Is Google Drive HIPAA Compliant in 2020? (2024)

Yes, you can use Google Drive in a HIPAA compliant environment, but only if you’re careful! That’s the quick answer. Read on to learn more!

Every day we hear from practitioners who want to use Google Workspace in their medical practice. Google Workspace is easy to use, affordable, and can be HIPAA compliant. Most people want Google Workspace for Gmail, but having access to Google Drive and Docs really makes the subscription cost worthwhile.


In this article you will learn:

  • What is Google Workspace?
  • Is Google Workspace HIPAA compliant?
  • How to sign a BAA with Google
  • What is Google Drive?
  • Is using Google Docs HIPAA compliant?
  • What’s the difference between Google Drive and Dropbox?
  • How do I make Google Drive HIPAA compliant?


What is Google Workspace and is it HIPAA Compliant?

Google Workspace is a collection of collaboration and productivity tools. You’re probably using some of these tools already: Gmail, Docs, Drive, Calendar, Meet and more.


Google Workspace is a paid subscription service. If your email address ends with @gmail.com you are using Google’s free Gmail and apps, not Google Workspace.

What’s the difference between Google Workspace and free Gmail? Basically, the difference is having @gmail.com or @yourcompany.com at the end of your email address. With Google Workspace you also get more cloud storage, phone/email support, additional security options and administrative controls.

You can use Google Workspace in a HIPAA compliant manner, but it is not HIPAA compliant right out of the box. Free Gmail/Google Apps cannot be HIPAA compliant since Google will not provide a BAA for free Gmail accounts. We have a bunch of articles about making Google Workspace HIPAA compliant:

  • HIPAA Compliant Gmail (17 Step How-To Guide for 2023)
  • Is Google Workspace HIPAA Compliant?
  • 5 Ways to Make Google Workspace HIPAA Compliant
  • Is Gmail Encryption HIPAA Compliant?

Google’s Business Associate Agreement (BAA)

Google will provide a BAA for Google Workspace account holders. Need help finding it? Check out this help article: https://support.google.com/a/answer/3407074?hl=en

Google’s BAA does not cover every service in Google Workspace. Protected Health Information (PHI) can be used in the following Google Workspace Apps: Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Chat, Hangouts Meet, Keep, Google Cloud Search, Google Voice (managed users only), Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.

Google Drive is included in that list! If you configure file sharing properly in Google Drive, it’s a great choice for HIPAA compliant cloud storage.


BAA does not mean HIPAA compliance

But here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace/Google Drive HIPAA compliant.

Seriously – Google CLEARLY says

“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”

“PHI is allowed only in a subset of Google services.”

“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected."

So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.

You need to make sure your account is secure.

What is Google Drive?

Google Drive is a secure, easy-to-use cloud storage solution. It’s very easy to create and share files and folders. This is great from a collaboration standpoint, but not great from a HIPAA standpoint. This is why it’s imperative that you set up Google Drive correctly to avoid sharing documents with the wrong recipients!

Google Drive is kind of like a cross between Dropbox (where you can back up your files to the cloud) and Microsoft Office (for creating and editing documents). It’s all in your web browser, and is really easy to learn and use.

You can upload any type of file to Drive and convert files to a Google document format: Docs (like Microsoft Word), Sheets (like Microsoft Excel) or Slides (like Microsoft PowerPoint).

How much cloud storage do you get? There are three levels of Google Workspace, and each has a different price per user and amount of Drive cloud storage:

  • Basic $6/user/month, 30 GB cloud storage per user
  • Business $12/user/month, 2 TB cloud storage per user
  • Business Plus $18/user/month, 5 TB cloud storage per user
  • Enterprise contact Google for pricing, unlimited cloud storage

12/31/2020: here's a link to their pricing page: https://workspace.google.com/pricing.html

Is using Google Docs HIPAA Compliant?

Google Docs are intuitive collaboration and documentation tools. They are web-based and very similar to Microsoft Word, Excel and PowerPoint. You can convert many types of files into Google Docs formats:

  • Docs (word processing similar to Microsoft Word)
  • Sheets (spreadsheets similar to Microsoft Excel)
  • Slides (presentations similar to Microsoft PowerPoint)

And the answer is YES! Google Docs (with a paid Google Workspace subscription, signed BAA and appropriately configured settings) can be HIPAA compliant. They clearly state this in Google’s HIPAA Implementation Guide (linked at the end of this article).


Is Google Drive and Docs safe for confidential information or medical records?

Google’s BAA covers Google Drive and Docs, so these services are appropriate for storing PHI. Google’s HIPAA Implementation Guide recommends the following:

  • Avoid putting PHI in titles of files, folders or team drives
  • Set appropriate file sharing permissions
  • Review file sharing reports, especially to see which files are shared with external users
  • Consider disabling third-party applications

Yes, Google Drive and Docs are safe for storing medical records or confidential information, but only if they’re configured correctly. Files in Google Drive and all file metadata (titles and comments) are encrypted. Learn more about Google’s Security focus here: https://support.google.com/googlecloud/answer/6056693?hl=en&visit_id=637275245913296513-3573186912&rd=1

Can I use Google Drive on my Smartphone or Tablet?

Yes! Google Drive and the rest of Google Workspace are very mobile friendly. You can use Google Drive in a HIPAA compliant manner if you use the Google Drive app on your smartphone or tablet AND you have Google Workspace configured properly.

Google Workspace subscriptions include a Mobile Device Management system which allows you to require screen locks or passwords, and to remove confidential data from devices as needed.

Google Drive vs. Dropbox

Google Workspace is perfect for smaller medical practices that need HIPAA compliant email, cloud storage, telehealth and more - but what if you already have a solution for email and telehealth and you just need cloud storage? You might want to look at other options, just to see other offerings.

We have an article that quickly reviews 11 HIPAA compliant cloud storage options: https://adeliarisk.com/hipaa-compliant-cloud-storage/

One of the most popular cloud storage solutions is Dropbox. Here’s a quick comparison between Google Drive (as a part of Google Workspace, not the free version) and Dropbox:

Feature                 Google Drive                                    Dropbox
Sign BAA?               Yes                                             Yes
Cost                    $6/user/month Basic;                            $17/month for 1 user;
                        $12/user/month Business;                        $12.50/user/month for 3 users
                        $18/user/month Business Plus
Storage                 30 GB - 5 TB/user depending on plan             3-5 TB depending on plan
Two-step verification   Yes                                             Yes
Encryption at rest      Yes                                             Yes
Encryption in transit   Yes                                             Yes
Remote wipe*            Yes                                             Yes

*in case a device is lost or stolen, it’s important to be able to remove files containing PHI

If you’re considering Google Drive, Dropbox or any other cloud storage solution, it’s important to review the actual features that you intend to use. We didn’t look at every feature of these solutions in our comparison, so be sure to check their websites for more information.

How to make Google Drive HIPAA compliant

Most practitioners who want to use Google Drive in their practice want to use the entire Google Workspace service. You need to set up your Google Workspace account properly. Google strives to make services easy to use, collaborate and share — which is great, but HIPAA requires you to limit sharing. You only want to share things with intended recipients!
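The sharing review that Google’s Implementation Guide recommends above (check which files are shared with external users, keep visibility private) and the "limit sharing" point of this section can be turned into a repeatable audit. The script below is an added example written for this article, not code from the article or from Google. It does not call the Drive API itself; it audits the permission records that Drive API v3 files.list returns when asked for the fields id, name and permissions (type, role, emailAddress, domain, allowFileDiscovery), using the real permission type values user, group, domain and anyone. The organization domain example-clinic.test, the sample file records and the title heuristics are constructed assumptions, and the title check is a rough heuristic, not a PHI detector. The same check covers items 4, 5 and 7 of the FAQ checklist further down the page.

```python
import re
from dataclasses import dataclass

# Assumption: the practice's Google Workspace domain (placeholder, not a real domain).
ORG_DOMAIN = "example-clinic.test"

# Title heuristics (an assumption of this example, not a PHI detector): flag
# SSN-shaped digit groups and common record labels that suggest PHI in a title.
PHI_TITLE_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b(?:DOB|MRN)\b", re.IGNORECASE),
)


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    severity: str  # "high" or "medium"
    reason: str


def audit_file(rec: dict, org_domain: str = ORG_DOMAIN) -> list[Finding]:
    """Return findings for one record shaped like a Drive API v3 files.list entry
    requested with fields=files(id,name,permissions(type,role,emailAddress,domain,
    allowFileDiscovery)). Permission type is user, group, domain or anyone."""
    fid, name = rec["id"], rec["name"]
    org_domain = org_domain.lower()
    findings: list[Finding] = []

    for perm in rec.get("permissions", []):
        ptype, role = perm.get("type"), perm.get("role", "?")
        if ptype == "anyone":
            # With allowFileDiscovery the file is public and searchable; without
            # it, anyone who obtains the link can open it. Both violate a
            # "share only with intended recipients" policy.
            how = "public on the web" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(Finding(fid, name, "high", f"{how} ({role})"))
        elif ptype in ("user", "group"):
            email = perm.get("emailAddress", "").lower()
            if email.rsplit("@", 1)[-1] != org_domain:
                findings.append(Finding(fid, name, "medium", f"external {ptype} {email} ({role})"))
        elif ptype == "domain":
            dom = perm.get("domain", "").lower()
            if dom != org_domain:
                findings.append(Finding(fid, name, "high", f"shared with foreign domain {dom} ({role})"))
            else:
                findings.append(Finding(fid, name, "medium", f"visible to the whole domain ({role})"))

    if any(p.search(name) for p in PHI_TITLE_PATTERNS):
        findings.append(Finding(fid, name, "medium", "title looks like it contains PHI"))
    return findings


def audit_listing(files: list[dict], org_domain: str = ORG_DOMAIN) -> list[Finding]:
    """Audit every record in a files.list response body's 'files' array."""
    return [f for rec in files for f in audit_file(rec, org_domain)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, for a quick pass/fail view of the listing."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample listing: no real files, people or domains.
SAMPLE_FILES = [
    {"id": "f1", "name": "Intake form template",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.test"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Staff schedule",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.test"},
         {"type": "user", "role": "writer", "emailAddress": "bob@example-clinic.test"}]},
    {"id": "f3", "name": "Labs DOB 1980-01-01",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.test"},
         {"type": "group", "role": "reader", "emailAddress": "results@partner-lab.test"}]},
    {"id": "f4", "name": "Billing policy",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.test"},
         {"type": "domain", "role": "reader", "domain": "example-clinic.test"}]},
]

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_FILES):
        print(f"[{f.severity}] {f.name} ({f.file_id}): {f.reason}")
    print(summarize(audit_listing(SAMPLE_FILES)))
```

Run against a real export, the "high" findings (anyone-with-link and foreign-domain shares) are the ones to fix first; the "medium" external-user findings need a human to confirm each recipient is an intended one, which is exactly the review the guide asks for.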


Talk to us!

Have questions or feedback? Please share them in the comments below.


FAQs

Is Google Drive HIPAA Compliant in 2020?

You can use Google Workspace in a HIPAA compliant manner, but it is not HIPAA compliant right out of the box. Free Gmail/Google Apps cannot be HIPAA compliant since Google will not provide a BAA for free Gmail accounts.

How do I make a Google Drive folder HIPAA compliant?

For Google Drive to be HIPAA compliant, the following must be implemented:
  1. Secure a Google BAA.
  2. Implement access controls.
  3. Enable 2-factor authentication.
  4. Turn off link sharing and file syncing.
  5. Sharing files outside the domain must be restricted.
  6. Use unique passwords.
  7. Set document visibility to private.
Sep 27, 2019

Does Google have HIPAA compliance?

Google ensures that the Google products covered under the BAA meet the requirements under HIPAA and align with our ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report.

Is Google Drive secure for medical records?

In order for Google Docs to be HIPAA compliant, stored data must be encrypted. Data must also be encrypted during uploading and downloading. We can confirm that Google uses 128-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and in its data centers.

Can PHI be stored in Google Drive?

Yes, you are able to store records and other PHI or PII on Google Drive on your personal account, as there are no rules preventing you from uploading such files to Google Drive. On a workplace account there may be restrictions set by the company to prevent uploading these types of files.

Why is Google Drive not HIPAA compliant?

Yes and no. It comes down to how you store and access files, having a signed BAA, and if your Google Drive has any security holes (that you may not even know about!). The good news is Google Drive can be HIPAA compliant if it's configured and used correctly—and this guide is going to walk you through how to do it.

Is Google Drive HIPAA and FERPA compliant?

Google Drive, which is part of G Suite, has all of the required components that a HIPAA-compliant service needs. The platform is protected by TLS (Transport Layer Security) encryption, which does protect patient PHI by putting secure walls around your server.

Which Google account is HIPAA compliant?

Gmail is HIPAA compliant, and can be used to receive, store, or send Protected Health Information (PHI) when Google's email service is used as part of an Enterprise Workspace Plan supported by a Business Associate Addendum to the Workspace Terms of Service.

Which version of Google Workspace is HIPAA compliant?

Yes and no. Some Google Workspace products are HIPAA compliant while others are not. While the full Google Workspace product line meets HIPAA security standards, Google's BAA only covers certain products. Also, only users with a paid subscription have access to Google's BAA.

How do I know if my Google account is HIPAA compliant?

If you're using a regular ol' @gmail.com email, then not so much. But switch to the paid version of Gmail (aka Google Workspace's Gmail) and you will have all the necessary features for HIPAA compliance. You can share patient details now with your colleagues over Gmail, but make sure you're using the right version first.

Is OneDrive HIPAA compliant?

OneDrive is HIPAA compliant and can be used to store, sync, and share files containing Protected Health Information provided organizations subscribe to a Microsoft 365 or Office 365 plan that supports HIPAA compliance and the file storage system is configured to comply with the Security Rule's safeguards.

Is Google Drive secure for legal documents?

These security features include encryption, single sign-on (SSO), user permissions, and more. Encryption is one of the most important features for lawyers. Fortunately, Google Drive utilizes 256-bit SSL/TLS encryption for files in transit and 128-bit AES keys for files at rest.

Is Gmail HIPAA compliant?

Gmail can be used as part of a HIPAA-compliant organization. However, only the paid version (Google Workspace Gmail, not @gmail.com email addresses) provides the features you need for HIPAA compliant email. You also probably will need to add some extra services to be able to send and receive email safely.

What should you not store in Google Drive?

Types of Files You Should NOT Store On Google Drive

Family IDs. Estate planning documents like wills or beneficiary designations. Life insurance documents. Account passwords.

Are all Google Drive files private?

Your files are private unless you choose to share them. You can share files with: One person or a few people using a link. Everyone by making the files public.

Is iCloud HIPAA compliant?

To be HIPAA compliant, cloud services not only need to offer a robust defense against unwarranted access but also to ensure they have the proper agreements and controls to handle healthcare information. iCloud, unfortunately, does not meet these criteria, making it non-compliant with HIPAA standards.

How do I create a safe folder in Google Drive?

Protect your files with Safe folder
  1. On your Android device, open the Files by Google app.
  2. Scroll to "Collections."
  3. Tap Safe folder.
  4. Tap either PIN or Pattern. If PIN is selected: enter your PIN and tap Next. In the "Confirm PIN" screen, re-enter your PIN and tap Next. In the "Remember your PIN" screen, tap Got it.

How do I make a Google folder confidential?

Find the file or folder in Google Drive, Google Docs, Google Sheets, or Google Slides. Open or select the file or folder. Click Copy link. Select Restricted.

How do I make a folder accessible in Google Drive?

If you allow access to anyone with the link, anyone can open the folder.
  1. On your Android device, open the Google Drive app.
  2. Next to the folder's name, tap More.
  3. Tap Manage access.
  4. Under "General access," tap Change.
  5. Choose who can access the file.

How do I make a Google Drive folder accessible to everyone?

If you allow access to anyone with the link, your folder won't restrict who can access it.
  1. On your computer, go to Google Drive.
  2. Click the folder you want to share.
  3. Click Share.
  4. Under "General access," click the Down arrow.
  5. Choose who can access the folder.
