Yes, you can use Google Drive in a HIPAA compliant environment, but only if you’re careful! That’s the quick answer. Read on to learn more!
Every day we hear from practitioners who want to use Google’s G Suite in their medical practice. G Suite is easy-to-use, affordable, and can be HIPAA compliant. Most people want G Suite for Gmail, but having access to Google Drive and Docs really makes the subscription cost worthwhile.
In this article you will learn:
Google’s G Suite is a collection of collaboration and productivity tools. You’re probably using some of these tools already: Gmail, Docs, Drive, Calendar, Meet and more.
Google’s G Suite is a paid subscription service. If your email address ends with @gmail.com you are using Google’s free Gmail and apps, not G Suite.
What’s the difference between G Suite and free Gmail? Basically, the difference is having @gmail.com or @yourcompany.com at the end of your email address. You also get more cloud storage, phone/email support, additional security options and administrative controls with G Suite,.
You can use G Suite in a HIPAA compliant manner, but it is not HIPAA compliant right out of the box. Free Gmail/Google Apps cannot be HIPAA compliant since Google will not provide a BAA for free Gmail accounts. We have a bunch of articles about making G Suite HIPAA compliant:
Google will provide a BAA for G Suite account holders. Need help finding it? Check out this help article: https://support.google.com/a/answer/3407074?hl=en
Google’s BAA does not cover every service in G Suite. Protected Health Information (PHI) can be used in the following G Suite Apps: Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Chat, Hangouts Meet, Keep, Google Cloud Search, Google Voice (managed users only), Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.
Google Drive is included in that list! If you configure file sharing properly in Google Drive, it’s a great choice for HIPAA compliant cloud storage.
Google Drive is a secure, easy-to-use cloud storage solution. It’s very easy to create and share files and folders. This is great from a collaboration standpoint, but not great from a HIPAA-standpoint. This is why it’s imperative that you set up Google Drive correctly to avoid sharing documents with the wrong recipients!
Google Drive is kind of like a cross between Dropbox (where you can back up your files to the cloud) and Microsoft Office (for creating and editing documents). It’s all in your web browser, and is really easy to learn and use.
You can upload any type of file to Drive and convert files to a Google document format: Docs (like Microsoft Word), Sheets (like Microsoft Excel) or Slides (like Microsoft PowerPoint).
How much cloud storage do you get? There are three levels of G Suite, and each has a different price/user and amounts of Drive cloud storage:
Google Docs are intuitive collaboration and documentation tools. They are web-based and very similar to Microsoft Word, Excel and PowerPoint. You can convert many types of files into Google Docs formats:
And the answer is YES! Google Docs (with a paid G Suite subscription, signed BAA and appropriately configured settings) can be HIPAA compliant. They clearly state this in Google’s HIPAA Implementation Guide (linked at the end of this article).
Google’s BAA covers Google Drive and Docs, so these services are appropriate for storing PHI. Google’s HIPAA Implementation Guide recommends the following:
Yes, Google Drive and Docs is safe for storing medical records or confidential information, but only if it’s configured correctly. Files in Google Drive and all file metadata (titles and comments) are encrypted. Learn more about Google’s Security focus here: https://support.google.com/googlecloud/answer/6056693?hl=en&visit_id=637275245913296513-3573186912&rd=1
Yes! Google Drive and the rest of G Suite is very mobile friendly. You can use Google Drive in a HIPAA compliant manner if you use the Google Drive app on your smartphone or tablet AND you have G Suite configured properly.
G Suite subscriptions include a Mobile Device Management system which allows you to require screenlocks or passwords in addition to removing confidential data from devices as needed.
Google’s G Suite is perfect for smaller medical practices that need HIPAA compliant email, cloud storage, telehealth and more – but what if you already have a solution for email and telehealth and you just need cloud storage? You might want to look at other options, just to see other offerings.
We have an article that quickly reviews 11 HIPAA compliant cloud storage options: https://adeliarisk.com/hipaa-compliant-cloud-storage/
One of the most popular cloud storage solutions is Dropbox. Here’s a quick comparison between Google Drive (as a part of G Suite, not the free version) and Dropbox:
| Google Drive | Dropbox | |
| Sign BAA? | Yes | Yes |
| Cost | – $6/user/month Basic – $12/user/month Business – $25/user/month Enterprise | – $17/month for 1 user – $12.50/user/month for 3 users |
| Storage | Unlimited | 3-5TB depending on plan |
| Two-step verification | Yes | Yes |
| Encryption at rest | Yes | Yes |
| Encryption in transit | Yes | Yes |
| Remote wipe* | Yes | Yes |
*in case a device is lost or stolen, it’s important to be able to remove files containing PHI
If you’re considering Google Drive, Dropbox or any other cloud storage solution, it’s important to review the actual features that you intend to use. We didn’t look at every feature of these solutions in our comparison, so be sure to check their websites for more information.
Most practitioners who want to use Google Drive in their practice want to use the entire G Suite service. You need to set up your G Suite account properly. Google strives to make services easy to use, collaborate and share — which is great, but HIPAA requires you to limit sharing. You only want to share things with intended recipients!
To make G Suite and Google Drive HIPAA compliant, start with the following:
From there you’ll decide if you want to tackle this yourself — which is totally doable, by the way!
We created an ebook to walk you through your entire G Suite system and set it up properly. Learn more about The Complete Guide to HIPAA-Compliant G Suite.
We also have services where we set up your G Suite system, or audit your G Suite system to check your work. Contact us if you’re interested in learning more.
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!
