Hi-
I'm looking into HIPAA compliance for Google Drive's automated backup & syncing software. I see on https://workspace.google.com/terms/2015/1/hipaa_functionality.html that Google Drive is HIPAA compliant, but I don't see that the backup & syncing software is. Is this an oversight or is it actually HIPAA compliant?
If it isn't HIPAA compliant, does anybody have suggestions for a HIPAA compliant piece of software which backs up & syncs folders from a Windows computer to Google Drive?
Thanks in advance for your help!
--matt
If you follow the instructions provided in this Support Document and are able to use Backup and Sync, then it would be HIPAA compliant. The account which you sign in as must have 100% of the Additional Services AND the Additional Services without individual control disabled in order to comply with the BAA and have that account fall under Google's HIPAA compliance.
Note that the "third party software" statement which says third party software is not covered by HIPAA does not apply to Google Drive for Desktop - this is a first-party piece of software, developed by Google and not a third party.
Have you tested Google Forms for HIPAA compliance?
@matt-goto, I would disagree a bit with Stephen's assessment. HIPAA compliance starts with YOUR policies and procedures. Then, with Workspace, you combine it with Google's BAA and implement YOUR policies and procedures on top of Google Workspace.
This is a good article I found that helps give you an idea of some of the settings you need to change: https://compliancy-group.com/is-google-drive-hipaa-compliant/
And, for example, disabling offline use is one they mention. Is it because of the tooling? The encryption? They don't go into the detail, but YOU are going to have to decide how your PHI is protected to meet the security and privacy requirements of HIPAA. All Google does is provide a BAA to qualify to come under the umbrella that you design. https://support.google.com/a/answer/3407054?hl=en and https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html might be helpful. You'll want to look at the combined text as well, including the security, privacy & enforcement rules as well as the omnibus resolution at https://www.hhs.gov/hipaa/for-professionals/index.html.
So for me, it starts with Policies. Do your policies say you can use Drive for Desktop? If they do, how are you protecting the security and privacy of PHI? Are you using MFA? Are laptops using Full Disk Encryption? Do you have remote wipe capabilities if they are lost or stolen? Are you implementing Backups? Do your workstations auto-lock after X minutes? What about home users, because all of this has to extend to them as well?
This is not a complete list but I wanted to get you thinking about HIPAA in a way that NO ONE can tell you that XYZ *is* HIPAA compliant. They might be able to tell you that it COULD be compliant.
-KAM