Yes, Google Drive can be used as part of a secure HIPAA compliance program. You can store documents containing PHI on Google Drive if the proper security controls are in place. In this post, we will highlight what to consider when storing critical patient information on Google Drive.
Encrypt the Documents You Store on Google Drive
Files containing PHI stored on Google Drive should be encrypted before being uploaded. We can recommend several options that allow you to manage encryption keys in order to meet HIPAA requirements.
Manual Encryption Options
- Good no-cost software for manually encrypting your files includes VeraCrypt and DiskCryptor.
- Paid services like AxCrypt have even more features to help you manage encrypted file access, including robust key sharing, password management, backup keys, mobile support, file wiping and more.
Encryption Key Management
- G Suite’s Business and Enterprise editions offer the ability to deploy and monitor security keys for your organization.
- Be wary of encrypting your PHI using any service that does not allow you to manage your own encryption keys. If there is no BAA in place with your vendor, they should not be in charge of managing your encryption keys.
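The two points above, encrypting before upload and keeping the key under your own control, come down to a small client-side routine. The following Go program is an added illustration, not code from Google or from any of the products named above: it generates a key that stays with the covered entity, seals a file with AES-256-GCM before it ever reaches Drive, and binds the Drive file name as associated data so a blob that is renamed or swapped between patient records refuses to decrypt. The record contents and file names are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob layout uploaded to Drive: 12-byte nonce || ciphertext || 16-byte GCM tag.
// The key is never part of the blob and never leaves the covered entity.

// NewKey returns a random 256-bit AES key. In practice it lives in a password
// manager, hardware token or KMS the organisation controls, not on Drive.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload encrypts plaintext under key. driveName (the name the blob will
// carry on Drive) is authenticated but not encrypted, so moving a ciphertext to
// a different record name is detected on decryption.
func SealForUpload(key, plaintext []byte, driveName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so one blob holds everything needed.
	return gcm.Seal(nonce, nonce, plaintext, []byte(driveName)), nil
}

// OpenDownloaded reverses SealForUpload; any bit flip or a mismatched
// driveName fails authentication and returns an error.
func OpenDownloaded(key, blob []byte, driveName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(driveName))
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; a real one would be read from disk.
	record := []byte("MRN 000123 - visit note (constructed sample)")
	blob, err := SealForUpload(key, record, "record-000123.bin")
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes to Drive; key stays local\n", len(blob))
	back, err := OpenDownloaded(key, blob, "record-000123.bin")
	fmt.Printf("decrypted: %q err=%v\n", back, err)
	_, err = OpenDownloaded(key, blob, "record-000999.bin")
	fmt.Printf("renamed blob opens? err=%v\n", err)
}
```

Only the sealed blob is handed to Drive; losing the key means losing the data, which is exactly why the key management section above matters.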
Contact us if you have questions about integrating encryption software into your established procedures.
User Permission and Activity Monitoring
Before storing PHI on Google Drive, administrators must properly configure permissions to specify:
- What directories and files can be accessed by what users
- What files can be shared with what users
- Which users can share files with other users
User activity and file version updates should be periodically reviewed to identify any unauthorized user access and to ensure that the file permission settings are correctly assigned.
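The permission review described in this section can be automated. The Go program below is an added example, not part of this post and not Google's code: it takes a listing of files and their sharing entries, modelled on the type, role, emailAddress and domain fields of a Drive API v3 permission resource, and reports every entry that breaks a simple PHI-folder policy (no link sharing, no principals outside the organisation's domain, edit rights only for approved accounts). The file names, accounts and the clinic.example domain are constructed; in production the listing would come from the Drive API rather than the SampleFiles function.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission mirrors the Drive API v3 permission fields relevant to a sharing
// review. Type is "user", "group", "domain" or "anyone".
type Permission struct {
	Type         string
	Role         string // "owner", "writer", "commenter", "reader", ...
	EmailAddress string // set for user and group entries
	Domain       string // set for domain entries
}

type FileShare struct {
	Name        string
	Permissions []Permission
}

type Finding struct {
	File   string
	Reason string
}

// ReviewSharing flags permissions that violate the PHI-folder policy:
//   - any "anyone with the link" entry
//   - domain-wide or account shares outside orgDomain
//   - owner/writer rights for internal accounts not in allowedEditors
func ReviewSharing(files []FileShare, orgDomain string, allowedEditors map[string]bool) []Finding {
	var findings []Finding
	suffix := "@" + strings.ToLower(orgDomain)
	for _, f := range files {
		for _, p := range f.Permissions {
			switch p.Type {
			case "anyone":
				findings = append(findings, Finding{f.Name, "shared with anyone who has the link (" + p.Role + ")"})
			case "domain":
				if !strings.EqualFold(p.Domain, orgDomain) {
					findings = append(findings, Finding{f.Name, "shared with external domain " + p.Domain})
				}
			case "user", "group":
				addr := strings.ToLower(p.EmailAddress)
				if !strings.HasSuffix(addr, suffix) {
					findings = append(findings, Finding{f.Name, "shared with external account " + p.EmailAddress})
					continue
				}
				if (p.Role == "owner" || p.Role == "writer") && !allowedEditors[addr] {
					findings = append(findings, Finding{f.Name, addr + " has " + p.Role + " access but is not an approved editor"})
				}
			default:
				findings = append(findings, Finding{f.Name, "unrecognised permission type " + p.Type})
			}
		}
	}
	return findings
}

// SampleFiles is a constructed listing standing in for a Drive API response.
func SampleFiles() []FileShare {
	owner := Permission{Type: "user", Role: "owner", EmailAddress: "records@clinic.example"}
	return []FileShare{
		{"intake-form.pdf.enc", []Permission{owner, {Type: "user", Role: "reader", EmailAddress: "nurse@clinic.example"}}},
		{"labs-2021.csv.enc", []Permission{owner, {Type: "anyone", Role: "reader"}}},
		{"referral.docx.enc", []Permission{owner, {Type: "user", Role: "reader", EmailAddress: "dr@partner.example"}}},
		{"billing.xlsx.enc", []Permission{owner, {Type: "user", Role: "writer", EmailAddress: "intern@clinic.example"}}},
		{"schedule.pdf.enc", []Permission{owner, {Type: "domain", Role: "reader", Domain: "clinic.example"}}},
		{"notes.txt.enc", []Permission{owner, {Type: "domain", Role: "reader", Domain: "other.example"}}},
	}
}

func main() {
	approved := map[string]bool{"records@clinic.example": true}
	for _, f := range ReviewSharing(SampleFiles(), "clinic.example", approved) {
		fmt.Printf("%-22s %s\n", f.File, f.Reason)
	}
}
```

Run on a schedule and diffed against the previous run, the output doubles as the periodic review of permission changes that this section calls for.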