Google Drive HIPAA compliance 101

If you work in the healthcare industry, or handle protected health information (PHI), and want to use Google Drive, HIPAA compliance is no doubt top of mind. Critically, however, for Google Drive HIPAA compliance to hold across devices, admins need to disable certain elements of the service, such as file synchronization. Let’s unpack what you need to know to use Google Drive in compliance with HIPAA.

Is Google Drive HIPAA compliant?

Yes and no. Simply signing up for and using Google Drive does not make your approach to cloud storage HIPAA-compliant. There are three things to keep in mind: Business Associate Agreements, audit trails, and file synchronization.

Google Drive HIPAA compliance caveat 1: BAAs. According to Google’s own HIPAA compliance guidelines, businesses that want to store PHI on Google Drive in a HIPAA-compliant way need to sign a Business Associate Agreement (BAA) with Google. The good news is that Google offers BAAs to paid users of its Google Apps platform. Specifically, the BAA covers Gmail, Google Calendar, Google Drive, and Google Apps Vault. The big caveat, though, is that it is incumbent on the healthcare organization itself to configure those services to be HIPAA-compliant. The BAA also requires that you disable all additional services in the Admin console. The BAA does not cover use of Google’s free services; Google Apps for Business starts at $5/month per user or $50/year per user. Signing a BAA neither implies nor ensures that your entire organization is HIPAA-compliant: the BAA is just one component.

Google Drive HIPAA compliance caveat 2: Audit trails. The Google Apps Admin console offers reports that give admins important control over a team’s data. Admins can set file-sharing permissions so that people only have access to sensitive protected health information on a need-to-know basis, and they can also prevent employees from sharing information outside their domain. Admins can get alerts for suspicious login attempts, activity by new or suspended users, password changes, and user privilege updates. These are all important controls for keeping a tight leash on sensitive information.

However, a critical element of complying with HIPAA is maintaining a complete audit trail over PHI. Because Google Drive only provides server-side encryption, its audit logs lack information about activity that happens on the device, which can pose a significant problem if you need to do mobile work.

Google Drive HIPAA compliance caveat 3: Device sync. That gap in on-device audit logging brings us to the next issue, file synchronization: while staying up to date on data across devices is one of the primary reasons many people use Google Drive, sync can actually interfere with HIPAA compliance.

And that’s a big problem, because the convenience of file sync is often what draws businesses to the cloud in the first place. Who wouldn’t benefit from the ability to access their data from anywhere, on any device? But healthcare providers and their business associates must proceed cautiously if they want to take advantage of this feature when handling PHI. Namely, they need to apply a layer of file-level encryption to this sensitive data in order to sync safely and support Google Drive HIPAA compliance.

File synchronization duplicates thousands of unencrypted files to many mobile devices. In other words, even if files are secured in the cloud, once they reach devices they’re unprotected. SaaS solutions like Dropbox, Box, and Google Drive provide server-side encryption (in addition to protecting files in transit). Practically speaking, that means files are well protected while they sit on the cloud company’s servers. But because the files themselves aren’t wrapped in that protective layer of encryption, they shed that protection once they’re synced to a device. That’s why most users with HIPAA compliance needs go so far as to disable or restrict sync when dealing with PHI.

But that’s where an end-to-end encryption provider like Sookasa can help close the gap: Because Sookasa encrypts data at the file level, it protects information no matter where it’s stored, from Google Drive’s servers to whatever devices you’re syncing with.

Google Drive can be used in a HIPAA-compliant way if you take these steps. What’s more, its security measures are robust: Google has received ISO 27001 certification and has undergone SOC 2 and SOC 3 Type II audits.

From a security standpoint, putting your data in the cloud is safer than storing sensitive data locally, because it lets you leverage the resources of Google’s highly secure architecture. It’s just essential that you take a few additional precautions.