Google Drive is one of the oldest and most well known cloud storage and productivity suites. Although Google Drive launched in 2012, Google’s productivity platform dates back to 2006, when Google Docs and Google Sheets first launched. Over the years, Google would more closely integrate these services before moving them under the Google Drive and Google Suite brand. Today, Google Drive and Google’s entire suite of collaborative tools are referred to as Google Workspace.
For more than a decade, organizations have relied on Google’s suite of tools to collaborate remotely in real time. Google’s relatively low cost options have allowed for startups and small to medium-sized organizations across a variety of industries to thrive. This includes healthcare related organizations, startups, and nonprofits. We’ll briefly cover how healthcare organizations can use Google Drive while remaining compliant with HIPAA.
Is Google Drive HIPAA Compliant?
Because there is no such thing as a HIPAA certification, evaluating if an app can be used by HIPAA bound organizations can be difficult. Luckily, Google Drive and certain Google Workspace services can be used by HIPAA covered entities, provided certain conditions are met and maintained while your organization remains a Google customer.
What’s needed to make Google Drive HIPAA compliant?
Users seeking to make Google Drive HIPAA compliant must perform a variety of actions (including but not limited to):
- Sign and execute a business associate agreement with Google. While Google Drive can be used in a HIPAA compliant manner, covered entities will not be compliant with HIPAA if they do not first sign a business associate agreement (also known as a BAA). This is true of other cloud service providers as well. You can learn more about Google’s BAA here and here. Note that Google uses the term “Business Associate Amendment” and “Business Associate Addendum” to interchangeably refer to a document that serves the role of a business associate agreement.
- Limit PHI to approved core services. Google only allows for PHI to be stored or shared in designated core services like Gmail, Calendar, and Drive and several others. For a full list of approved services, see here. In order to do this, you’ll need to implement the appropriate settings and controls in your Google Workspace applications and environment. Google provides a detailed explanation of some of the settings and controls that might make sense to implement in its G Suite and Cloud Identity HIPAA Implementation Guide.
- Protect PHI by ensuring it's only accessible to authorized parties on a need to know basis. Within the core services where PHI is allowed to be shared, ensure that it’s only available to the correct parties at the right time.
How can you protect PHI in Google Drive?
Most of the decisions you’ll need to make regarding the security of PHI revolve around the HIPAA Security Rule. The HIPAA Security Rule will inform what types of controls and permissions make sense for your organization to deploy. But some of the most common considerations you’ll want to make will likely include (but are not limited to):
- Enforcing authentication standards like two factor authentication and strong passwords
- Regularly monitoring logs and Admin console reports
- Disabling search history for services where search history might be accessed beyond individual accounts
- Enforcing restricted permissions settings for files, documents, and other content containing PHI. Wherever possible, you should configure default permissions and visibility settings to private and turn off link sharing
Some of these settings can be managed and configured within Google Workspace, however; you’ll likely find that you’ll need to invest in third party security tools for optimal visibility and control over PHI.
For example, a number of HIPAA covered entities rely on Nightfall’s Data Loss Prevention (DLP) platform for complete insight into whether users are violating the file permissions policies necessary to maintain HIPAA compliance in Google Drive. Nightfall provides a level of granularity and visibility not provided by Google’s native admin panel and lets you aggregate user activity to measure PHI risk over time, something required by the HIPAA Security Rule. For more information, grab a copy of our Guide to DLP for Google Drive.
Being HIPAA compliant means asking the right questions
Are you looking for other HIPAA-compliant SaaS applications to enable digital transformation within your healthcare organization? Grab a copy of our Guide to HIPAA Compliance Checklist. It has important details you’ll want to ask any SaaS provider as a HIPAA covered entity.