In order for Google Docs to be considered HIPAA compliant, stored data must be encrypted. Data must also be encrypted while it is being uploaded or downloaded. Google actually does use 128-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and in its data centers.
Is Google Classified as a Conduit?
The Department of Health and Human Services has stated, in recent guidance, that cloud service providers are not – in almost all cases – classified as conduits, so the HIPAA Conduit Exception Rule does not apply. Instead, cloud service providers are classified as business associates, even if the service provider does not access data stored in customer accounts.
Will Google Complete a BAA for Google Docs?
As a business associate, before the use of Google Docs for sharing or storing documents including PHI, a business associate agreement must be obtained from Google. Many cloud companies offer BAA’s to covered entities, but it is crucial to ensure that a particular product is listed as covered by the BAA prior to use.
Google is amenable to sign a BAA with G Suite enterprise customers. The terms of the BAA and Google Docs mention that, as part of Google Drive, it is covered by its BAA.
Google clearly outlines that healthcare organizations covered by HIPAA Rules must not use G Suite in connection with PHI until a business associate agreement has been signed. Once that BAA has been obtained, Google is not responsible for misuse. It is the responsibility of the covered entity or business associate implementing the service to ensure that HIPAA Rules are followed. That means setting up access controls, amendment, and accounting in accordance with HIPAA Rules. Google provides a useful guide for HIPAA covered entities to help them configure G Suite correctly.
Can Google Docs be Deemed HIPAA Compliant?
No software or cloud platform can be called HIPAA compliant as all are dependent on how a service is used. That said, you can use Google Docs without violating HIPAA Rules.
Before any documents containing PHI are placed on Google Docs, the covered entity or business associate must first obtain a signed business associate agreement from Google. Once that BAA has been signed and received, staff that are required to use Google Docs must be given training on its use and should be made aware of the restrictions in place in relation to PHI.
Documents containing PHI must only be saved to accounts that are not publicly accessible, and permissions must be configured to ensure only authorized individuals can access the documents/account. Any PHI included in files uploaded to Google Docs must be in the document itself, and not included in the file name.
Provided these precautions are followed, Google Docs is HIPAA compliant.