Google is one of the biggest companies in the world, receiving about 63,000 searches per second on any given day. But search is just one of Google’s numerous products, many of which are free for personal use. It’s hard to find people who don’t use Google software daily.
Google’s popularity makes it an appealing option for healthcare providers. They have the opportunity to use a familiar app, which gives users a low barrier to entry. The tricky part is that healthcare providers have to consider the privacy and security features of any technology that will access electronic protected health information (ePHI). Is Google Drive HIPAA compliant?
The answer is yes, Google Drive is HIPAA compliant, if it’s used correctly. What do we mean by that?
HIPAA-compliant software is only as good as your internal security practices
Imagine your team has just purchased new HIPAA-compliant form software, but after entering a new patient’s information, the administrator walks away from the computer without logging off. Although the software is technically compliant, bad practices have put your organization at risk for a HIPAA violation.
That example illustrates how a lack of training can put an organization at risk even when their technology is HIPAA compliant. Organizations that want to keep their data safe and avoid legal repercussions need to ensure both their technology and employee practices are HIPAA compliant. You can read more about how to ensure your organization is HIPAA compliant here.
What if your security practices are solid? What do you have to do to use Google Drive in a HIPAA-compliant manner?
Keeping PHI secure while using Google Drive
Apart from ensuring that your organization is practicing HIPAA-compliant procedures, follow a few steps to ensure you’re using Google Drive in a HIPAA-compliant way. Google provides documentation of HIPAA compliance and implementation, but we’ll break it down here too.
- Enter a business associate agreement (BAA). The first thing you must do to make Google Drive compliant is enter into a BAA with Google. A BAA is required when working with any technology or vendor that will have access to your PHI. Google mentions that this agreement doesn’t allow HIPAA-compliant usage of all of their services but does include services like Google Drive, Gmail, and Google Calendar.
- Turn off file sharing. With Google Drive, admins have control over how employees can share documents. They can restrict the ability to share files outside of the domain and set the default visibility to private. Admins can control file sharing at an organizational level, all the way down to the folder level. This helps admins ensure the wrong people can’t access files.
- Beware of third-party plug-ins. Third-party plug-ins can pose additional security risks, so Google recommends that admins consider disabling them. If you need a plug-in, you must enter into a BAA with that organization to remain HIPAA compliant.
- Regularly review how employees share information. Just because everyone buys into being secure doesn’t mean employees will be perfect. Google allows admins to run file exposure reports to learn how employees are sharing files. Admins can then see if people are unintentionally doing things that aren’t secure and provide the necessary training.
If you do your homework and prepare your organization to use Google Drive, it can be an excellent tool for managing PHI. But whatever tool you use, it’s only as safe as the people using it.
Using digital tools securely in an increasingly online world
With so many people using the web for research, communication, and shopping, technology will only become more prevalent. Instead of becoming entrenched in the current way of doing things, business leaders must embrace technology and prepare their organizations to do the same.
Leaders who do this will provide a better customer experience and lead their industry. By taking security seriously, you’ll show patients that you’re an ethical provider they can trust.