Google Drive is becoming an increasingly attractive option for many companies to store information online. It is cheaper than installing costly hardware systems and IT infrastructure, and it is easy to use and easy to train staff on. However, despite the advantages, the question remains whether healthcare professionals can use this technology and remain HIPAA compliant. In short, while the software itself is HIPAA compliant, users may still violate HIPAA rules if they do not use these services in an appropriate manner.
G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. G Suite incorporates all the necessary safeguards to make it HIPAA compliant, and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.
Before any software or cloud platform is used to store PHI, HIPAA requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA). Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms). Other G Suite apps are covered for paid users only.
A covered entity must review, sign and accept the business associate agreement (BAA) with Google before using any of its services to store PHI in order to remain HIPAA compliant. It should be noted that PHI can only be shared or used via a Google service that is specifically covered by the BAA. The BAA does not cover any third-party apps that are used in conjunction with G Suite. The covered entity must avoid using such services unless a separate BAA is obtained from the provider or developer of that app.
Signing the BAA does not by itself mean a HIPAA covered entity is able to use the service with PHI. Google will accept no responsibility for any misconfiguration of G Suite. Ultimately, it is the responsibility of the covered entity to make sure the services are configured correctly. If they fail to do this, they alone are in violation of HIPAA and will be prosecuted accordingly.
Covered entities should note that Google encrypts all data uploaded to Google Drive, but this encryption is server side only. If files are downloaded or synced, additional controls will be required to protect data on the individual devices. HIPAA-compliant syncing is beyond the scope of this article, and it is recommended that syncing be turned off.
In summary, to avoid a HIPAA violation, covered entities intent on using Google Drive to store ePHI must:
- Obtain a BAA from Google prior to using G Suite with PHI
- Configure access controls carefully
- Use 2-factor authentication for access
- Use strong passwords
- Turn off file syncing
- Set link sharing to off
- Restrict sharing of files outside the domain (Google offers advice if external access is required)
- Set the visibility of documents to private
- Disable third-party apps and add-ons
- Disable offline storage for Google Drive
- Disable access to apps and add-ons
- Audit access and account logs and shared file reports regularly
- Configure ‘manage alerts’ to ensure the administrator is notified of any changes to settings
- Back up all data uploaded to Google Drive
- Ensure staff are trained on the use of Google Drive and other G Suite apps
- Never put PHI in the titles of files
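To illustrate the audit items above (reviewing shared file reports for link sharing and external sharing, and checking for PHI in file titles), here is a small Python check written for this article; it is not Google's tooling and uses no G Suite API. It runs over a constructed export of file-sharing records, and the record shape, the domain clinic.example and the title patterns are all assumptions.

```python
import re

# Constructed sample export. The record shape (type / emailAddress / domain) is
# an assumption loosely modelled on Drive permission objects, not a real export.
ORG_DOMAIN = "clinic.example"

SAMPLE_FILES = [
    {"name": "Q3 staffing rota", "permissions": [
        {"type": "user", "emailAddress": "nurse@clinic.example"}]},
    {"name": "Patient Jane Doe MRN 0012345 lab results", "permissions": [
        {"type": "user", "emailAddress": "dr@clinic.example"}]},
    {"name": "Referral template", "permissions": [{"type": "anyone"}]},
    {"name": "Billing export", "permissions": [
        {"type": "user", "emailAddress": "contractor@gmail.example"}]},
    {"name": "Policy handbook", "permissions": [
        {"type": "domain", "domain": "clinic.example"}]},
]

# Crude title checks for identifiers that should never appear in a file name;
# tune these to your own naming conventions.
TITLE_PATTERNS = [
    re.compile(r"\bMRN\b", re.I),
    re.compile(r"\bpatient\b", re.I),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped number
]

def audit_file(f, org_domain=ORG_DOMAIN):
    """Return a list of findings for one file record (empty if compliant)."""
    findings = []
    for p in f.get("permissions", []):
        if p["type"] == "anyone":
            findings.append("link sharing enabled")
        elif p["type"] == "domain" and p.get("domain", "").lower() != org_domain:
            findings.append(f"shared with external domain {p.get('domain')}")
        elif p["type"] in ("user", "group"):
            addr = p.get("emailAddress", "")
            if not addr.lower().endswith("@" + org_domain):
                findings.append(f"shared with external account {addr}")
    if any(pat.search(f["name"]) for pat in TITLE_PATTERNS):
        findings.append("possible PHI in file title")
    return findings

def audit(files, org_domain=ORG_DOMAIN):
    """Map file name -> findings, keeping only files with at least one finding."""
    result = {}
    for f in files:
        findings = audit_file(f, org_domain)
        if findings:
            result[f["name"]] = findings
    return result

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(issues)}")
```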
Google has released a Guide for HIPAA Compliance with G Suite to assist covered entities with implementing its services. If you have any other queries regarding your organisation’s use of Google Drive, or other cloud-based platforms, you are advised to seek legal counsel to ensure that your organisation remains HIPAA compliant.