Call now for cybersecurity help: 888-646-1616
Holly Sagstetter

Is Google Drive HIPAA Compliant in 2023?

Yes, you can use Google Drive in a HIPAA compliant environment, but only if you’re careful! That’s the quick answer. Read on to learn more!

Every day we hear from practitioners who want to use Google Workspace in their medical practice. Google Workspace is easy-to-use, affordable, and can be HIPAA compliant. Most people want Google Workspace for Gmail, but having access to Google Drive and Docs really makes the subscription cost worthwhile.

Feature Download: FREE checklist about Gmail and Google Workspace HIPAA Compliance (Download Now)

In this article you will learn:

  • What is Google Workspace?
  • Is Google Workspace HIPAA compliant?
  • How to sign a BAA with Google
  • What is Google Drive?
  • Is using Google Docs HIPAA compliant?
  • What’s the difference between Google Drive and Dropbox?
  • How do I make Google Drive HIPAA compliant?

What is Google Workspace and is it HIPAA Compliant?

Google Workspace is a collection of collaboration and productivity tools. You’re probably using some of these tools already: Gmail, Docs, Drive, Calendar, Meet and more.

G Suite HIPAA Setup Service

Google Workspace is a paid subscription service. If your email address ends with you are using Google’s free Gmail and apps, not Google Workspace.

What’s the difference between Google Workspace and free Gmail? Basically, the difference is having or at the end of your email address. You also get more cloud storage, phone/email support, additional security options and administrative controls with Google Workspace,.

You can use Google Workspace in a HIPAA compliant manner, but it is not HIPAA compliant right out of the box. Free Gmail/Google Apps cannot be HIPAA compliant since Google will not provide a BAA for free Gmail accounts. We have a bunch of articles about making Google Workspace HIPAA compliant:

Google’s Business Associate Agreement (BAA)

Google will provide a BAA for Google Workspace account holders. Need help finding it? Check out this help article:

Google’s BAA does not cover every service in Google Workspace. Protected Health Information (PHI) can be used in the following Google Workspace Apps: Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Chat, Hangouts Meet, Keep, Google Cloud Search, Google Voice (managed users only), Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.

Google Drive is included in that list! If you configure file sharing properly in Google Drive, it’s a great choice for HIPAA compliant cloud storage.

Google Drive HIPAA compliant

BAA does not mean HIPAA compliance

But here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace/Google Drive HIPAA compliant.

Seriously – Google CLEARLY says

“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”

“PHI is allowed only in a subset of Google services.”

“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected."

So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.

You need to make sure your account is secure.

What is Google Drive?

Google Drive is a secure, easy-to-use cloud storage solution. It’s very easy to create and share files and folders. This is great from a collaboration standpoint, but not great from a HIPAA-standpoint. This is why it’s imperative that you set up Google Drive correctly to avoid sharing documents with the wrong recipients!

Google Drive is kind of like a cross between Dropbox (where you can back up your files to the cloud) and Microsoft Office (for creating and editing documents).  It’s all in your web browser, and is really easy to learn and use.

You can upload any type of file to Drive and convert files to a Google document format: Docs (like Microsoft Word), Sheets (like Microsoft Excel) or Slides (like Microsoft PowerPoint).

How much cloud storage do you get? There are three levels of Google Workspace, and each has a different price/user and amounts of Drive cloud storage:

  • Basic $6/user/month, 30 GB cloud storage per user
  • Business $12/user/month, 2 TB cloud storage per user
  • Business Plus $18/user/month, 5 TB cloud storage per user
  • Enterprise contact Google for pricing, unlimited cloud storage

12/31/2020: here's a link to their pricing page: 

Is using Google Docs HIPAA Compliant?

Google Docs are intuitive collaboration and documentation tools. They are web-based and very similar to Microsoft Word, Excel and PowerPoint. You can convert many types of files into Google Docs formats:

  • Docs (word processing similar to Microsoft Word)
  • Sheets (spreadsheets similar to Microsoft Excel)
  • Slides (presentations similar to Microsoft PowerPoint)

And the answer is YES! Google Docs (with a paid Google Workspace subscription, signed BAA and appropriately configured settings) can be HIPAA compliant. They clearly state this in Google’s HIPAA Implementation Guide (linked at the end of this article).

HIPAA Services

Is Google Drive and Docs safe for confidential information or medical records?

Google’s BAA covers Google Drive and Docs, so these services are appropriate for storing PHI. Google’s HIPAA Implementation Guide recommends the following:

  • Avoid putting PHI in titles of files, folders or team drives
  • Set appropriate file sharing permissions
  • Review file sharing reports, especially to see which files are shared with external users
  • Consider disabling third-party applications

Yes, Google Drive and Docs is safe for storing medical records or confidential information, but only if it’s configured correctly. Files in Google Drive and all file metadata (titles and comments) are encrypted. Learn more about Google’s Security focus here:

Can I use Google Drive on my Smartphone or Tablet?

Yes! Google Drive and the rest of Google Workspace is very mobile friendly. You can use Google Drive in a HIPAA compliant manner if you use the Google Drive app on your smartphone or tablet AND you have Google Workspace configured properly.

Google Workspace subscriptions include a Mobile Device Management system which allows you to require screenlocks or passwords in addition to removing confidential data from devices as needed.

Google Drive vs. Dropbox

Google Workspace is perfect for smaller medical practices that need HIPAA compliant email, cloud storage, telehealth and more - but what if you already have a solution for email and telehealth and you just need cloud storage? You might want to look at other options, just to see other offerings.

We have an article that quickly reviews 11 HIPAA compliant cloud storage options:

One of the most popular cloud storage solutions is Dropbox. Here’s a quick comparison between Google Drive (as a part of Google Workspace, not the free version) and Dropbox:

Google Drive Dropbox
Sign BAA? Yes Yes
Cost  - $6/user/month Basic

- $12/user/month Business

- $18/user/month Business Plus

- $17/month for 1 user

- $12.50/user/month for 3 users

Storage 30 GB - 5 TB/user depending on plan 3-5 TB depending on plan
Two-step verification Yes Yes
Encryption at rest Yes Yes
Encryption in transit Yes Yes
Remote wipe* Yes Yes

*in case a device is lost or stolen, it’s important to be able to remove files containing PHI

If you’re considering Google Drive, Dropbox or any other cloud storage solution, it’s important to review the actual features that you intend to use. We didn’t look at every feature of these solutions in our comparison, so be sure to check their websites for more information.

How to make Google Drive HIPAA compliant

Most practitioners who want to use Google Drive in their practice want to use the entire Google Workspace service. You need to set up your Google Workspace account properly. Google strives to make services easy to use, collaborate and share — which is great, but HIPAA requires you to limit sharing. You only want to share things with intended recipients!

Feature Download: FREE checklist about Gmail and Google Workspace HIPAA Compliance (Download Now)

Talk to us!

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!

Leave a Reply

Your email address will not be published. Required fields are marked *

4 comments on “Is Google Drive HIPAA Compliant in 2023?”

    1. Sure, you can use it, but it wouldn't be HIPAA compliant if you did that.

      Think of it this way -- Google is taking on a LOT of legal liability by signing a BAA with you, and allowing you to store medical information on their servers. That's why Google (and every other cloud-based service) requires both a contract in the form of a BAA that clearly defines who is responsible for what, and a paid service.

  1. If you are to avoid putting PHI in titles of files, folders or team drives, what else would you name them? How would you separate files from 100 different patients if you can't name them by the patient's name or other identifying information?

    1. Hey Jamie - great question. Let me preface this by saying that we're not lawyers, and you should run what I'm about to say past your HIPAA compliance attorney. This is JUST my opinion, not a statement of fact.

      My personal opinion is that PHI happens when you combine information about who someone is (e.g., their name) with information about their health information (e.g., symptoms, treatments, insurance numbers, etc.). So my interpretation of Google's guidance is that it's OK to put a patient's name in the title of documents or folders, but you shouldn't put any information about their symptoms, care, health insurance numbers, etc.

      If your attorney has a more stringent view of what defines PHI, then you could certainly create a coding system for patients. I know many doctor's offices use something like the combination of a patient's birthdate and the first three letters of their last name to create unique codes, so that may be something to explore as well.

      Hope this is helpful!


Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2023 Adelia Associates, LLC | All Rights Reserved