Is Google Keep HIPAA Compliant?

Google Keep is a web-based note-taking program that makes it possible to create notes and share them across several devices. The platform is popular, but is it HIPAA compliant? Can healthcare organizations use Google Keep in association with ePHI?

Google has created numerous products that can be used in healthcare. Google has been known to sign business associate agreements (BAAs) with healthcare companies, and the BAA applies to a number of the company’s best-known software programs and cloud solutions.

Google Keep permits the recording of notes and the attachment of files, such as photos, audio and video files. The notes and attachments can be accessed via several devices by using Google Drive. Google Drive is a component of G Suite (formerly called Google Apps) and it is covered by Google’s BAA.

Google Keep and HIPAA Compliance

If a healthcare company utilizes the paid version of G Suite after Google signs a BAA, Google Keep may be used with ePHI without breaking HIPAA Rules. Nevertheless, there are a couple of caveats. Even if the BAA covers Google Keep, that does not guarantee HIPAA compliance. Users are accountable for ensuring Google’s services are set up properly and that their use doesn’t break HIPAA Rules.

The covered entity must appropriately enforce access controls, set file-sharing permissions correctly, and never share the files outside the company. Users need training on HIPAA compliance and must ensure that files with ePHI are shared with authorized persons only.

Even though Google Drive files are encrypted, they are no longer encrypted once they are downloaded. Devices should therefore have appropriate access controls to keep downloaded content out of the reach of unauthorized persons, especially on mobile devices that can very easily be lost or stolen. To comply with HIPAA, a covered entity should also keep audit logs.

So, Google Keep may be regarded as HIPAA compliant just like Google Drive.