Yes, Google Drive can be HIPAA compliant. You can store documents containing PHI (Protected Health Information) on Google Drive if the proper security controls are in place. In this post, we will highlight what to consider when storing critical patient information on Google Drive.
Encrypt the Documents You Store on Google Drive
Files containing PHI stored on Google Drive should be encrypted before being uploaded. We can recommend several options that allow you to manage encryption keys in Google Drive in order to meet HIPAA compliance requirements.
Manual Encryption Options
- Good, no-cost software for manually encrypting your files includes VeraCrypt and DiskCryptor.
- Paid services like AxCrypt have even more features to help you manage encrypted file access, including robust key sharing, password management, backup keys, mobile support, file wiping and more.
Encryption Key Management
- G Suite’s Business and Enterprise editions offer the ability to deploy and monitor security keys for your organization.
- Be wary of encrypting your PHI using any service that does not allow you to manage your own encryption keys. If there is no BAA in place with your vendor, they should not be in charge of managing your encryption keys.
Contact us if you have questions about integrating encryption software into your established procedures.
User Permission and Activity Monitoring
Before storing PHI on Google Drive, administrators must properly configure permissions to specify:
- What directories and files can be accessed by what users
- What files can be shared with what users
- Which users can share files with other users
User activity and file version updates should be periodically reviewed to identify any unauthorized user access and to ensure that the file permission settings are correctly assigned.
Will Google Sign a Business Associate Agreement?
Google provides official instructions titled Accept the HIPAA Business Associate Amendment that G Suite administrators can use to review and accept a HIPAA Business Associate Agreement (BAA). You will be guided through the process of accepting your BAA in 5 easy steps.
Takeaways
- Google Drive can be HIPAA compliant with proper file encryption and administrative security
- Google will sign a Business Associate Agreement (BAA)
- Check out our blog for more guidance on Choosing HIPAA Compliant Software
Are you unsure if Google Drive is the right file storage platform to support your healthcare services?
Gazelle Consulting is here to help! Call us today at (503) 389-5666, email us at info@gazelleconsulting.org, or contact us here. We can answer all of your HIPAA compliance questions and help you feel as confident as a lion in a grassy savanna.