You may already be using Google to run your practice. But one big question is looming in your mind.
Is Google Drive HIPAA compliant? 🤔
Yes and no. It comes down to how you store and access files, having a signed BAA, and if your Google Drive has any security holes (that you may not even know about!).
The good news is Google Drive can be HIPAA compliant if it's configured and used correctly—and this guide is going to walk you through how to do it.
Let's dive in 👇
Let’s get one thing straight—Google Drive is not HIPAA compliant out-of-the-box.
Some of its features, like sharing and access settings along with third-party apps, leave Google Drive at risk of not meeting HIPAA compliance standards. But if it’s configured correctly (and used carefully) Google Drive can be a good way to store documents and keep files safe at your practice.
The first step to make Google Drive HIPAA compliant is to sign up for a paid Google Workspace account (previously called G Suite). Workspace administrators can accept Google's business associate agreement (BAA) in the Admin console; a free personal Google account has no BAA on offer at all.
Why does this matter? 🤔
Well, under the BAA Google commits to HIPAA's safeguards for the Workspace services the agreement covers (Drive and Docs among them). This matters because a healthcare practice that needs to be HIPAA compliant must have a BAA with every business associate that creates, receives, stores, or transmits PHI on its behalf; the BAA is what makes the associate contractually responsible for the security and privacy of those records. Google also encrypts Workspace data at rest and in transit, which goes a (really) long way toward showing you manage risks around PHI and safeguard client records. What the BAA does not cover is how your staff share files or which add-ons they install. That part is on you.
Unsure if you need a BAA to comply with HIPAA requirements? 👉 We’ve put together a guide to help you figure out if you need a Business Associate Agreement.
Even with these security features, staying HIPAA compliant with Google Drive ultimately depends on how you use and configure the product. The good news is there are several steps you can take to make Google Drive safer and support your HIPAA compliance.
Google has an entire guide that explains what practitioners need to do to make their Google Drive HIPAA-compliant.
It’s complex—but we’ve read the guide back-to-front, so you don’t have to.
Although you need to consider your own practice's needs and security, here are some steps and actions we suggest you take to assist with your HIPAA compliance 👇
You must only share documents with intended recipients, whether it's your clients or external organizations like insurers.
Check what sharing setting a specific file or folder has by clicking the “Share” or “Get link” options from the dropdown menu. Here’s what you should see:
Never leave documents or folders on the Anyone with the link setting. With that setting, anyone who obtains the link gets access, no matter how they got it: forwarded in an email, pasted into a chat, or pulled from a browser history or a log. Hello, unsecured client information!
If the sharing settings are on Anyone with the link, just click the drop-down box next to the padlock and change them to Restricted like so:
Now, the only people that can access the document are those who you have invited over email. Remember, this can also be revoked at any time. Just click next to the person’s name, and select remove access:
Make sure you keep on top of your sharing settings and restrict document access each time you create a new file or folder. It’s the best way to monitor who has access to client files and can view PHI. To be extra careful that these files don’t fall into the wrong hands, you can also restrict which documents can be shared outside your practice or set the default file visibility to “Private”.
To do this, sign into your Google Admin console and select Apps -> Google Workspace -> Drive and Docs. Then:
Hit save—and you're done!
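Clicking through every file is fine for a handful of documents, but not for a practice's worth. The script below is an added example (not from the original article and not Google's code): it audits the JSON that the Drive API v3 `files.list` call returns when asked for `files(id,name,permissions(id,type,role,emailAddress,domain,allowFileDiscovery))`, flags public links and external recipients, and produces the list of `anyone` permissions to delete. The sample payload and the practice domain are constructed; swap in a real API response and your own domain.

```python
"""Audit Google Drive permissions for over-sharing.

Added example. Works on the shape returned by Drive API v3 files.list with
fields="files(id,name,permissions(id,type,role,emailAddress,domain,allowFileDiscovery))".
The sample response and PRACTICE_DOMAIN below are constructed assumptions.
"""
import json

PRACTICE_DOMAIN = "example-practice.com"  # assumption: your Workspace domain

# Constructed sample of what files.list might return for three files.
SAMPLE_RESPONSE = json.dumps({
    "files": [
        {"id": "f1", "name": "C7F3A9D2 intake.pdf",
         "permissions": [
             {"id": "p1", "type": "user", "role": "owner",
              "emailAddress": "dr.lee@example-practice.com"},
             # "Anyone with the link" shows up as type=anyone
             {"id": "p2", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
         ]},
        {"id": "f2", "name": "Superbill Q2.pdf",
         "permissions": [
             {"id": "p3", "type": "user", "role": "owner",
              "emailAddress": "dr.lee@example-practice.com"},
             {"id": "p4", "type": "user", "role": "writer",
              "emailAddress": "claims@insurer.example"},
         ]},
        {"id": "f3", "name": "Staff rota.xlsx",
         "permissions": [
             {"id": "p5", "type": "user", "role": "owner",
              "emailAddress": "office@example-practice.com"},
             {"id": "p6", "type": "domain", "role": "reader", "domain": "example-practice.com"},
         ]},
    ]
})


def classify_permission(perm, practice_domain=PRACTICE_DOMAIN):
    """Return a finding for a risky permission, or None when it is acceptable."""
    ptype = perm.get("type")
    if ptype == "anyone":
        how = "discoverable by search" if perm.get("allowFileDiscovery") else "anyone with the link"
        return f"public: {how} ({perm.get('role')})"
    if ptype == "domain":
        if perm.get("domain", "").lower() != practice_domain:
            return f"shared with foreign domain {perm.get('domain')} ({perm.get('role')})"
        return None
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        if not email.endswith("@" + practice_domain):
            return f"external {ptype} {email} ({perm.get('role')})"
    return None


def audit(response_json, practice_domain=PRACTICE_DOMAIN):
    """Return (findings, plan).

    findings: (file_id, file_name, issue) for every risky permission.
    plan: (file_id, permission_id) pairs to delete. Only 'anyone' permissions
    are queued automatically; external named users are reported so a human can
    confirm they really are intended recipients (an insurer, say).
    """
    findings, plan = [], []
    for f in json.loads(response_json)["files"]:
        for perm in f.get("permissions", []):
            issue = classify_permission(perm, practice_domain)
            if issue:
                findings.append((f["id"], f["name"], issue))
                if perm.get("type") == "anyone":
                    plan.append((f["id"], perm["id"]))
    return findings, plan


if __name__ == "__main__":
    findings, plan = audit(SAMPLE_RESPONSE)
    for fid, name, issue in findings:
        print(f"{fid} {name!r}: {issue}")
    for fid, pid in plan:
        # With a real client: service.permissions().delete(fileId=fid, permissionId=pid).execute()
        print(f"would delete permission {pid} on {fid}")
```

One caveat when you wire this to the real API: `files.list` only returns `permissions` for items in My Drive. For files in a shared drive you need a separate `permissions.list` call per file, and the items should be fetched with `supportsAllDrives=True`.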
Just because you know the ins and outs of Google Drive and its security features doesn't mean your administrator or colleagues do.
It's important to train everyone in your practice on how to use Google Drive securely to protect client data. Some simple (yet important) steps to take include:
Speaking of settings…
Don’t forget that Google Drive is still a part of Google’s (huge) collection of services that includes a search engine and data collection.
Here’s a quick breakdown of what the Google Drive Search History stores and what Google uses that information for:
To protect client information, turn off search history for services where it may be stored and accessed beyond the individual account, and follow HIPAA's "minimum necessary" rule. Basically, if you don’t need the information, don’t collect it!
It’s better to be safe than sorry, so it’s a good idea to turn off Google Workspace search history completely. Inside your Google Drive settings, under the Privacy section, click Manage Search History to view your current settings. If you see this:
Naming folders or files after clients or their medical conditions may be a simple way to keep records organized, but it also puts your compliance at risk.
Our advice?
Don’t put PHI in the titles of files, folders, or Shared Drives. Titles travel further than the files themselves: they appear in sharing notification emails, in the Admin console's activity logs, in search history, and in the Drive listing of anyone who holds a link. HHS's de-identification standard (45 CFR 164.514) treats names and dates tied to an individual as identifiers that must be stripped before health information stops being PHI. HIPAA doesn't force you to de-identify your records, but keeping those identifiers out of file names means far less is exposed if a title leaks.
To meet this standard, label documents and folders stored in Google Drive with a code that lets your staff find a client's records without using the client's name, such as a client number. HHS guidance isn't specific about how practitioners should name files and folders, but its de-identification rules do say how a re-identification code may be used: it must not be derived from or related to information about the individual, and the method for producing it must not be disclosed.
Let’s say you have a client named Joe Blogs who visited your practice for an initial consultation on April 15th. Assign Mr. Blogs a unique number generated at random and record the match in an index. Resist the temptation to build the number from his initials or his first visit date: dates of service are themselves identifiers on HHS's Safe Harbor list, so a code like JB-0415 gives away exactly what you set out to hide. When you need to find the client’s records, just refer to your index and match it with the file number:
Now, the key to this system working is to keep the numerical index and your client files separate. The index should be stored outside your Google Drive, in a place that is itself secured (encrypted, access-controlled, and logged), so that only people with permission can reach it on a strictly need-to-know basis.
While it might be a bit of a hassle to get this system set up, it will help to keep your practice compliant and can facilitate both paper and electronic storage.
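Two small tools make this system stick in practice: something that mints codes which carry no information about the client, and a check that catches a name or date before it becomes a file title. The block below is an added example (not from the original article and not HHS guidance). The client index in it is constructed sample data; in a real practice that index lives outside Drive, as described above.

```python
"""Keep PHI out of Google Drive file and folder names.

Added example. new_client_code() produces a random re-identification code that is
not derived from anything about the client (the condition in 45 CFR 164.514(c)).
title_issues() lints a proposed file name against the date patterns HHS's Safe
Harbor list treats as identifiers and against the names in your index.
CLIENT_INDEX is constructed sample data.
"""
import re
import secrets

# Constructed sample index: code -> client. In practice this lives OUTSIDE Drive.
CLIENT_INDEX = {"C7F3A9D2": "Joe Blogs", "4B1E90AC": "Ana Silva"}

# Dates in the common written forms: 04/15/23, 4-15-2023, 2023-04-15, 20230415, Apr 15
_DATE_PATTERNS = [
    re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b"),
    re.compile(r"\b\d{4}[/.-]\d{2}[/.-]\d{2}\b"),
    re.compile(r"\b(?:19|20)\d{6}\b"),
    re.compile(r"\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2}\b", re.I),
]


def new_client_code(nbytes: int = 4) -> str:
    """Random hex code from the OS CSPRNG; nothing about the client feeds into it."""
    return secrets.token_hex(nbytes).upper()


def _name_tokens(full_name):
    # "Joe Blogs" -> {"joe", "blogs"}; single letters (initials) are ignored
    return {t.lower() for t in re.split(r"\W+", full_name) if len(t) > 1}


def title_issues(title, index=CLIENT_INDEX):
    """Return the reasons a title would expose PHI; an empty list means it is OK."""
    issues = []
    if any(p.search(title) for p in _DATE_PATTERNS):
        issues.append("contains a date")
    words = {w.lower() for w in re.split(r"\W+", title) if w}
    for code, name in index.items():
        hits = _name_tokens(name) & words
        if hits:
            issues.append(f"contains client name token(s) {sorted(hits)} (client {code})")
    return issues


if __name__ == "__main__":
    print("new code:", new_client_code())
    for t in ("Joe Blogs - intake 04-15-2023.pdf", "C7F3A9D2 intake notes.pdf"):
        print(f"{t!r}: {title_issues(t) or 'OK'}")
```

The name check is deliberately coarse (a file called "Joe's lunch order" will trip it), because a false alarm costs a second look while a miss costs a breach report.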
Many third-party apps ask for access to drives or files during installation, which can create a compliance risk as these apps aren’t covered under Google’s BAA.
Google recommends that administrators restrict which third-party apps and add-ons (Google Docs add-ons, for example) users can install and connect to Drive. Anything already connected to your own account can be disconnected from your Google Drive settings. Just select Manage apps:
And then disconnect each app from your Google Drive using the drop-down box next to it:
Easy!
Google Drive is a smart system (hey, it’s Google, after all!)
Because Workspace services share one Admin console, you can set alert rules that notify you when security settings change. Google can email you about suspicious login attempts or password changes, and can alert you when someone is granted access to Google Drive, when a user is given administrator privileges, or when your Google Workspace Drive settings are changed.
It’s super simple to set these alerts up:
It's also a good idea to review the Admin console's audit logs and reports regularly for unusual behavior in your Google Drive account: client records being downloaded in bulk, a file switched to link sharing, or a document shared with someone outside the practice. Catching these early matters twice over. The Breach Notification Rule gives you no more than 60 days after discovering a breach to notify affected clients and HHS, and how quickly a problem was found and corrected is taken into account when penalties are assessed.
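Reading logs by eye doesn't scale either, so here is what a first pass at the three checks above looks like in code. This is an added example, not from the original article and not Google's code. The records are constructed and modelled on the Admin SDK Reports API `activities.list` response for `applicationName=drive` (event and parameter names follow that API's drive activity schema; the practice domain, download threshold and time window are assumptions to tune for your practice).

```python
"""Detection rules over Google Drive audit events.

Added example. The records are constructed and modelled on the Admin SDK Reports API
activities.list response for applicationName=drive. PRACTICE_DOMAIN, DOWNLOAD_THRESHOLD
and DOWNLOAD_WINDOW are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRACTICE_DOMAIN = "example-practice.com"   # assumption: your Workspace domain
DOWNLOAD_THRESHOLD = 20                    # assumption: more downloads than this by one actor...
DOWNLOAD_WINDOW = timedelta(minutes=10)    # ...within this window is suspicious


def _ev(time, actor, name, etype, **params):
    """Build one constructed activity record in the Reports API shape."""
    return {"id": {"time": time, "applicationName": "drive"},
            "actor": {"email": actor},
            "events": [{"type": etype, "name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


SAMPLE_EVENTS = [
    # a file flipped to "Anyone with the link"
    _ev("2024-05-01T09:00:00.000Z", "dr.lee@example-practice.com",
        "change_document_visibility", "acl_change",
        doc_id="f1", doc_title="C7F3A9D2 intake.pdf", visibility="people_with_link"),
    # a named external user granted edit access
    _ev("2024-05-01T09:05:00.000Z", "office@example-practice.com",
        "change_user_access", "acl_change",
        doc_id="f2", doc_title="Superbill Q2.pdf",
        target_user="claims@insurer.example", new_value="can_edit"),
    # an internal grant, which should not alert
    _ev("2024-05-01T09:06:00.000Z", "office@example-practice.com",
        "change_user_access", "acl_change",
        doc_id="f3", doc_title="Staff rota.xlsx",
        target_user="dr.lee@example-practice.com", new_value="can_view"),
] + [
    # 25 downloads by one account, 20 seconds apart
    _ev(f"2024-05-01T10:{(i * 20) // 60:02d}:{(i * 20) % 60:02d}.000Z",
        "temp@example-practice.com", "download", "access",
        doc_id=f"f{100 + i}", doc_title=f"{i:08X} notes.pdf")
    for i in range(25)
]


def _params(event):
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect(records, practice_domain=PRACTICE_DOMAIN):
    """Return alerts as (rule, actor, subject, detail) tuples, in time order."""
    alerts = []
    recent_downloads = defaultdict(deque)   # actor -> download times inside the window
    flagged_for_bulk = set()
    for rec in sorted(records, key=lambda r: r["id"]["time"]):
        t = _parse_time(rec["id"]["time"])
        actor = rec["actor"]["email"].lower()
        for ev in rec["events"]:
            p = _params(ev)
            if ev["name"] == "change_document_visibility" and \
                    p.get("visibility") in ("people_with_link", "public_on_the_web"):
                alerts.append(("LINK_SHARING", actor, p.get("doc_title"), p.get("visibility")))
            elif ev["name"] == "change_user_access":
                target = (p.get("target_user") or "").lower()
                if target and not target.endswith("@" + practice_domain):
                    alerts.append(("EXTERNAL_GRANT", actor, p.get("doc_title"), target))
            elif ev["name"] == "download":
                q = recent_downloads[actor]
                q.append(t)
                while q and t - q[0] > DOWNLOAD_WINDOW:   # slide the window
                    q.popleft()
                if len(q) > DOWNLOAD_THRESHOLD and actor not in flagged_for_bulk:
                    flagged_for_bulk.add(actor)           # one alert per actor per burst
                    alerts.append(("BULK_DOWNLOAD", actor,
                                   f"{len(q)} downloads in {DOWNLOAD_WINDOW}", None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run it against a day's export of the drive audit log and the output is a short list a practice manager can actually act on: reverse the link share, confirm the insurer really should have edit rights, and ask why a temp account pulled two dozen files in eight minutes.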
Google Drive is a great choice to store files and folders at your practice, but—and this is crucial—it’s not built for healthcare.
It may make sense on paper to stick with just using Google products for file storage. But once you add in other Google products like emails and forms, keeping your system HIPAA compliant does get complicated.
For example, Gmail isn’t HIPAA compliant out of the box. Gmail is covered by Google's BAA, but a message to a client or an outside organization is only encrypted in transit if the receiving mail server supports TLS, and it then sits in whatever inbox it lands in. To guarantee encryption you may need to buy a third-party add-on, and setting it up to stay compliant isn’t easy.
The same can be said for Google Forms. If you already use Google Drive for client records, Google Forms may feel like a simple solution for collecting information. But these forms are not built for healthcare practitioners, so you won’t find a template that meets your practice’s needs. Just look at the templates available:
Not a client intake form in sight.
For practitioners who need to be HIPAA compliant without spending weeks customizing Google’s products, a simple solution is to combine Google Drive with a specialized healthcare email and forms platform.
Enter: Hushmail
Hushmail’s healthcare-centric forms provide practitioners with out-of-the-box templates that have features like body charts and legally binding e-signatures to make secure communication a breeze. You can:
So, is Google Drive HIPAA compliant? 🤔
The answer is it can be—but you must put in the work to tighten the settings and minimize the risk of unauthorized access to client data. Everyone with access should be trained on how to use Google Drive. And make sure settings and permissions are monitored regularly to track who has access to what.
Even so, Google Drive covers document and file storage. Your practice still needs to talk to clients and gather their information. And here’s where Google’s Gmail and Forms products are not a good fit for healthcare practitioners.
With the extra complexity (and cost) of using Google products for communication and practice forms, most healthcare professionals will find it’s much easier (and better) to use a service like Hushmail instead!
If you think the combination of Google Drive and Hushmail ticks all your HIPAA compliance needs, we’re happy to get you started with Hushmail for Healthcare today—sign up here:
Google Drive can be used to store medical records if steps are taken to protect client information. This is because it already has features like encryption, password protection, and two-factor authentication built in to help protect data. Practices must sign a Business Associate Agreement (BAA) with Google before using Google Drive for storing medical records and take measures like restricting sharing settings to ensure client data remains confidential and secure.
Every Google Workspace plan includes a BAA, so essentially any plan can be HIPAA compliant. However, the BAA is not in force until an administrator accepts it in the Admin console, and even then only the services it lists are covered. Personal Google accounts (free Gmail) have no BAA available, are not HIPAA compliant, and should not be used for client data.