As more businesses embrace digital transformation, more are adopting cloud technologies because of the cloud’s cost-effectiveness and ease of use. One of the most popular cloud technologies available today is Google Drive.
Google Drive is a cloud storage and file-sharing tool within Google Workspace. Formerly known as G Suite, Google Workspace is a cloud platform that businesses can use for administrative tasks, communication, and collaboration. Common Google apps include Gmail, Google Calendar, Google Docs, Sheets, Hangouts, and more.
For many businesses, however, compliance is just as important as cost and efficiency and must be considered in conjunction with any cloud services they might adopt.
The Health Insurance Portability and Accountability Act (HIPAA) is a compliance standard that affects every business in the healthcare industry, its covered entities, and any other organization that handles protected health information (PHI).
HIPAA compliance specifies how businesses may handle, store, and share healthcare records and other medical data. Therefore, any business that must be HIPAA compliant must also understand whether using Google Drive will affect its compliance standing before the business begins using it.
Is Google Drive HIPAA compliant?
Out of the box, Google Drive is not HIPAA compliant—but compliance can be obtained when the following conditions are met:
- You have a paid Google services account.
- You’ve signed a Business Associate Agreement (BAA) with Google.
- You’ve configured your Google Drive settings to support HIPAA compliance requirements.
Because Google Drive is one of many services included in a Google Workspace account, you must address compliance for the entire platform before attending to Drive and its file types (Docs, Sheets, Slides, and Forms).
How can I make Google Workspace HIPAA compliant?
As stated previously, only paid versions of Google Workspace can achieve HIPAA compliance. So you must first purchase a paid account.
Next, you must sign a BAA with your Google Cloud sales rep. Once you’ve done that, you can then begin to configure your Google Workspace for compliance requirements by turning off any applications that can’t be made compliant.
Which Google add-ons aren’t compliant services?
Tools that cannot achieve HIPAA compliance include:
- Google Contacts
- Google Photos
Google has provided a guide that explains how these additional services can be turned off to be HIPAA-compliant.
Once you’ve configured Google Workspace as a whole for compliance, you can then configure Google Drive to protect sensitive data.
Is Google Drive HIPAA-compliant cloud storage?
Not initially, no.
As with Google Workspace, however, you can take steps to store PHI safely within Drive.
Additionally, it is important that your team understand that no PHI can be used to title files, folders, or Team Drives. Furthermore, if files stored within Google Drive are shared through third-party apps outside of compliant G Suite apps, this constitutes a HIPAA violation.
What are the HIPAA requirements for Google Drive?
Your administrator is responsible for ensuring that your Google Drive configuration is sufficient to protect PHI. The proper configuration depends on carefully setting user permissions and visibility settings.
The following list will act as a HIPAA implementation guide as you program your Google Drive settings.
- Implement a cloud identity management program (password requirements, two-factor authentication, and so forth).
- Set the appropriate user permissions for viewing, downloading, copying, or printing files within Google Drive from the admin console.
- Prohibit functionality that allows employees to share PHI outside of compliant Google Workspace apps.
- Prohibit users’ ability to share files with people outside of the organization.
- Change the default visibility for all Google Drive files to “private” to enhance data protection.
- Limit content sharing even within Google Drive and Team Drives to retain greater access control.
- Do not allow external partners access to your Google Drive.
- Use file exposure reporting to understand how team members are using files and as an audit against suspicious activity.
- Disable users’ ability to install third-party apps independently.
- If your organization requires employees to access PHI only through on-premises, secured servers, then prohibit their ability to use Google apps via mobile devices or while offline.
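The sharing rules in this checklist (no public or link sharing, no sharing outside the organization, limited sharing even inside the domain, and no PHI in file titles) can be verified against what Drive actually reports. The script below is an added example, not code from the article or from ZenGRC: it audits file records shaped like the Drive API v3 `files` resource (`id`, `name`, and a `permissions` list carrying `type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`) and produces a finding per violation. The organization domain, the sample records, and the PHI title patterns are constructed for the example; in practice the records would come from `files.list` with `fields=files(id,name,permissions)` and the title patterns would be extended with the organization's own record-number formats.

```python
"""Audit Google Drive sharing state against a HIPAA-style sharing policy.

Added example (not the article's or ZenGRC's code). Input records mimic the
Drive API v3 `files` resource; ORG_DOMAIN, SAMPLE_FILES and the PHI title
patterns are constructed assumptions.
"""
import re
from dataclasses import dataclass

ORG_DOMAIN = "example-clinic.test"  # assumption: the organization's Workspace domain

# Heuristic title patterns that look like PHI identifiers (constructed).
PHI_TITLE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN-like number
    re.compile(r"\bMRN[-\s:]?\d{5,}\b", re.IGNORECASE),   # medical record number
]


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    rule: str     # public-or-link | external-share | domain-wide-share | phi-in-title
    detail: str


def is_external(perm: dict, org_domain: str) -> bool:
    """True when a permission grants access to anyone outside org_domain."""
    kind = perm.get("type")
    if kind == "anyone":
        return True
    if kind == "domain":
        return perm.get("domain", "").lower() != org_domain.lower()
    if kind in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return not email.endswith("@" + org_domain.lower())
    return True  # unknown permission type: fail closed


def audit_file(record: dict, org_domain: str = ORG_DOMAIN) -> list:
    """Return the policy findings for one Drive file record."""
    findings = []
    fid, name = record["id"], record["name"]
    for perm in record.get("permissions", []):
        kind, role = perm.get("type"), perm.get("role")
        if role == "owner":
            continue  # the owner's own entry is not a share
        if kind == "anyone":
            # allowFileDiscovery=True means the file is findable by search, i.e. public.
            scope = "public on the web" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(Finding(fid, name, "public-or-link", f"{role}: {scope}"))
        elif kind == "domain":
            if is_external(perm, org_domain):
                findings.append(Finding(fid, name, "external-share", f"{role}: domain {perm.get('domain')}"))
            else:
                findings.append(Finding(fid, name, "domain-wide-share", f"{role}: everyone in {org_domain}"))
        elif is_external(perm, org_domain):
            findings.append(Finding(fid, name, "external-share", f"{role}: {perm.get('emailAddress')}"))
    if any(p.search(name) for p in PHI_TITLE_PATTERNS):
        findings.append(Finding(fid, name, "phi-in-title", "title matches a PHI identifier pattern"))
    return findings


def audit_files(records, org_domain: str = ORG_DOMAIN) -> list:
    """Audit a whole listing; findings keep file order, then permission order."""
    return [f for record in records for f in audit_file(record, org_domain)]


def summarize(findings) -> dict:
    """Count findings per rule, e.g. for a compliance dashboard."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample records (not real Drive data); one per policy outcome.
OWNER = {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"}
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 staffing schedule",
     "permissions": [OWNER, {"type": "user", "role": "reader", "emailAddress": "nurse@example-clinic.test"}]},
    {"id": "f2", "name": "intake form",
     "permissions": [OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "Smith John MRN 0048213 labs",
     "permissions": [OWNER, {"type": "user", "role": "writer", "emailAddress": "billing@outside-vendor.test"}]},
    {"id": "f4", "name": "referral template",
     "permissions": [OWNER, {"type": "domain", "role": "reader", "domain": "example-clinic.test"}]},
]

if __name__ == "__main__":
    results = audit_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.file_id} {f.rule:18} {f.name!r}: {f.detail}")
    print(summarize(results))
```

Running the audit against the constructed records yields one finding per rule: the link-shared intake form, the externally shared and PHI-titled lab file, and the domain-wide referral template; the internally shared schedule produces nothing. The `domain-wide-share` rule is reported separately because the checklist asks you to limit sharing even within the domain, which is a judgement call rather than an automatic violation.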
What tools can help to monitor and enforce compliance in Google Drive?
ZenGRC’s ZenConnect connector for Google Drive can gather your Google Drive audit-trail evidence automatically and let you know when something is missing or incomplete.
ZenGRC, one of the world’s most trusted tools in compliance, gives you a central, automated platform that integrates with your business applications and processes.
ZenConnect then takes evidence collection to the next level by collecting an audit trail of documentation from all the business applications you use, as evidence to satisfy auditors and regulators—so you don’t have to.
With a Google Drive protected by ZenGRC, you can streamline your workflows, automatically gather and distribute data, and continuously monitor your apps to identify, assess, and mitigate risks in real time.
Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you enforce compliance within Google Workspace by booking a demo today.