Hushmail Blog

Is Google Drive HIPAA compliant?

Written by Hushmail | Jun 29, 2023 5:25:54 PM

You may already be using Google to run your practice. But one big question is looming in your mind.

Is Google Drive HIPAA compliant? 🤔

Yes and no. It comes down to how you store and access files, having a signed BAA, and if your Google Drive has any security holes (that you may not even know about!).

The good news is Google Drive can be HIPAA compliant if it's configured and used correctly—and this guide is going to walk you through how to do it. 

Let's dive in 👇

Table of Contents

  1. The nuts and bolts of Google Drive HIPAA compliance
  2. HIPAA-compliant Google Drive: 6 suggestions to make your system safer
    1. Tighten sharing requirements
    2. Train everyone in your practice on how to use Google Drive (and its risks)
    3. Turn off Google Drive’s search history settings
    4. Be careful what files and folders are called
    5. Disable any third-party apps
    6. Set up security alerts (and stay on top of them)
  3. The limitations for using Google Drive to stay HIPAA compliant
  4. Google Drive is HIPAA-Compliant—with some tweaks
  5. Is Google Drive HIPAA Compliant FAQs

What are the main options for HIPAA-compliant email?

Let’s get one thing straight—Google Drive is not HIPAA compliant out-of-the-box.

Some of its features, like sharing and access settings along with third-party apps, leave Google Drive at risk of not meeting HIPAA compliance standards. But if it’s configured correctly (and used carefully) Google Drive can be a good way to store documents and keep files safe at your practice.

The first step to make Google Drive HIPAA compliant is to sign up for a paid Google Workspace account (previously called G Suite) as it comes with a business associate agreement (BAA).

Why does this matter? 🤔

Well, Google ensures that any of its products covered by the BAA meet the HIPAA requirements. This is important because healthcare professionals that need to be HIPAA compliant must have a BAA with their business associates. This ensures that the associates take responsibility for maintaining the security and privacy of the records. Google also uses encryption on their servers to secure files, which goes a (really) long way to demonstrate you can manage risks around PHI and safeguard client records.

Unsure if you need a BAA to comply with HIPAA requirements?

👉 We’ve put together a guide to help you figure out if you need a Business Associate Agreement.

Even with these security features, staying HIPAA compliant with Google Drive ultimately depends on how you use and configure the product. The good news is there are several steps you can take to make Google Drive safer and support your HIPAA compliance.

HIPAA-compliant Google Drive: 6 suggestions to make your system safer

Google has an entire guide that explains what practitioners need to do to make their Google Drive HIPAA-compliant.

It’s complex—but we’ve read the guide back-to-front, so you don’t have to.

Although you need to consider your own practice's needs and security, here are some steps and actions we suggest you take to assist with your HIPAA compliance 👇

1. Tighten sharing requirements

You must only share documents with intended recipients, whether it's your clients or external organizations like insurers. 

Check what sharing setting a specific file or folder has by clicking the “Share” or “Get link” options from the dropdown menu. Here’s what you should see:

Never have documents and folders set to the setting where the document is open to Anyone with the link. This setting means anyone that clicks on the link, no matter where it's stored or how they found it, will get access to the document or folder. Hello, unsecured client information!

If the sharing settings are on Anyone with the link, just click the drop-down box next to the padlock and change them to Restricted like so:

Now, the only people that can access the document are those who you have invited over email. Remember, this can also be revoked at any time. Just click next to the person’s name, and select remove access:

Make sure you keep on top of your sharing settings and restrict document access each time you create a new file or folder. It’s the best way to monitor who has access to client files and can view PHI. To be extra careful that these files don’t fall into the wrong hands, you can also restrict which documents can be shared outside your practice or set the default file visibility to “Private”.

To do this, sign into your Google Admin console and select Apps -> Google Workspace -> Drive and Docs. Then:

  1. Click Sharing settings -> Sharing options
  2. The change applies to all your documents. Make sure the top organizational unit is selected.
  3. Next, you must decide the highest level of sharing you want to allow. For example, if you're only using Google Drive internally within your practice, you can go to the Sharing outside of your organization section and click Off. If not, you can click On and decide which settings match the highest level of sharing that your practice needs.

Hit save—and you're done!

2. Train everyone in your practice on how to use Google Drive (and its risks)

Just because you know the ins and outs of Google Drive and its security features doesn't mean your administrator or colleagues do.

It's important to train everyone in your practice on how to use Google Drive securely to protect client data. Some simple (yet important) steps to take include:

  • Train your administrator to create strong passwords and enable two-factor authentication on their Google accounts. Encourage them to steer clear of passwords that are easy to guess (no birthdays or children’s names!). Instead, suggest always using a strong, unique password that you keep track of in a secure and reliable way. Password managers make this easy.
  • Set up a shared folder for client files and restrict access to only authorized personnel. This can be done by creating a separate folder for each client and assigning specific staff members access to only the folders they need.

Speaking of settings…

3. Turn off Google Drive’s search history settings

Don’t forget that Google Drive is still a part of Google’s (huge) collection of services that includes a search engine and data collection.

Here’s a quick breakdown of what the Google Drive Search History stores and what Google uses that information for:

To protect client information, turn off search history for services where it may be stored and accessed beyond the individual account and follow a rule of “minimally necessary”. Basically, if you don’t need the information—don’t collect it!

It’s better to be safe than sorry, so it’s a good idea to turn off Google Workspace search history completely. Inside your Google Drive settings, under the Privacy section, click Manage Search History to view your current settings. If you see this:

It means Google Workspace is storing your search history, but it’s an easy fix. Just click the box and find the search history toggle:

Move the toggle to off… and you’re set!

4. Be careful what files and folders are called

Naming folders or files after clients or their medical conditions may be a simple way to keep records organized, but it also puts your compliance at risk.

Our advice?

Don’t put PHI in the titles of files, folders, or Shared Drives. HHS requires practitioners to store client information using a system called “de-identification” where health information cannot be used to identify an individual.

To meet this standard, label documents and folders stored in Google Drive in a way that clients can be identified without relying on their name, like using a client number. Although HHS guidance isn't definitive on how practitioners should name files and folders, it advocates for a numerical identification system.

Let’s say you have a client named Joe Blogs who visited your practice for an initial consultation on April 15th. You can then create an index that matches Mr. Blogs’ name with a unique number—either completely random or tied to the date of his first visit. When you need to find the client’s records, just refer to your index and match it with the file number:


Now, the key to this system working is to keep the numerical index and your client files separate. The index should be stored 

Now, the key to this system working is to keep the numerical index and your client files separate. The index should be stored outside your Google Drive in a place that’s secure so that only people with permission can access it on a strictly need-to-know basis.

While it might be a bit of a hassle to get this system set up, it will help to keep your practice compliant and can facilitate both paper and electronic storage.

5. Disable any third-party apps

Many third-party apps ask for access to drives or files during installation, which can create a compliance risk as these apps aren’t covered under Google’s BAA.

Google recommends disabling third-party applications that can be installed, such as apps like Google Docs add-ons. Each third-party app you have installed can be disconnected in your Google Drive settings. Just select Manage apps:


And then disconnect each app from your Google Drive using the drop-down box next to it:

Easy!

6. Set up security alerts (and stay on top of them)

Google Drive is a smart system (hey, it’s Google, after all!)

Any apps you use are wired together, which means you can also set up a security alarm to alert you to any changes in your security settings. This means Google can ping you if it notices suspicious login attempts or password changes. It can also send you an alert if someone is granted access to Google Drive, if they are given administrator privileges, or if any changes have been made to your Google Workspace Drive settings.

It’s super simple to set these alerts up:

  • Sign in to your Google Admin console. This must be your paid (or administrator) account, not a free Gmail account you’re using!
  • In the Admin console, click Menu  âžˇ Security ➡ Alert Center.
  • From the banner at the top of the page, click Turn On.

It's also a good idea to review reports and logs regularly to examine potential security risks or unusual behavior in your Google Drive account. Doing so makes it easier to pick up on whether client records are being accessed unnecessarily or if documents have been accidentally shared with the wrong person. If you pick up HIPAA breaches and report them early, it can impact what penalties are assessed.

The limitations for using Google Drive to stay HIPAA compliant

Google Drive is a great choice to store files and folders at your practice, but—and this is crucial—it’s not built for healthcare.

It may make sense on paper to stick with just using Google products for file storage. But once you add in other Google products like emails and forms, keeping your system HIPAA compliant does get complicated.

For example, Gmail isn’t HIPAA compliant out of the box. You may need to buy third-party encryption to secure emails, and setting it up to stay compliant isn’t easy.

The same can be said for Google Forms. If you already use Google Drive for client records, Google Forms may feel like a simple solution for collecting information. But these forms are not built for healthcare practitioners, so you won’t find a template that meets your practice’s needs. Just look at the templates available:


Not a client intake form in sight.

For practitioners who need to be HIPAA compliant without spending weeks customizing Google’s products, a simple solution is to combine Google Drive with a specialized healthcare email and forms platform.

Enter: Hushmail

Hushmail’s healthcare-centric forms provide practitioners with out-of-the-box templates that have features like body charts and legally binding e-signatures to make secure communication a breeze. You can:

Google Drive is HIPAA-Compliant—with some tweaks

So, is Google Drive HIPAA compliant? 🤔

The answer is it can be—but you must put in the work to tighten the settings and minimize the risk of unauthorized access to client data. Everyone with access should be trained on how to use Google Drive. And make sure settings and permissions are monitored regularly to track who has access to what.

Even so, Google Drive covers document and file storage. Your practice still needs to talk to clients and gather their information. And here’s where Google’s Gmail and Forms products are not a good fit for healthcare practitioners.

With the extra complexity (and cost) of using Google products for communication and practice forms, most healthcare professionals will find it’s much easier (and better) to use a service like Hushmail instead!

If you think the combination of Google Drive and Hushmail ticks all your HIPAA compliance needs, we’re happy to get you started with Hushmail for Healthcare today—sign up here:

Is Google Drive HIPAA Compliant FAQs

Is Google Drive safe for medical records?

Google Drive can be used to store medical records if steps are taken to protect client information. This is because it already has features like encryption, password protection, and two-factor authentication built in to help protect data. Practices must sign a Business Associate Agreement (BAA) with Google before using Google Drive for storing medical records and take measures like restricting sharing settings to ensure client data remains confidential and secure.

Which Google plan is HIPAA compliant?

Every Google Workspace plan includes a BAA, so essentially, any plan can be HIPAA compliant. However, you must still sign this BAA to meet HIPAA requirements. Personal Google accounts (free Gmail) are not HIPAA compliant and should not be used.