In a previous post, we discussed how some organizations assume that storing their records on Google Drive is the same as having an enterprise content management solution, like Laserfiche. That post focused on security and exposed weaknesses you may encounter using Google Drive. In this post we'll discuss compliance, the other elephant in the room. If your Google Drive is not secure, it is not compliant. The industries that most often invest in Laserfiche are highly regulated, and regulation means compliance obligations. For this post, we'll be exploring HIPAA compliance.
The Health Insurance Portability and Accountability Act of 1996 sets the standards for the electronic exchange, privacy, and security of health information. HIPAA protects patients' privacy by prohibiting specific uses and disclosures of health information. It gives patients the right to obtain copies of their health information. It also requires that, if there is a breach of health information, the breached entity notify the individuals affected.
While the point of this post is to explore how difficult it is to prove HIPAA compliance using Google Drive, it's important to remember that no single application "makes" you compliant. Compliance involves activities, processes, security, audits; in other words, compliance is a series of actions, rules and regulations, and documentation.
OK. Our example is a healthcare organization that needs to be HIPAA compliant and wants to use Google Drive if at all possible. They made this choice for fiscal reasons. Here's what has to happen:
To store PHI (protected health information) in a HIPAA compliant way, the organization needs to sign a Business Associate Agreement (BAA) with Google. Google offers BAAs to paid users of its Google Apps platform. The BAA covers Gmail, Google Calendar, Google Drive, and Google Apps Vault. The client is responsible for configuring those services in a HIPAA compliant way. In addition, the BAA requires the organization to disable the additional services that the agreement does not cover, which is done in the Admin console. Free Google services are not covered; the organization must use a Google Apps for Business, Education, or Government account. Also, Google will only sign a BAA with paid users upon the request of a systems administrator. Keep in mind that even with a BAA in place there are still limitations to the data security of PHI stored in Google's G Suite apps. Please see my previous post.
Another area where Google lacks complete functionality is audit trails. The Google Apps Admin Console provides some reporting, mostly over user permissions. Permissions alerts and reporting are essential. However, a critical element of complying with HIPAA is maintaining a complete audit trail over PHI. Google Drive's audit logs record events that reach Google's servers; once a file has been synced to a laptop or phone, what happens to that local copy (viewing, editing offline, copying, printing) is not logged. That gap becomes a significant problem when staff work from home on synced devices.
Finally, Google has some issues with syncing devices. While staying up-to-date on data across devices is one of the primary reasons many use Google Drive, sync can interfere with HIPAA compliance. File sync in a HIPAA compliant environment requires that each file be encrypted both in transit and at rest on every device it lands on. Because Google essentially provides server-side encryption (plus encryption in transit), your files are protected in the cloud but not once they are synced to the device, where the local copy sits in whatever state the device's own storage leaves it. Google, out of the box, does not offer the end-to-end encryption you would need to keep those synced copies protected; you would have to add device-level encryption and controls yourself, and document that you did.
Overall, making Google Drive HIPAA compliant will require a sizable investment in time and money, so you'll need to do some budgeting. And if you are interested in hearing how Laserfiche handles compliance, give me a shout at firstname.lastname@example.org.