Posted By HIPAA Journal on Jan 23, 2018
Is Google Docs HIPAA compliant? Is it permitted to upload documents containing protected health information to Google Docs, or would that violate HIPAA Rules? In this post we assess Google Docs and determine whether Google is HIPAA compliant and whether HIPAA-covered entities and business associates can use the service safely and securely for sharing PHI.
In order for Google Docs to be HIPAA compliant, stored data must be encrypted. Data must also be encrypted during uploading and downloading. We can confirm that Google uses 128-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and within its data centers.
The Department of Health and Human Services has made it clear in recent guidance that cloud service providers are not – in the vast majority of cases – considered conduits, so the HIPAA Conduit Exception Rule does not apply. Instead, cloud service providers are classed as business associates, even if the service provider does not access data stored in customer accounts.
Since Google is a business associate, a business associate agreement must be obtained from Google before Google Docs is used for sharing or storing documents containing PHI. Many cloud companies offer BAAs to covered entities, but it is important to check that a particular product is listed as covered by the BAA prior to use.
Google is willing to sign a BAA with G Suite enterprise customers. We have checked the terms of the BAA and Google Docs is specifically mentioned as part of Google Drive, and is covered by its BAA.
Google clearly states that healthcare organizations covered by HIPAA Rules must not use G Suite in connection with PHI until a business associate agreement has been obtained. Once that BAA has been obtained, Google is not liable for misuse of its service. It is the responsibility of the covered entity or business associate using the service to ensure that HIPAA Rules are followed. That means configuring access controls, amendment, and accounting in accordance with HIPAA Rules. Google offers a useful guide for HIPAA covered entities to help them configure G Suite correctly.
Our opinion is that no software or cloud platform can be called HIPAA compliant in itself. HIPAA compliance depends on how a service is used. That said, it is possible to use Google Docs without violating HIPAA Rules.
Before any documents containing PHI are uploaded to Google Docs, the covered entity or business associate must first obtain a signed business associate agreement from Google. Once that BAA has been obtained, staff that are required to use Google Docs must receive training on its use and should be made aware of the restrictions in place with respect to PHI.
Documents containing PHI must only be uploaded to accounts that are not publicly accessible, and permissions must be set to ensure only authorized individuals can access the documents and the account. Any PHI included in files uploaded to Google Docs must appear only in the document itself, never in the file name.
Provided these precautions are taken, Google Docs is HIPAA compliant.