Confidentiality, Privacy and Security

PHI in google drive

  • 1.  PHI in google drive

    Posted 19 days ago
    I want to see if there are any other clinics that use Google Drive to hold their patients' files and billing documents, and also use Gmail as a way to email account information back and forth. I went from working in a hospital where security measures were used to a clinic where it's more lax on things like PHI in the email heading before sending the email to a co-worker, and there is a debate on whether there should be individual access to insurance verification online or just one access per clinic. I strongly believe that all access needs to be individual based, and I am not sure about the security of Google Drive. Any information is helpful.

    ------------------------------
    Monica Martin, CCA
    Medical Billing Coordinator
    ------------------------------


  • 2.  RE: PHI in google drive

    Posted 19 days ago
    I do know clinics that use Google Drive extensively and they are pleased with the results.  Keep in mind that Google will not sign a Business Associate Agreement for any of its free services.  However, its services are pretty well priced and are certainly a viable option for those looking at a cloud based option of services similar to what Google provides.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 3.  RE: PHI in google drive

    Posted 19 days ago
    Part of the HIPAA rule is to ensure that all who view, edit, delete, or modify PHI are held accountable. If everyone is sharing an account there is no way to hold anyone accountable. As far as Google Drive is concerned, if the company storing your PHI (Google) won't enter into a BAA with you then it is a bad idea and you are liable for any data leakage.

    Thanks
    Kris.

    Kris Lundell MBA,  CIPP/US, CiPT, CHP, CHPS, HCISPP
    Privacy and Security Consultants LLC


  • 4.  RE: PHI in google drive

    Posted 19 days ago
    Thanks Kris!

    I'll go one step further...building on Kris' comment. If you are sending PHI to a cloud provider such as an online storage drive like Google Drive or OneDrive, that entity then becomes a Business Associate; whether or not they sign a Business Associate Agreement makes no difference with respect to the entity becoming a Business Associate.

    Now...if a Covered Entity sends PHI to an online storage provider and does not get a Business Associate Agreement (BAA) first...then that disclosure to the online storage provider is an impermissible disclosure (and a presumed breach) and there are several examples of enforcement actions where actions were taken by OCR on entities that did not have a Business Associate Agreement in place.

    So good to make sure to get those BAAs in place.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 5.  RE: PHI in google drive

    Posted 19 days ago
    Google just recently released guidance on HIPAA compliance (last month) regarding its various apps (G-Suite, Google Drive, Docs, Sheets, etc.); see below.  They have also just recently published the G Suite and Cloud Identity HIPAA Implementation Guide to help Google customers and clients learn how to organize and store data on Google's services when PHI is involved. That guide is attached to this post, and there is a link also in the text above and at the bottom of this email post.  Hope this helps!

    HIPAA Compliance with G Suite and Cloud Identity
    From https://support.google.com/a/answer/3407054

    Ensuring that our customers' data is safe, secure and always available to them is one of our top priorities. To demonstrate our compliance with security standards in the industry, Google has sought and received security certifications such as ISO 27001 certification and SOC 2 and SOC 3 Type II audits. For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), G Suite and Cloud Identity can also support HIPAA compliance.

    Under HIPAA, certain information about a person's health or health care services is classified as Protected Health Information (PHI). G Suite and Cloud Identity customers who are subject to HIPAA and wish to use G Suite or Cloud Identity with PHI must sign a Business Associate Agreement (BAA) with Google.

    G Suite and Cloud Identity customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not signed a BAA with Google must not use Google services in connection with PHI.

    Administrators must review and accept a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Google Chat, Google Meet, Google Keep, Google Cloud Search, Google Sites, Google Groups, Google Tasks, Google Voice (managed users only), Jamboard, Google Vault services, and Google Cloud Identity Management.

    We have published our G Suite and Cloud Identity HIPAA Implementation Guide to help customers understand how to organize data on Google services when handling PHI. This guide is intended for employees in organizations who are responsible for HIPAA implementation and compliance with G Suite and Cloud Identity.



    ------------------------------
    A. Andrews Dean, CPHIMS, CHDA, CPHI, CPPM, CPC
    AHIMA-Approved Data Analytics Trainer
    Health IT Regulatory Affairs & Healthcare Compliance Consultant
    ------------------------------



  • 6.  RE: PHI in google drive

    Posted 19 days ago
    A. Andrews....many thanks for adding to the thread!

    Sounds like on some level Google is doing its part to make everyone aware of what needs to happen by all of those involved to meet HIPAA requirements. I like how Google controls access to documents through links to Google Drive. It adds a nice additional safeguard feature.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 7.  RE: PHI in google drive

    Posted 18 days ago
    Edited by Dana DeMasters 18 days ago
    Nice post, Ashley.  Monica, I will add to the discussion and your question about individual access to insurance verification by referring you to the Security Rule, 164.312(a)(2)(i), which requires covered entities to "assign a unique name and/or number for identifying and tracking user identity".  Below is a link to the OCR website and FAQ.

    https://www.hhs.gov/hipaa/for-professionals/faq/2018/does-the-security-rule-permit-a-covered-entity-to-assign-the-same-log-on-id-to-multiple-employees/index.html

    Concerning the use of gmail, all email communications are per our facility's email address and encrypted when PHI and confidential information is included.  Accounts such as gmail are free accounts and not secure, and we do not allow communications of PHI/confidential per these types of accounts.

    ------------------------------
    Dana DeMasters, MN, RN, CHPS
    Privacy/Security Officer
    ------------------------------
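    As an added illustration of the accountability point made in posts 3 and 7 (example code written for this page, not from the thread, Google, or OCR): a small attribution check run over constructed, Drive-style audit events. It assumes a known list of generic shared logins, and treats one login appearing from several source IPs within a short window as a credential that cannot be tied to a single person.

```python
"""Attribution check over constructed, Drive-style audit events (not real logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a shared front-desk login is used by three people,
# while one named user works from a single workstation.
EVENTS = [
    {"time": "2024-03-04T09:01:00", "actor": "frontdesk@clinic.example", "ip": "10.0.0.11", "action": "view", "file": "pt1234_billing.pdf"},
    {"time": "2024-03-04T09:02:00", "actor": "frontdesk@clinic.example", "ip": "10.0.0.23", "action": "edit", "file": "pt1234_billing.pdf"},
    {"time": "2024-03-04T09:03:00", "actor": "frontdesk@clinic.example", "ip": "10.0.0.42", "action": "download", "file": "insurance_verification.xlsx"},
    {"time": "2024-03-04T09:10:00", "actor": "m.martin@clinic.example", "ip": "10.0.0.11", "action": "view", "file": "pt1234_billing.pdf"},
    {"time": "2024-03-04T11:30:00", "actor": "m.martin@clinic.example", "ip": "10.0.0.11", "action": "edit", "file": "pt5678_billing.pdf"},
]

SHARED_LOGINS = {"frontdesk@clinic.example"}  # assumption: known generic, non-individual accounts
WINDOW = timedelta(minutes=15)


def concurrent_sources(events, window=WINDOW):
    """Actors seen from more than one source IP within `window`, as {actor: set(ips)}."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append((datetime.fromisoformat(e["time"]), e["ip"]))
    flagged = {}
    for actor, seen in by_actor.items():
        seen.sort()  # chronological, so each slice below is a forward-looking window
        for i, (t0, _) in enumerate(seen):
            ips = {ip for t, ip in seen[i:] if t - t0 <= window}
            if len(ips) > 1:  # one unique ID in use from several places at once
                flagged[actor] = ips
                break
    return flagged


def unattributable(events, shared=SHARED_LOGINS):
    """Events performed under a shared login: no individual can be held accountable."""
    return [e for e in events if e["actor"] in shared]


def attribution_report(events):
    """Summarise which PHI actions can and cannot be tied to one named user."""
    bad = unattributable(events)
    return {
        "attributable": len(events) - len(bad),
        "unattributable": len(bad),
        "shared_logins_in_use": sorted({e["actor"] for e in bad}),
        "multi_source_actors": concurrent_sources(events),
    }
```

    On the sample data every action under the shared login is unattributable, and the same login is also flagged for three source IPs inside one 15-minute window; the named user's actions are fully attributable.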



  • 8.  RE: PHI in google drive

    Posted 18 days ago
    Indeed...and this is how Google's unique use of links to documents adds an additional safeguard when used correctly.  If you put this on top of encrypting the files saved in Google Drive by password protecting the documents...you are now talking some pretty high level, extremely hard to crack protection.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------