Yes, Google Drive can be HIPAA compliant in 2025, but only if you’re careful! That’s the quick answer to “Is Google Drive HIPAA compliant in 2025?” Read on to learn how to make Google Drive HIPAA compliant in 2025.
Every day we hear from practitioners who want to use Google Workspace in their medical practice. Google Workspace (previously known as G Suite) is easy to use, affordable, and can be made HIPAA compliant and secure for medical records. Most people want Google Workspace for Gmail, but access to Google Drive and Docs is what really makes the subscription cost worthwhile.
In this article you will learn:
Google Workspace (G Suite) is a collection of collaboration and productivity tools. You’re probably using some of these tools already: Gmail, Google Docs, Google Drive, Google Calendar, Google Meet, and more.
Google Workspace is a paid subscription service. If your email address ends with @gmail.com you are using Google’s free Gmail and apps, not Google Workspace.
What’s the difference between Google Workspace and free Gmail? Basically, the difference is having @gmail.com or @yourcompany.com at the end of your email address. You also get more Google Cloud storage, phone/email support, additional security options, and administrative controls with Google Workspace (G Suite).
You can use Google Workspace (including Google Drive) in a HIPAA-compliant manner that is secure for medical records, but it is not HIPAA-compliant right out of the box. Free Gmail/Google Apps cannot be HIPAA compliant since Google will not provide a BAA for free Gmail accounts. We have a bunch of articles about making Google Workspace HIPAA compliant:
Google will provide a BAA for Google Workspace account holders. Need help finding it? Check out their help article.
Google’s BAA does not cover every service in Google Workspace (G Suite). Protected Health Information (PHI) can be used in the following Google Workspace apps: Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Chat, Hangouts Meet, Keep, Google Cloud Search, Google Voice (managed users only), Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.
Google Drive is included in that list! If you configure file sharing properly in Google Drive, it’s a great choice for HIPAA-compliant cloud storage.
But here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not by itself make your Google Workspace or Google Drive HIPAA compliant.
Seriously – Google CLEARLY says the following about their HIPAA Compliance:
“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”
“PHI is allowed only in a subset of Google services.”
“These Google-covered services … must be configured by IT administrators to help ensure that PHI is properly protected.”
So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.
You need to make sure your account is secure.
Google Drive is a secure, easy-to-use cloud storage solution. It’s very easy to create and share files and folders. This is great from a collaboration standpoint, but not great from a HIPAA standpoint. This is why it’s imperative that you set up Google Drive correctly to avoid sharing documents with the wrong recipients!
Google Drive is kind of like a cross between Dropbox (where you can back up your files to the cloud) and Microsoft Office (for creating and editing documents). It’s all in your web browser and is really easy to learn and use.
You can upload any type of file to Drive and convert files to a Google document format: Docs (like Microsoft Word), Sheets (like Microsoft Excel), or Slides (like Microsoft PowerPoint).
How much cloud storage do you get? There are three levels of Google Workspace, and each has a different price/user and amount of Drive cloud storage:
12/31/2020: here's a link to their pricing page
Google Docs are intuitive collaboration and documentation tools. They are web-based and very similar to Microsoft Word, Excel and PowerPoint. You can convert many types of files into Google Docs formats:
The answer is yes! Google Docs (with a paid Google Workspace subscription, a signed BAA, and appropriately configured settings) can be HIPAA compliant. Google states this clearly in its HIPAA Implementation Guide (linked at the end of this article).
Google’s BAA covers Google Drive and Docs, so these services are appropriate for storing PHI. Google’s HIPAA Implementation Guide recommends the following:
Yes, Google Drive and Docs are safe for storing medical records or confidential information, but only if they are configured correctly. Files in Google Drive, and all file metadata (titles and comments), are encrypted. Learn more about Google’s security focus here.
Yes! Google Drive and the rest of Google Workspace are very mobile-friendly. You can use Google Drive in a HIPAA-compliant manner if you use the Google Drive app on your smartphone or tablet AND you have Google Workspace configured properly.
Google Workspace subscriptions include a Mobile Device Management system, which allows you to require screen locks or passwords and to remove confidential data from devices as needed.
Google Workspace is perfect for smaller medical practices that need HIPAA-compliant email, cloud storage, telehealth and more - but what if you already have a solution for email and telehealth and you just need cloud storage? You might want to look at other options, just to see other offerings.
We have an article that quickly reviews 11 HIPAA-compliant cloud storage options.
One of the most popular cloud storage solutions is Dropbox. Here’s a quick comparison between Google Drive (as a part of Google Workspace, not the free version) and Dropbox:
| | Google Drive | Dropbox |
| --- | --- | --- |
| Sign BAA? | Yes | Yes |
| Cost | $6/user/month (Basic); $12/user/month (Business); $18/user/month (Business Plus) | $19.99/month for 1 user; $15.00/user/month for 3 users |
| Storage | 30 GB - 5 TB/user, depending on plan | 3-5 TB, depending on plan |
| Two-step verification | Yes | Yes |
| Encryption at rest | Yes | Yes |
| Encryption in transit | Yes | Yes |
| Remote wipe* | Yes | Yes |

*In case a device is lost or stolen, it’s important to be able to remove files containing PHI.
If you’re considering Google Drive, Dropbox or any other cloud storage solution, it’s important to review the actual features that you intend to use. We didn’t look at every feature of these solutions in our comparison, so be sure to check their websites for more information.
Most practitioners who want to use Google Drive in their practice want to use the entire Google Workspace service. You need to set up your Google Workspace account properly. Google strives to make its services easy to use, collaborate in, and share from — which is great, but HIPAA requires you to limit sharing. You only want to share things with intended recipients!
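Because the risk with Drive is sharing PHI beyond the intended recipients, the check a practice administrator most wants is a quick audit of who each file is actually shared with. The script below is an added example, not code from the article or from Google: it walks file records in the shape returned by the Google Drive API v3 `files.list` call (with `permissions(type,role,emailAddress,domain,allowFileDiscovery)` requested in `fields`) and flags link sharing, external collaborators and whole-organization sharing. The sample records and the organization domain `example-clinic.com` are constructed assumptions; in real use you would feed it the output of an authenticated `files.list` call and substitute your Workspace primary domain.

```python
"""Flag Google Drive files whose sharing scope is wider than intended recipients.

Added example. File records mirror the Google Drive API v3 `files.list`
response shape; the records and ORG_DOMAIN below are constructed samples.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example-clinic.com"  # assumption: your Workspace primary domain

# Constructed sample records (not real files) in Drive API v3 shape.
SAMPLE_FILES = [
    {   # shared via "anyone with the link"
        "id": "f1", "name": "Intake form template",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.com"},
            {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
        ],
    },
    {   # shared with an external personal account
        "id": "f2", "name": "Smith, J - visit notes",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.com"},
            {"type": "user", "role": "writer", "emailAddress": "billing@example-clinic.com"},
            {"type": "user", "role": "reader", "emailAddress": "someone@gmail.com"},
        ],
    },
    {   # shared with every user in the organization
        "id": "f3", "name": "Staff schedule",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "office@example-clinic.com"},
            {"type": "domain", "role": "reader", "domain": "example-clinic.com"},
        ],
    },
    {   # shared only with an internal group: no finding expected
        "id": "f4", "name": "Referral letter",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.com"},
            {"type": "group", "role": "commenter", "emailAddress": "clinicians@example-clinic.com"},
        ],
    },
]


@dataclass
class Finding:
    file_id: str
    name: str
    severity: str  # "high" (outside the organization) or "medium" (too broad inside it)
    reason: str


def _is_internal(address: str, org_domain: str) -> bool:
    """True when an email address belongs to the organization's own domain."""
    return address.lower().endswith("@" + org_domain.lower())


def check_permission(perm: dict, org_domain: str):
    """Return (severity, reason) for one permission entry, or None if it is acceptable."""
    ptype = perm.get("type")
    if perm.get("role") == "owner":
        return None  # the owner always has access; nothing to flag
    if ptype == "anyone":
        if perm.get("allowFileDiscovery", False):
            return ("high", "public: anyone on the internet can find and open this file")
        return ("high", "anyone with the link can open this file")
    if ptype == "domain":
        dom = perm.get("domain", "")
        if dom.lower() != org_domain.lower():
            return ("high", f"shared with every user in external domain {dom}")
        return ("medium", "shared with the entire organization")
    if ptype in ("user", "group"):
        addr = perm.get("emailAddress", "")
        if not _is_internal(addr, org_domain):
            return ("high", f"shared with external {ptype} {addr}")
        return None
    return ("medium", f"unrecognized permission type {ptype!r}")


def audit_sharing(files, org_domain: str = ORG_DOMAIN):
    """Collect one Finding per over-broad permission across all files, in input order."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            result = check_permission(perm, org_domain)
            if result:
                severity, reason = result
                findings.append(Finding(f["id"], f["name"], severity, reason))
    return findings


if __name__ == "__main__":
    for fnd in audit_sharing(SAMPLE_FILES):
        print(f"[{fnd.severity.upper()}] {fnd.name} ({fnd.file_id}): {fnd.reason}")
```

Run on the constructed records it reports three findings: the link-shared template and the note shared with a personal Gmail address as high severity, and the schedule shared with the whole organization as medium. Whole-organization sharing is reported separately because it is internal but still wider than "intended recipients only"; a group or individual inside the domain produces no finding.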
Hi, So can you use Google Drive on its own, without Google Workspace or a BAA?
Sure, you can use it, but it wouldn't be HIPAA compliant if you did that.
Think of it this way -- Google is taking on a LOT of legal liability by signing a BAA with you, and allowing you to store medical information on their servers. That's why Google (and every other cloud-based service) requires both a contract in the form of a BAA that clearly defines who is responsible for what, and a paid service.
If you are to avoid putting PHI in titles of files, folders or team drives, what else would you name them? How would you separate files from 100 different patients if you can't name them by the patient's name or other identifying information?
Hey Jamie - great question. Let me preface this by saying that we're not lawyers, and you should run what I'm about to say past your HIPAA compliance attorney. This is JUST my opinion, not a statement of fact.
My personal opinion is that PHI happens when you combine information about who someone is (e.g., their name) with information about their health information (e.g., symptoms, treatments, insurance numbers, etc.). So my interpretation of Google's guidance is that it's OK to put a patient's name in the title of documents or folders, but you shouldn't put any information about their symptoms, care, health insurance numbers, etc.
If your attorney has a more stringent view of what defines PHI, then you could certainly create a coding system for patients. I know many doctor's offices use something like the combination of a patient's birthdate and the first three letters of their last name to create unique codes, so that may be something to explore as well.
Hope this is helpful!