Yes, Google Drive can be used as part of a secure HIPAA compliance program. You can store documents containing PHI on Google Drive if the proper security controls are in place. Below we highlight what to consider when storing critical patient information on Google Drive.
Encrypt the Documents You Store on Google Drive
Files containing PHI should be encrypted before being uploaded to Google Drive. We can recommend several options that let you manage the encryption keys yourself in order to meet HIPAA requirements.
Manual Encryption Options
Good no-cost options for manually encrypting your files include VeraCrypt and DiskCryptor. Paid services such as AxCrypt add further features for managing access to encrypted files, including robust key sharing, password management, backup keys, mobile support, file wiping and more.
Google’s Built-In Encryption Options
If you would prefer to use the services available through Google, G Suite’s Business and Enterprise editions offer the ability to deploy and monitor security keys for your organization. Be wary of encrypting your PHI with any service that does not allow you to manage your own encryption keys; you may need to sign a BAA first.
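As an added illustration of the point this section makes (not code from this article, nor from VeraCrypt, AxCrypt or Google), the following Go program seals a document under a key that the organization holds before the file is handed to any upload step. It uses AES-256-GCM from Go's standard library; the key source, the envelope layout and the binding of the file name to the ciphertext are choices of this example, and the patient record is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// magic marks a blob as produced by this tool so that a decryptor can reject
// files that were never encrypted (e.g. PHI uploaded in the clear by mistake).
var magic = []byte("PHI-ENC1")

const keyLen = 32 // AES-256

// NewKey generates a fresh 256-bit data-encryption key. In a real deployment
// the key comes from an organization-controlled key store (hypothetical here);
// it is never stored alongside the ciphertext in Drive.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptDocument seals plaintext under key with AES-256-GCM. The file name is
// bound to the ciphertext as associated data, so a blob cannot be renamed or
// swapped for another patient's record without failing authentication.
// Layout of the returned blob: magic || 12-byte nonce || ciphertext+tag.
func EncryptDocument(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(name)), nil
}

// DecryptDocument reverses EncryptDocument. Any error means the blob must not
// be trusted: wrong key, wrong file name, truncation, or modified bytes.
func DecryptDocument(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	headerLen := len(magic) + aead.NonceSize()
	if len(blob) < headerLen+aead.Overhead() || !bytes.HasPrefix(blob, magic) {
		return nil, errors.New("not an encrypted PHI envelope")
	}
	nonce := blob[len(magic):headerLen]
	plaintext, err := aead.Open(nil, nonce, blob[headerLen:], []byte(name))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong file name, or tampered data")
	}
	return plaintext, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; no real patient data.
	record := []byte("Patient: J. Doe (constructed sample), visit notes")
	blob, err := EncryptDocument(key, "visit-notes.pdf", record)
	if err != nil {
		panic(err)
	}
	// Only blob is handed to the Drive upload; the plaintext never leaves the workstation.
	fmt.Printf("uploadable blob: %d bytes, plaintext visible: %v\n", len(blob), bytes.Contains(blob, record))
	back, err := DecryptDocument(key, "visit-notes.pdf", blob)
	fmt.Printf("decrypted ok: %v, err: %v\n", bytes.Equal(back, record), err)
}
```

Only the sealed blob is uploaded; the key stays in the organization's own key store, which is what lets you answer the question of who controls the keys that this section raises. Because GCM authenticates the data, a file that was altered or renamed in storage fails to decrypt rather than yielding silently corrupted PHI.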
Contact us if you have questions about integrating encryption software into your established procedures.
User Permission and Activity Monitoring
Before storing PHI on Google Drive, administrators must properly configure permissions, including which files can be shared with which users and which users may share files with others. User activity and file version history should be reviewed periodically to identify any unauthorized access and to confirm that file permissions are still assigned correctly.
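To make the periodic review concrete, here is an added Go example (not code from this article or from Google) that runs two checks over a constructed sharing listing and a constructed set of access events: which permissions expose a PHI file outside the organization's domain, and which accesses came from accounts that are not on the approved roster or that hold no explicit permission on the file. The field names on Permission follow the Drive API v3 permission resource; relying on that shape, the simplified event record and the clinic.example domain are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission mirrors the Drive API v3 permission fields that matter for review
// (assumed shape). AccessEvent is a hypothetical, simplified activity record
// such as one exported from the admin audit log.
type (
	Permission  struct{ Type, Role, EmailAddress, Domain string } // Type: user, group, domain, anyone
	File        struct {
		Name        string
		Permissions []Permission
	}
	AccessEvent struct{ Actor, Event, File string } // who, what (view/edit/download), which file
)

// Constructed sample data: three PHI files and four access events.
var sampleFiles = []File{
	{"intake-form-0001.pdf", []Permission{
		{"user", "owner", "alice@clinic.example", ""},
		{"user", "reader", "bob@clinic.example", ""},
		{"anyone", "reader", "", ""}}},
	{"lab-results-0002.pdf", []Permission{
		{"user", "owner", "alice@clinic.example", ""},
		{"user", "writer", "carol@partner.example", ""}}},
	{"billing-0003.pdf", []Permission{
		{"user", "owner", "alice@clinic.example", ""},
		{"domain", "reader", "", "clinic.example"}}},
}

var sampleEvents = []AccessEvent{
	{"alice@clinic.example", "view", "intake-form-0001.pdf"},
	{"bob@clinic.example", "download", "intake-form-0001.pdf"},
	{"mallory@webmail.example", "view", "intake-form-0001.pdf"},
	{"dave@clinic.example", "view", "lab-results-0002.pdf"},
}

// ReviewSharing returns one finding per permission that exposes a file outside
// orgDomain: link sharing, a foreign domain, or an external account.
func ReviewSharing(files []File, orgDomain string) []string {
	var out []string
	suffix := "@" + strings.ToLower(orgDomain)
	for _, f := range files {
		for _, p := range f.Permissions {
			switch p.Type {
			case "anyone":
				out = append(out, fmt.Sprintf("%s: link sharing enabled (%s)", f.Name, p.Role))
			case "domain":
				if !strings.EqualFold(p.Domain, orgDomain) {
					out = append(out, fmt.Sprintf("%s: shared with foreign domain %s (%s)", f.Name, p.Domain, p.Role))
				}
			case "user", "group":
				if !strings.HasSuffix(strings.ToLower(p.EmailAddress), suffix) {
					out = append(out, fmt.Sprintf("%s: external %s %s (%s)", f.Name, p.Type, p.EmailAddress, p.Role))
				}
			}
		}
	}
	return out
}

// ReviewActivity flags each access by an account missing from the approved
// roster, and each access by a rostered account with no explicit permission on
// the file (reached through link/domain sharing, or a grant removed since).
func ReviewActivity(events []AccessEvent, files []File, roster map[string]bool) []string {
	granted := map[string]map[string]bool{} // file name -> explicitly granted emails
	for _, f := range files {
		granted[f.Name] = map[string]bool{}
		for _, p := range f.Permissions {
			if p.EmailAddress != "" {
				granted[f.Name][strings.ToLower(p.EmailAddress)] = true
			}
		}
	}
	var out []string
	for _, e := range events {
		actor := strings.ToLower(e.Actor)
		switch {
		case !roster[actor]:
			out = append(out, fmt.Sprintf("%s: %s by non-rostered account %s", e.File, e.Event, e.Actor))
		case !granted[e.File][actor]:
			out = append(out, fmt.Sprintf("%s: %s by %s without an explicit permission", e.File, e.Event, e.Actor))
		}
	}
	return out
}

func main() {
	roster := map[string]bool{"alice@clinic.example": true, "bob@clinic.example": true, "dave@clinic.example": true}
	findings := append(ReviewSharing(sampleFiles, "clinic.example"), ReviewActivity(sampleEvents, sampleFiles, roster)...)
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

On the sample data the sharing check reports the link-shared intake form and the external editor on the lab results, while the activity check reports the non-rostered viewer and a staff member who reached a file without a grant of their own. In practice the file listing and events would come from the Drive API and the admin audit log, and each finding is a prompt to re-check the permission, not an automatic revocation.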