Yes, you can use Google Drive in a HIPAA compliant environment, but only if you’re careful! That’s the quick answer. Read on to learn more!
Every day we hear from practitioners who want to use Google Workspace in their medical practice. Google Workspace is easy-to-use, affordable, and can be HIPAA compliant. Most people want Google Workspace for Gmail, but having access to Google Drive and Docs really makes the subscription cost worthwhile.
In this article you will learn:
Google Workspace is a collection of collaboration and productivity tools. You’re probably using some of these tools already: Gmail, Docs, Drive, Calendar, Meet and more.
Google Workspace is a paid subscription service. If your email address ends with @gmail.com you are using Google’s free Gmail and apps, not Google Workspace.
What’s the difference between Google Workspace and free Gmail? Basically, the difference is having @gmail.com or @yourcompany.com at the end of your email address. You also get more cloud storage, phone/email support, additional security options and administrative controls with Google Workspace,.
You can use Google Workspace in a HIPAA compliant manner, but it is not HIPAA compliant right out of the box. Free Gmail/Google Apps cannot be HIPAA compliant since Google will not provide a BAA for free Gmail accounts. We have a bunch of articles about making Google Workspace HIPAA compliant:
Google will provide a BAA for Google Workspace account holders. Need help finding it? Check out this help article: https://support.google.com/a/answer/3407074?hl=en
Google’s BAA does not cover every service in Google Workspace. Protected Health Information (PHI) can be used in the following Google Workspace Apps: Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Chat, Hangouts Meet, Keep, Google Cloud Search, Google Voice (managed users only), Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.
Google Drive is included in that list! If you configure file sharing properly in Google Drive, it’s a great choice for HIPAA compliant cloud storage.
But here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace/Google Drive HIPAA compliant.
Seriously – Google CLEARLY says
“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”
“PHI is allowed only in a subset of Google services.”
“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected."
So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.
You need to make sure your account is secure.
Google Drive is a secure, easy-to-use cloud storage solution. It’s very easy to create and share files and folders. This is great from a collaboration standpoint, but not great from a HIPAA-standpoint. This is why it’s imperative that you set up Google Drive correctly to avoid sharing documents with the wrong recipients!
Google Drive is kind of like a cross between Dropbox (where you can back up your files to the cloud) and Microsoft Office (for creating and editing documents). It’s all in your web browser, and is really easy to learn and use.
You can upload any type of file to Drive and convert files to a Google document format: Docs (like Microsoft Word), Sheets (like Microsoft Excel) or Slides (like Microsoft PowerPoint).
How much cloud storage do you get? There are three levels of Google Workspace, and each has a different price/user and amounts of Drive cloud storage:
12/31/2020: here's a link to their pricing page: https://workspace.google.com/pricing.html
Google Docs are intuitive collaboration and documentation tools. They are web-based and very similar to Microsoft Word, Excel and PowerPoint. You can convert many types of files into Google Docs formats:
And the answer is YES! Google Docs (with a paid Google Workspace subscription, signed BAA and appropriately configured settings) can be HIPAA compliant. They clearly state this in Google’s HIPAA Implementation Guide (linked at the end of this article).
Google’s BAA covers Google Drive and Docs, so these services are appropriate for storing PHI. Google’s HIPAA Implementation Guide recommends the following:
Yes, Google Drive and Docs is safe for storing medical records or confidential information, but only if it’s configured correctly. Files in Google Drive and all file metadata (titles and comments) are encrypted. Learn more about Google’s Security focus here: https://support.google.com/googlecloud/answer/6056693?hl=en&visit_id=637275245913296513-3573186912&rd=1
Yes! Google Drive and the rest of Google Workspace is very mobile friendly. You can use Google Drive in a HIPAA compliant manner if you use the Google Drive app on your smartphone or tablet AND you have Google Workspace configured properly.
Google Workspace subscriptions include a Mobile Device Management system which allows you to require screenlocks or passwords in addition to removing confidential data from devices as needed.
Google Workspace is perfect for smaller medical practices that need HIPAA compliant email, cloud storage, telehealth and more - but what if you already have a solution for email and telehealth and you just need cloud storage? You might want to look at other options, just to see other offerings.
We have an article that quickly reviews 11 HIPAA compliant cloud storage options: https://adeliarisk.com/hipaa-compliant-cloud-storage/
One of the most popular cloud storage solutions is Dropbox. Here’s a quick comparison between Google Drive (as a part of Google Workspace, not the free version) and Dropbox:
|Cost||- $6/user/month Basic
- $12/user/month Business
- $18/user/month Business Plus
|- $17/month for 1 user
- $12.50/user/month for 3 users
|Storage||30 GB - 5 TB/user depending on plan||3-5 TB depending on plan|
|Encryption at rest||Yes||Yes|
|Encryption in transit||Yes||Yes|
*in case a device is lost or stolen, it’s important to be able to remove files containing PHI
If you’re considering Google Drive, Dropbox or any other cloud storage solution, it’s important to review the actual features that you intend to use. We didn’t look at every feature of these solutions in our comparison, so be sure to check their websites for more information.
Most practitioners who want to use Google Drive in their practice want to use the entire Google Workspace service. You need to set up your Google Workspace account properly. Google strives to make services easy to use, collaborate and share — which is great, but HIPAA requires you to limit sharing. You only want to share things with intended recipients!
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!