Google Slides can be used in a HIPAA-compliant manner to create, store, and share presentations containing Protected Health Information when three conditions are met: it is used under a Google Workspace plan covered by a Business Associate Addendum, the environment is configured to restrict document sharing, and workforce members are trained to prevent Protected Health Information from being used or disclosed through noncompliant Google Workspace features, including Google Forms.
Google Slides is a presentation editor used to create slide decks for training, internal projects, and communications. Google offers Google Slides free for personal use, but personal users cannot use the service in compliance with HIPAA. HIPAA compliance depends on the account type and on administrative and workforce controls that support the HIPAA Security Rule for any electronic Protected Health Information handled within Google Workspace.
If presentations do not contain Protected Health Information, a HIPAA Covered Entity or Business Associate can use Google Slides without treating the service as a system that creates, receives, maintains, or transmits Protected Health Information. If Protected Health Information will be included in a presentation, the organization needs an Enterprise Google Workspace account and needs to accept Google’s Business Associate Addendum before creating or uploading any presentation that includes Protected Health Information.
Google’s Business Associate Addendum is an addendum to the Google Workspace Terms of Service. System administrators need to understand the customer obligations in the Terms of Service, including accountability for end user behavior, use of commercially reasonable means to prevent unauthorized use of the services, and notification to Google of unauthorized access.
Google Slides is not HIPAA compliant by default. System administrators need to follow the recommendations in Google’s HIPAA Implementation Guide, including configuring Google Drive controls that limit how files are shared, who can receive shared files, and what sharing settings are permitted within and outside the organization. Administrative monitoring should include security notifications that alert administrators when Google detects unusual or suspicious behavior in an organization’s account.
Workforce training should address how Google Slides and related Google Workspace services can be used without placing Protected Health Information into services or features that are not configured for compliant use. Training should address access control practices, prohibited shortcuts that bypass sharing restrictions, and internal reporting for suspected unauthorized access or disclosure.
