As more businesses embrace digital transformation, more are adopting cloud technologies because of the cloud’s cost-effectiveness and ease of use. One of the most popular cloud technologies available today is Google Drive.
Google Drive is a cloud storage and file-sharing tool within Google Workspace. Formerly known as G Suite, Google Workspace is a cloud platform businesses can use for administrative tasks, communication, and collaboration. Common Google apps include Gmail, Google Calendar, Google Docs, Sheets, Hangouts, and more.
For many businesses, however, compliance is as substantial as cost and efficiency and must be considered with any cloud services they adopt.
The Health Insurance Portability and Accountability Act (HIPAA) is a compliance standard that affects every business in the healthcare industry, its covered entities, and any other organization that handles Protected Health Information (PHI).
HIPAA compliance specifies how businesses handle, store, and share healthcare records and other medical data. Therefore, any business that must be HIPAA compliant must also understand whether using Google Drive will affect its compliance standing before the business begins using it.
Is Google Drive HIPAA compliant?
Out of the box, Google Drive is not HIPAA compliant—but you can set it up to achieve the HIPAA storage requirement with the following conditions:
- A paid Google services account.
- A signed Business Associate Agreement (BAA) with Google.
- A configured Google Drive to support HIPAA compliance requirements.
Because Google Drive is one of many services included in a Google Workspace account, you must address compliance for the entire platform before attending to Drive and its file types (Docs, Sheets, Slides, and Forms).
How can I make Google Workspace HIPAA compliant?
As stated, only paid versions of Google Workspace can achieve HIPAA compliance. So, you must first purchase a paid account.
Next, you must sign a BAA with your Google Cloud sales rep. Once you’ve done that, you can configure your Google Workspace for compliance requirements by turning off any applications that can’t be made compliant.
Which Google add-ons are compliant services?
Through the BAA, Google states which of its included services are HIPAA-compliant. Therefore, any service not included in this list should be considered non-compliant:
- Gmail
- Calendar
- Drive (including Docs, Sheets, Slides, and Forms)
- Apps Script
- Keep
- Sites
- Jamboard
- Google Chat
- Google Meet
- Google Voice (managed users only)
- Google Cloud Search
- Cloud Identity Management
- Google Groups
- Google Tasks
- Vault (if applicable)
- AppSheet
Google has provided a guide explaining how to turn off any additional services to achieve HIPAA compliance.
Once you’ve configured Google Workspace for compliance, healthcare organizations can begin to configure Google Drive to protect sensitive data.
Is Google Drive a HIPAA-compliant Cloud Storage Service?
Not initially, no.
As with Google Workspace, however, you can take steps to store PHI safely within Drive.
Additionally, your team must understand that no PHI can be used to name title files, folders, or Team Drives. Furthermore, if files stored within Google Drive are shared through third-party apps outside of compliant G Suite apps, this would indicate a HIPAA violation.
What are the HIPAA requirements for Google Drive?
Your administrator is responsible for ensuring that your Google Drive configuration is sufficient to protect PHI. The proper configuration depends on carefully setting user permissions and visibility settings.
The following list will act as a HIPAA implementation guide as you program your Google Drive settings.
- Implement a cloud identity management program (password requirements, two-factor authentication, and so forth).
- Synch the appropriate user permissions from the admin console for viewing, downloading, copying, or printing files within Google Drive.
- Prohibit functionality that allows employees to share PHI outside of complaint Google Workspace apps.
- Prohibit users’ ability to share files with people outside of the organization. You can learn how to change this setting here.
- Change the default visibility for all Google Drive files to “private” to enhance data protection.
- Limit content sharing even within Google Drive and Team Drives to retain greater access control.
- Do not allow external partners access to your Google Drive.
- Use file exposure reporting to understand how team members use files and as an audit against suspicious activity.
- Disable users’ ability to install third-party apps independently.
- If your organization requires employees to access PHI only through on-premise, secured servers, then prohibit their ability to use Google apps via mobile devices or while offline.
Google’s Business Associate Agreement (BAA): What is it and How Can it Help?
A Business Partner Agreement (BAA) is a legally mandated written agreement between a covered entity and a business partner. If your company uses Google services to store, handle, or process Protected Health Information (PHI), you must have a Business Associate Agreement (BAA) with Google.
A Google Apps for Business, Education, or Government account is required for users to obtain a HIPAA BAA. This is a paid service that companies may utilize by contracting with Google.
This group excludes the free version, which is usual for personal email accounts. Google will only sign a BAA with premium customers if a systems administrator requests it. You can find the information regarding the Google BAA here.
How ZenGRC Can Help Monitor and Enforce HIPAA Compliance on Google Drive
ZenGRC can automatically gather your Google Drive audit trail evidence and let you know when something is missing or incomplete.
ZenGRC, one of the world’s most trusted compliance tools, provides a central, automated platform that integrates with your business applications and processes.
It then takes evidence collection to the next level by conducting an audit trail of documentation from all the business applications you use for evidence to satisfy auditors and regulators—so you don’t have to.
With a Google Drive protected by ZenGRC, you can streamline your workflows, automatically gather and distribute data, and continuously monitor your apps to identify, assess, and mitigate real-time risks.
Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you enforce compliance within Google Workspace by booking a demo today.
Thank you for subscribing to the Risk Insiders newsletter!
Why sign up for the Risk Insiders newsletter?
To stay in the know! Get new blogs, resources, CPE opportunities, industry research & more — direct to your inbox.