Google Drive can be HIPAA compliant, but only with a signed Business Associate Agreement and the right configuration. Adelia Risk audits Google Workspace tenants for healthcare organizations, and Google Drive sharing settings are one of the places where we find the most gaps. Practices storing medical records in Google Drive often do not realize how broadly those files can be shared until someone takes a closer look.
This guide covers what makes Google Drive HIPAA compliant, the specific settings you need to configure, and the mistakes we see healthcare organizations make with Drive, Docs, Sheets, and Slides. If you need the broader Google Workspace security picture, see our companion guide covering Gmail, Meet, Chat, and the rest of the Google Workspace environment.
The Quick Answer
Yes, Google Drive is HIPAA compliant if:
- You have a paid Google Workspace subscription. Consumer Google accounts (@gmail.com addresses) cannot be used: Google does not offer its HIPAA BAA for consumer Gmail, and consumer accounts lack the admin controls needed to be HIPAA-compliant.
- You’ve signed Google’s Business Associate Agreement. The BAA is available in the Admin Console under Account > Account Settings > Legal and Compliance. It takes about two minutes.
- You’ve configured Drive’s sharing and security settings. This is where most practices fall short. The BAA is the legal foundation. Configuration is what actually protects patient data.
Google’s HIPAA Included Functionality covers Drive and the related Workspace tools used inside it, including Docs, Sheets, Slides, Forms, and Vids. Google also states that file content and metadata are encrypted in transit and at rest on its infrastructure.
Google is also clear about where its responsibility ends. Its own HIPAA guidance makes two points that matter here:
“Customers are responsible for ensuring that they use Google services in compliance with HIPAA.”
“These Google covered services must be configured by IT administrators to help ensure that PHI is properly protected.”
What Makes Google Drive Risky for PHI
Google built Drive for collaboration. Easy sharing is a feature. For healthcare organizations, easy sharing is a liability.
A medical office moves to Google Workspace. The admin signs the BAA, sets up email, and leaves the Drive defaults alone.
An office manager creates a shared spreadsheet to track patient referrals. A billing specialist shares an insurance form with “anyone with the link.” A provider uploads scanned intake forms to a folder that’s shared across the organization, including staff who don’t need access to those records.
None of these people did anything malicious. The system just made it easy to put PHI in places it shouldn’t be.
HIPAA’s Security Rule requires access controls that limit ePHI access to authorized persons (45 CFR 164.312(a)(1)). Drive’s defaults do not enforce that on their own. Your team has to set the controls.
The financial consequences are real. HIPAA penalties for configuration failures start at $10,000 per violation and can reach $50,000 for willful neglect, with an annual cap of $1.5 million per category. A misconfigured sharing setting that exposes a spreadsheet of patient records is a reportable breach, not a hypothetical.
The Settings That Matter Most
Restrict External Sharing
This is the single most important setting for Google Drive HIPAA compliance. It controls whether users can share files with people outside your organization.
With external sharing set to “Anyone with the link,” a single user can make a file containing patient data accessible to the entire internet. No password. No sign-in. Just a URL.
What to do: In the Admin Console, go to Apps > Google Workspace > Drive and Docs > Sharing settings. Set external sharing to one of:
- Off: No external sharing at all
- Allowlisted domains only: Users can share with specific trusted organizations
- Signed-in users only: External recipients must sign in with a Google account
For organizational units that handle PHI directly (clinical, billing, records), we recommend “Off” or “Allowlisted domains only.” For administrative staff who need to share with external partners, “Signed-in users only” is a workable middle ground.
For detailed Admin Console paths and step-by-step guidance, see Adelia Risk’s Google Drive and Docs Security Settings guide.
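Before changing the external sharing setting, it helps to know which existing files each option would leave out of policy. The following is an added example (not Google's or Adelia Risk's code) that classifies a file's exposure from its permission list and checks it against the three options above; the domain names and file records are constructed, and the permission fields mirror the shape of the Drive API v3 "permissions" resource.

```python
# Added example: classify how widely each file is shared and compare the
# result with the three external-sharing options (Off, Allowlisted domains,
# Signed-in users only). Domains and file records below are constructed.
INTERNAL_DOMAIN = "example-clinic.test"
ALLOWLISTED_DOMAINS = {"partner-lab.test"}

SAMPLE_FILES = [
    {"name": "Referral tracker", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "om@example-clinic.test"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "Insurance form", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "billing@example-clinic.test"},
        {"type": "user", "role": "writer", "emailAddress": "someone@personal-mail.test"}]},
    {"name": "Intake forms", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr@example-clinic.test"},
        {"type": "domain", "role": "reader", "domain": "example-clinic.test"}]},
    {"name": "Lab contract", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
        {"type": "domain", "role": "reader", "domain": "partner-lab.test"}]},
]

# Most to least exposed; "public-link" is the "Anyone with the link" case.
EXPOSURE_ORDER = ["public-discoverable", "public-link", "external",
                  "allowlisted-external", "domain-wide", "internal"]

def permission_exposure(p):
    t = p.get("type")
    if t == "anyone":
        return "public-discoverable" if p.get("allowFileDiscovery") else "public-link"
    if t == "domain":
        domain = p.get("domain", "")
    elif t in ("user", "group"):
        domain = p.get("emailAddress", "").rsplit("@", 1)[-1]
    else:
        return "external"  # unknown type: assume the worst reasonable case
    if domain == INTERNAL_DOMAIN:
        return "domain-wide" if t == "domain" else "internal"
    return "allowlisted-external" if domain in ALLOWLISTED_DOMAINS else "external"

def file_exposure(f):
    """Worst-case exposure across all of a file's permissions."""
    return min((permission_exposure(p) for p in f["permissions"]), key=EXPOSURE_ORDER.index)

def violations(files, policy):
    """Files that a given external-sharing setting ('off', 'allowlist',
    'signed-in') should not permit; review these before flipping the setting."""
    allowed = {"off": {"internal", "domain-wide"}}
    allowed["allowlist"] = allowed["off"] | {"allowlisted-external"}
    allowed["signed-in"] = allowed["allowlist"] | {"external"}  # named accounts only
    return sorted(f["name"] for f in files if file_exposure(f) not in allowed[policy])
```

Run `violations(SAMPLE_FILES, "off")` to see every file that has been shared beyond the organization; the "signed-in" policy still flags the file shared with anyone holding the link.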
Disable “Publish to the Web”
“Publish to the web” creates a genuinely public URL. Search engines can find and index published files. The published version auto-updates when the original changes.
A spreadsheet with patient names and appointment dates that gets published by mistake can stay visible until someone catches it and takes it down.
Turn this off for the entire organization. In a healthcare environment, there is rarely a good reason to publish internal files to the open internet.
Configure DLP Rules for Drive
Data Loss Prevention (DLP) rules scan files in Drive for sensitive content patterns. You can configure rules to detect common PHI patterns:
- Patient names combined with medical record numbers
- Social Security numbers
- Insurance ID numbers
- Diagnosis codes (ICD-10)
- Common health-related terms combined with identifying information
DLP will not catch everything, but it does help with the accidental exposures that happen when someone shares the wrong file or stores sensitive information in the wrong place. Start in “warn only” mode, review what it flags, and tighten the rules from there.
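To make the rule logic concrete, here is an added example (not Google's DLP engine, whose detectors are configured in the Admin Console) with simple detectors for the PHI patterns listed above, including the combination rule and the warn-only versus block distinction. The label formats (MRN, Dx, Patient:) and the sample files are constructed.

```python
import re
from dataclasses import dataclass

# Added example: heuristic detectors for the PHI patterns in the list above.
# Label formats and sample content are constructed; these are illustrations
# of rule logic, not Google's predefined detectors.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ICD10_RE = re.compile(r"\b(?:ICD-?10|Dx|Diagnosis)\b[:\s]*([A-Z]\d{2}(?:\.[A-Z0-9]{1,4})?)\b", re.I)
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.I)
PATIENT_RE = re.compile(r"\bPatient(?: name)?:\s*[A-Z][a-z]+ [A-Z][a-z]+")

@dataclass
class Finding:
    rule: str
    match: str
    action: str  # "warn" or "block"

def scan(text, block=False):
    """Scan one file's content and return findings in the order found."""
    action = "block" if block else "warn"
    findings = [Finding("ssn", m.group(0), action) for m in SSN_RE.finditer(text)]
    findings += [Finding("icd10", m.group(1), action) for m in ICD10_RE.finditer(text)]
    # Combination rule from the list above: a patient name AND an MRN in the
    # same file. Either alone is noise; together they identify a patient record.
    mrn = MRN_RE.search(text)
    if mrn and PATIENT_RE.search(text):
        findings.append(Finding("name+mrn", mrn.group(0), action))
    return findings

def scan_files(files, block=False):
    """files: {title: content}. Returns {title: [Finding, ...]}."""
    return {title: scan(content, block) for title, content in files.items()}

# Constructed sample files: two that should be flagged, one that should not.
SAMPLE_FILES = {
    "Referral tracker": "Patient: Jane Doe, MRN 00123456, Dx: E11.9, referred to cardiology",
    "Insurance form": "Member SSN 123-45-6789, group plan ID XYZ-88",
    "Lab Results 03-2026": "Glucose 95 mg/dL, A1c 5.4%, no diagnosis change",
}
```

Reviewing `scan_files(SAMPLE_FILES)` in warn mode first shows which rules fire on real content before any rule is switched to block.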
Most healthcare organizations we audit haven’t set up Drive DLP at all, even when they have email DLP configured. Drive DLP is a separate setting. Email rules don’t carry over.
Watch out for third-party add-ons too. PDF converters, e-signature tools, and other Marketplace apps your staff connect to Drive sit outside Google’s BAA. If one of those tools touches ePHI, that vendor needs its own review and, where appropriate, its own BAA.
Lock Down Shared Drives
Shared Drives (formerly Team Drives) hold your organization’s files in a shared space. They often contain the most sensitive data because that’s where teams collaborate on patient records, billing, and operations.
The HIPAA minimum necessary standard means staff should only have access to the Shared Drives they need for their role. Review these settings:
- Who can create Shared Drives: Restrict to admins or specific roles
- Whether members can override sharing settings: Turn this off for drives containing PHI
- Whether non-members can access individual files: Turn this off
- Whether files can be downloaded, copied, or printed: Consider restricting for PHI-containing drives
Control Desktop Sync
Desktop sync is one of the most overlooked risks in a Google Drive HIPAA compliance review. Google Drive for Desktop syncs files to local computers. Once synced, those files exist on the local hard drive outside of Google’s access controls, DLP, and sharing restrictions.
If a laptop with synced ePHI files is lost or stolen, the outcome depends heavily on whether the device was encrypted in a way that meets HHS guidance. A properly encrypted device can fall within HIPAA’s safe-harbor framework, while an unencrypted one creates a much harder breach-notification problem.
Options:
- Disable Drive for Desktop entirely. This is usually the cleanest option in higher-security environments.
- Restrict to streaming mode so files stay in the cloud instead of being stored locally.
- Require device encryption through Google’s mobile device management.
Set the Access Checker Default
When users share a file by link, Google presents a default audience. If the default is “anyone with the link,” most users will accept that default without thinking. Set the Access Checker default to “recipients only” so users start from the safest option.
Are Google Docs HIPAA Compliant?
Yes. Google Docs, Sheets, Slides, and Forms are all part of Google Drive and covered under the BAA. The same sharing and DLP decisions you make for Drive also carry over to Docs.
A few things to watch:
File titles. Google’s HIPAA Implementation Guide recommends avoiding PHI in file and folder titles. Titles show up in search results, shared links, and activity logs. “John Smith Lab Results March 2026” is PHI in a title. “Lab Results 03-2026” is not.
Comments and suggestions. Comments on Google Docs are visible to anyone with access to the file. If clinical staff discuss patient details in doc comments, those comments contain PHI. Make sure commenting access matches the file’s sensitivity level.
Version history. Google Docs keeps a detailed version history. If PHI appears in an earlier version of a document, editing it out later does not automatically solve the problem. Version history can still preserve that information for people with the right level of access.
Google Drive vs. Other HIPAA-Compliant Storage
Healthcare organizations sometimes ask how Drive compares to Dropbox, OneDrive, or Box for HIPAA compliance. All four will sign a BAA. The compliance differences come down to configuration, rather than the platform itself.
For teams already on Google Workspace, Drive’s main advantage is operational simplicity. File storage, email, chat, and meetings sit inside the same admin environment, which makes policy, visibility, and access management easier to keep aligned.
The disadvantage is the same one that makes Drive risky: it’s built for easy collaboration, and the defaults reflect that. Any of these platforms can be HIPAA-compliant if configured correctly. None of them are compliant with default settings.
What to Do Next
If you’re running Google Workspace in a healthcare organization and storing PHI in Drive, work through these steps:
- Verify your BAA is signed. Admin Console > Account > Account Settings > Legal and Compliance.
- Restrict external sharing. This is the highest-impact change you can make.
- Disable “Publish to the web.”
- Set up Drive DLP rules for common PHI patterns.
- Review Shared Drive membership and settings for drives that contain patient data.
- Decide on a desktop sync policy and enforce it.
- Enforce two-step verification for all accounts. A compromised account with Drive access puts every file that a user can reach at risk.
- Train staff on Drive sharing practices. Even with the right settings, users need to understand why they shouldn’t share files externally, put PHI in file titles, or install unapproved add-ons.
That covers the high-priority items. If you want to go deeper, we have two resources:
For a fuller walkthrough of all Drive security settings with Admin Console paths and common mistakes, see Adelia Risk’s Google Drive and Docs Security Settings guide.
For the broader picture covering Gmail, Meet, Chat, and all other Google Workspace products, see our Google Workspace HIPAA Compliance Guide.
Beyond the Checklist
Configuring Drive is one piece of making your Google Workspace HIPAA-compliant. If you’d like a professional review of your entire Workspace tenant against HIPAA requirements, Adelia Risk’s Google Workspace HIPAA compliance audit covers all 96 settings, validates your BAA, tests your DLP rules, and reviews the documentation your auditor will ask for.
Have a question about a specific Drive setting? We’re happy to help, even if you’re handling configuration yourself.