Health Insurance Portability and Accountability Act (HIPAA) compliance has been a major concern in healthcare since the law was first created. After all, an organization’s HIPAA compliance will determine its public reputation and the level of trust it receives from patients. In the event of noncompliance, the organization is at risk of receiving hefty fines and reputational damage.
Most modern healthcare organizations use digital platforms like Google Drive to manage patient protected health information (PHI). But that means you need to be aware of the extent to which that platform meets HIPAA standards for data protection and privacy.
HIPAA is US legislation that provides data privacy and security provisions for safeguarding medical information. To be compliant with this act essentially means that your care organization respects the confidentiality required in healthcare. For online platforms, this typically means some form of data encryption, in addition to standard security measures like secure accounts or two-factor authentication.
The challenging thing is, there are a lot of terms and conditions. Even robust servers with standard security services don’t always measure up to the high standards set forth by HIPAA regulations.
Every healthcare organization needs to consider whether its PHI is being stored, shared and created in compliance with HIPAA. For those who host their databases on Google Drive, it’s essential to understand the nuances here.
In summary, Google Drive is HIPAA-compliant when protected with encryption.
It may seem like a straightforward question, but the answer isn’t as simple: there are nuanced requirements to be truly HIPAA-compliant, and Google Drive only meets some of those needs. Here’s a more detailed explanation of how we answer this question:
Google Drive, which is part of G Suite, has all of the required components that a HIPAA-compliant service needs. The platform is protected by TLS (Transport Layer Security) encryption, which protects patient PHI while it travels between your users and Google's servers. Therefore, in theory, Google Drive is HIPAA-compliant.
However, HIPAA compliance depends on how technology services are used, not on the services alone.
In other words, compliance lies in the hands of the user. If a doctor, nurse, secretary or care provider perfectly handles the sharing of and collaboration on PHI in G Suite, then they will be HIPAA-compliant. However, if users fail to collaborate, create or share correctly, data won’t be fully protected; it then falls into the category of noncompliance.
That mishandling of patient data is all too easy: it just takes one careless or accidental transmission of sensitive data, such as sharing a patient’s Drive folder outside of the organization, and PHI is no longer secure.
Google Drive is HIPAA-compliant to a point. But it leaves you at risk of noncompliance because there are significant ways Drive security measures fall short.
With only G Suite’s default security, the user is ultimately responsible, and it’s far too easy for user error to expose data.
Realistically, even care providers with the best of intentions probably don’t always share PHI in Google Drive with compliance best-practices in mind. Their main focus is to provide the best possible care to their patients. However, when security is not the user’s main priority, it’s easy to lapse into noncompliance.
Because improper sharing of PHI represents a significant risk for HIPAA violations, it’s important to address where your internal processes fall short. Data security concerns should never trump patient care, but they need to be a priority. The best solution is to put up some guardrails for your care providers that make it easy for them to maintain Google Drive HIPAA compliance.
For organizations that want the agility of a system like Google Drive but don’t have the personnel or the funding to set up expensive systems like a full-fledged EHR (Electronic Health Record), there are solutions and best practices that can help:
To learn more about HIPAA compliance and Virtru’s effective solution, check out our free guide! We’ll walk you through how to ensure your email is HIPAA-compliant so that no matter how you interact with patient data, it’s always protected.