Are Google Docs HIPAA Compliant?

Looking for an easy and convenient way to create documents and store information at your private practice? Google Docs is a user-friendly and efficient service, with a free tier that will appeal to many small practices.

But is Google Docs HIPAA compliant, and can it be used to store PHI?

Is Google Docs HIPAA Compliant?

The convenience of Google Docs, combined with its offline/online capabilities, makes it a top choice for many health care professionals. If you’re thinking of using Google Docs for your private practice, there are plenty of reasons to choose it.

Google Docs can be made HIPAA compliant with just a few simple steps.

Why Do Google Docs Need To Be HIPAA Compliant?

Under the HIPAA Privacy Rule, Protected Health Information, otherwise known as PHI, must be protected from disclosure. PHI is essentially any information relating to a patient’s past, present, or future healthcare, their condition, and any payments.

Of course, as a therapist, you understand the importance of keeping information private. However, you also need to have easy and comprehensive access to your clients’ information. In the past, paper filing systems made it easier to ensure that information could only be accessed by those who had a right to see it.

But like nearly all private practices, you probably keep most of your information online. And unless you’re part of a large operation, the information is probably stored on the cloud, using a service such as Google Docs and Google Drive, instead of a private server.

Any service you use to store this information needs to comply with HIPAA regulations. This ensures that the information can’t be accessed or stored by third parties. 

Signing A BAA For Google Docs

Google Docs can be made HIPAA compliant, but the service itself isn’t automatically HIPAA compliant. In order to use Google Docs safely, you will need to sign a BAA with Google.

A BAA, or Business Associate Agreement, is a legal agreement between a healthcare provider and a business entity, agreeing to the protection of PHI. Under HIPAA rules, Google is considered a business associate, instead of a conduit. Therefore, Google is required to sign a BAA.

The good news is, Google is willing to sign a BAA with medical facilities ensuring the safe use of their service. Google will also draw up the legal documentation, ensuring there is limited work for you! The BAA can be accessed through your Google account, and the entire process should be relatively smooth.

However, Google will only sign a BAA with those using the premium Google Workspace service (previously known as G Suite). Google Workspace is a paid service that offers better usage of the Google tools, including Google Docs. Google won’t sign a BAA if you only intend to use the free Google Docs service.

HIPAA Compliant Google Docs Settings

Once Google has signed the BAA, you will almost be ready to go. However, there are a few steps to take that will help ensure Google Docs is HIPAA compliant, and private information is protected.

First, turn on 2-factor authentication. This adds another step to the sign-in process, preventing third parties from gaining access to your account. Make sure your password is strong and unique, and that the 2-factor authentication uses a private phone number.

Next, disable link sharing and file syncing. This will prevent files from accidentally uploading where you don’t want them to be. Disable offline storage, so files won’t automatically be saved to the device. Ensure the document visibility is set to private. 

Frequently check all settings, to ensure they haven’t been changed. It’s also important to check the file logs, to ensure no one has shared or accessed information they shouldn’t have.

Is Google Docs Encrypted?

Google Docs does encrypt data during uploading, downloading, and storage. This ensures the data is protected from third parties, and HIPAA compliant. Google uses 128-bit AES protection to ensure data is covered as it moves between data centers and platforms.

All information on Google Docs, Sheets, and Slides is encrypted both in-transit, and when at-rest. So, when your documents are being stored, they’re encrypted. And when the documents are moving from data centers, they’re encrypted. 

Further Steps To Ensure Google Docs Is HIPAA Compliant

Google Docs can be a HIPAA compliant service, but only if the user follows the correct procedures. Even with the signed BAA and encryption services, Google Docs can still cause HIPAA violations if the user doesn’t take steps to protect information.

Documents containing PHI should never be left open and unattended. Similarly, these documents should never be viewed, edited, or written in the presence of a third party. 

Google Docs is known for its convenience, and the ability to access documents from different devices, including offline. However, when viewing a document on a different device, you must follow the same precautions.

Finally, never put PHI in the title of your document, or as the name of a folder. While this data is encrypted, it’s much easier for third parties to view.

Is Google Docs The Right Choice For Your Private Practice?

Google Docs is a convenient and easy service to use for your private practice. It can be made HIPAA compliant, but only if you subscribe to the paid version of Google Workspace. Google will sign a BAA with Google Workspace users, but not with free Google Docs users.

However, there are healthcare-focused EHRs that contain similar services to Google Docs. As these have been created for healthcare, and some with a specific service for therapy practices, they tend to offer greater specialization.

They can be more expensive, but the document creation process is closely developed to suit healthcare professionals.

Final Thoughts

At a basic level, Google Docs isn’t a HIPAA compliant service. However, Google Workspace, which includes Google Docs, can be made HIPAA compliant. You will need a signed BAA from Google, and to adjust the settings, to ensure the safety of PHI.

But remember, Google Docs can’t account for human error. If you’re using the service, be careful to ensure all confidential information remains protected.
