Is Google Drive HIPAA Compliant?
The short answer: yes, but only through Google Workspace (paid) with a signed BAA. Free Google Drive is never HIPAA compliant. Here's exactly how to configure it for safe PHI storage.
Yes — But Only Through Google Workspace (Paid)
Free Google Drive is never HIPAA compliant. Google Workspace (paid plans) can be used to store PHI — but only after signing a BAA and configuring sharing, DLP, and audit settings correctly.
- Google Workspace + BAA: HIPAA-eligible for PHI storage
- Free Google Drive: never HIPAA compliant
- AES-256 encryption at rest and TLS 1.2+ in transit: built into all Workspace Drive storage
Why Free Google Drive Fails HIPAA
HIPAA doesn't certify cloud storage platforms. Compliance depends on three things: the vendor's technical safeguards, a signed Business Associate Agreement (BAA), and your organization's configuration. Free Google Drive fails on the second requirement — Google will not sign a BAA for consumer accounts.
| Feature | Free Google Drive | Google Workspace |
|---|---|---|
| BAA available | No | Yes |
| Encryption at rest | AES-256 | AES-256 |
| Encryption in transit | TLS 1.2+ | TLS 1.2+ |
| Admin audit logs | No | Yes |
| DLP rules | No | Yes (Business Standard+) |
| Starting price | $0 | $7.20/user/mo |
“Encryption alone does not equal HIPAA compliance. Without a BAA, Google has no legal obligation to protect your patients' data under HIPAA — even if the files are technically encrypted.”
45 CFR §164.502(e) — A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI only if the covered entity obtains satisfactory assurances via a written contract (BAA).
How to Sign the BAA for Google Drive
Getting the BAA in place takes about 10 minutes. The configuration that follows takes longer — but the BAA is your legal foundation. Use our BAA template generator for your own agreements with subcontractors and downstream vendors.
Choose a Google Workspace plan
All paid plans (Business Starter, Standard, Plus, Enterprise) are BAA-eligible. Business Standard ($13.20/user/mo) or higher is recommended for DLP and Vault.
Accept Google's BAA in Admin Console
Navigate to Admin Console → Account → Legal and compliance → Google Workspace/Cloud Identity BAA. Review and accept. This is a legal contract, not a toggle.
Identify which Workspace services will handle PHI
Google's BAA covers Drive, Docs, Sheets, Slides, Gmail, Calendar, Meet, Chat, Keep, Forms, Sites, Vault, and Cloud Search. Only store PHI in covered services.
Configure security settings
The BAA alone is not enough. You must restrict sharing defaults, enable DLP, enforce 2FA, and turn on audit logging — detailed in the next section.
BAA covers services, not individual files
Google's BAA is a blanket agreement covering eligible Workspace services. You don't need to tag individual files as PHI — but you do need to ensure PHI never leaves BAA-covered services. Track your obligations with a HIPAA compliance checklist.
Which Google Services Are Covered by the BAA?
Google's BAA does not cover everything with a Google logo. Only specific Workspace services are included. If your staff accidentally stores PHI in a non-covered service, you have a breach — even if the data is technically encrypted.
Covered by BAA
- Google Drive (file storage)
- Google Docs
- Google Sheets
- Google Slides
- Google Forms
- Gmail
- Google Calendar
- Google Meet
- Google Chat
- Google Keep
- Google Sites
- Google Vault
- Cloud Search
- Google Voice (Workspace version)
Not Covered
- Free Google Drive (@gmail.com)
- Google Contacts (consumer)
- Google Maps / Google Earth
- YouTube
- Google Ads / Analytics
- Google Photos
- Third-party Marketplace add-ons
- Gemini AI features (check Google's latest BAA scope)
Note: Google updates its BAA scope periodically. Always verify the current list in Admin Console → Account → Legal and compliance before storing PHI in any Google service.
6 Google Drive Settings You Must Configure
The BAA is step one. These six configurations are what actually protect PHI stored in Google Drive. Document each one in your HIPAA risk assessment.
1. Disable link sharing defaults
Admin Console → Apps → Google Workspace → Drive → Sharing settings
Set default link sharing to 'Off' and restrict sharing outside your organization. Require sign-in to access shared files.
Why: Prevents staff from accidentally sharing PHI-containing documents with 'Anyone with the link' — the #1 Google Drive HIPAA violation.
2. Set up DLP rules for PHI detection
Admin Console → Security → Data protection → Rules
Create rules to detect SSNs, MRNs, diagnosis codes (ICD-10), and health data in Drive files. Set the action to 'Block external sharing' or 'Warn user'.
Why: Catches PHI in documents before they leave your organization, even if a user tries to share externally.
3. Enable audit logging and Drive activity reports
Admin Console → Reporting → Audit and investigation → Drive log events
Verify Drive audit logs are active. Set up alerts for external sharing events. Retain logs for 6+ years per HIPAA requirements.
Why: HIPAA requires logging all access to ePHI — logs prove who accessed, modified, or shared files during audits.
4. Enforce 2-step verification for all users
Admin Console → Security → Authentication → 2-step verification
Set enforcement to 'On' for all organizational units. Require hardware keys or authenticator apps — not SMS.
Why: Passwords alone fail the HIPAA access control standard. 2FA is the minimum viable authentication for ePHI access.
5. Configure client-side encryption (Enterprise only)
Admin Console → Security → Access and data control → Client-side encryption
Enable CSE for Drive, Docs, Sheets, and Slides. Upload your own encryption keys via an external key management service.
Why: With CSE, Google cannot decrypt your files — you control the keys. This is the strongest encryption option for PHI in Drive.
6. Restrict download, print, and copy on shared files
Individual file → Share → Settings gear → Uncheck 'Viewers can download'
For PHI-containing files, disable download/print/copy for viewers. Train staff to apply this on every shared document with patient data.
Why: Prevents PHI from being downloaded to unmanaged personal devices where it's outside your security controls.
These settings mirror the HIPAA encryption requirements for data at rest and in transit. Google handles the encryption layer — you handle the access controls and sharing policies.
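As an added example (not code from the page or from Google), a permissions audit over Drive file metadata that flags the conditions settings 1 and 6 are meant to prevent: 'Anyone with the link' access, external collaborators, and download/copy left enabled for viewers. The sample records are constructed; their field names are modelled on the Drive API v3 file resource (`permissions`, `copyRequiresWriterPermission`) and treated as an assumption, as is the clinic.example domain.

```python
ORG_DOMAIN = "clinic.example"   # assumption: your Workspace primary domain

# Constructed sample records; the field names are modelled on the Drive API v3
# file resource (permissions[], copyRequiresWriterPermission) and are an assumption.
SAMPLE_FILES = [
    {"name": "intake-2026-00147.pdf", "copyRequiresWriterPermission": False,
     "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": False},
                     {"type": "user", "role": "owner", "emailAddress": "nurse@clinic.example"}]},
    {"name": "billing-2026-00032.xlsx", "copyRequiresWriterPermission": True,
     "permissions": [{"type": "user", "role": "writer", "emailAddress": "vendor@outside.example"},
                     {"type": "user", "role": "owner", "emailAddress": "admin@clinic.example"}]},
    {"name": "policy.docx", "copyRequiresWriterPermission": True,
     "permissions": [{"type": "domain", "role": "reader", "domain": "clinic.example"},
                     {"type": "user", "role": "owner", "emailAddress": "admin@clinic.example"}]},
]

def is_external(email):
    return email.split("@")[-1].lower() != ORG_DOMAIN

def audit_file(f):
    """Return the sharing problems found on one file (empty list = clean)."""
    findings = []
    for p in f.get("permissions", []):
        if p["type"] == "anyone":                      # 'Anyone with the link'
            findings.append("PUBLIC_LINK_DISCOVERABLE" if p.get("allowFileDiscovery") else "PUBLIC_LINK")
        elif p["type"] == "domain" and p.get("domain", "").lower() != ORG_DOMAIN:
            findings.append(f"EXTERNAL_DOMAIN:{p['domain']}")
        elif p["type"] in ("user", "group") and is_external(p.get("emailAddress", "")):
            findings.append(f"EXTERNAL_{p['role'].upper()}:{p['emailAddress']}")
    # Setting 6: viewers may download/print/copy unless this flag is set
    if not f.get("copyRequiresWriterPermission", False):
        findings.append("DOWNLOAD_COPY_ALLOWED")
    return findings

def audit(files):
    """Map file name -> findings, keeping only files with at least one problem."""
    return {f["name"]: fs for f in files if (fs := audit_file(f))}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FILES).items():
        print(name, ", ".join(findings))
```

In practice the records would come from a `files.list` call scoped to the PHI Shared Drive; the policy.docx record shows that domain-wide internal sharing produces no finding.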
How to Safely Store PHI in Google Drive
Configuration is only half the equation. How your team actually uses Drive day-to-day determines whether you stay compliant. These practices address the most common HIPAA violations related to cloud storage.
Use a dedicated Shared Drive for PHI
Create a Shared Drive (not My Drive) specifically for patient data. Shared Drives are owned by the organization, not individual users — files persist when employees leave.
Name it clearly (e.g., 'PHI – Patient Records') so staff know which Drive has restricted sharing rules. Set Drive-level sharing to 'Only members' with no external access.
Standardize file naming conventions
Avoid putting patient names or MRNs in file names. Use coded identifiers instead (e.g., 'intake-2026-00147.pdf' instead of 'John_Smith_intake.pdf').
File names appear in search results, browser tabs, and activity logs. A coded naming system reduces incidental exposure of PHI in these surfaces.
Apply least-privilege access
Share files with the minimum access level needed. Use 'Viewer' access by default and only grant 'Editor' to staff who must modify records.
Review sharing permissions quarterly. Remove access for departed staff immediately — include this in your offboarding process.
Control the trash and version history
Files in Trash are still accessible for 30 days. Shared Drive admins can purge trash immediately. Version history retains all previous edits.
HIPAA requires disposal procedures for ePHI. Establish a policy for when and how Drive files containing PHI are permanently deleted after the retention period.
Audit file access regularly
Use Admin Console → Reporting → Drive log events to review who accessed, downloaded, or shared PHI-containing files.
Set up automated alerts for unusual activity: bulk downloads, external sharing attempts, or access from new devices.
Don't forget the Minimum Necessary Rule
Even within your organization, staff should only access PHI they need for their specific job function. Use Google Groups or Drive folder permissions to enforce role-based access to patient records.
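The alert conditions described above (files opened to 'Anyone with the link', external sharing, bulk downloads) as detection logic run over exported Drive log events. This is an added example, not Google's code or the page's; the events are constructed and reduced to the fields the check reads, their layout loosely follows the Reports API drive activity shape and is an assumption, and clinic.example is an assumed organization domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "clinic.example"    # assumption: your Workspace primary domain
PUBLIC_VISIBILITIES = {"people_with_link", "public_on_the_web"}
BULK_DOWNLOAD_THRESHOLD = 20     # downloads by one account within WINDOW_MINUTES
WINDOW_MINUTES = 10

# Constructed sample Drive log events, reduced to the fields this check reads. The
# layout loosely follows the Reports API drive activity shape and is an assumption.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T09:00:01Z", "actor": "nurse@clinic.example",
     "name": "change_document_visibility",
     "params": {"doc_title": "intake-2026-00147.pdf", "visibility": "people_with_link"}},
    {"time": "2026-03-02T09:05:10Z", "actor": "admin@clinic.example",
     "name": "change_user_access",
     "params": {"doc_title": "billing-2026-00032.xlsx", "target_user": "vendor@outside.example"}},
    {"time": "2026-03-02T09:06:00Z", "actor": "admin@clinic.example",   # internal share: no alert
     "name": "change_user_access",
     "params": {"doc_title": "policy.docx", "target_user": "dr.lee@clinic.example"}},
] + [  # 25 PHI files downloaded by one account within 25 seconds
    {"time": f"2026-03-02T10:00:{s:02d}Z", "actor": "temp@clinic.example",
     "name": "download", "params": {"doc_title": f"intake-2026-{100 + s:05d}.pdf"}}
    for s in range(25)
]

def is_external(email):
    return email.split("@")[-1].lower() != ORG_DOMAIN

def find_violations(events):
    """Return (kind, actor, detail) tuples for each alert condition that fires."""
    alerts, downloads = [], defaultdict(list)
    for e in events:
        p, target = e["params"], e["params"].get("target_user")
        if e["name"] == "change_document_visibility" and p.get("visibility") in PUBLIC_VISIBILITIES:
            alerts.append(("LINK_SHARING", e["actor"], p["doc_title"]))
        elif e["name"] == "change_user_access" and target and is_external(target):
            alerts.append(("EXTERNAL_SHARE", e["actor"], f"{p['doc_title']} -> {target}"))
        elif e["name"] == "download":
            downloads[e["actor"]].append(datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ"))
    for actor, times in downloads.items():        # sliding window per account
        start, times = 0, sorted(times)
        for end, t in enumerate(times):
            while t - times[start] > timedelta(minutes=WINDOW_MINUTES):
                start += 1
            if end - start + 1 >= BULK_DOWNLOAD_THRESHOLD:
                alerts.append(("BULK_DOWNLOAD", actor, f"{end - start + 1} downloads in {WINDOW_MINUTES} min"))
                break                              # one alert per account is enough
    return alerts
```

The threshold and window are tuning knobs; a clinic whose front desk legitimately downloads batches of intake forms would set them higher than the values used here.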
5 Google Drive Mistakes That Violate HIPAA
Most Drive-related HIPAA violations aren't caused by Google's infrastructure — they're caused by how practices use the platform. These are the issues that surface most often in risk assessments and breach investigations.
Sharing PHI with 'Anyone with the link'
This is the most common Drive-related HIPAA violation. Anyone who obtains the link can access the file — no authentication required. Google indexes some publicly shared files, meaning patient data could appear in search results.
Fix: Change the default sharing setting to 'Restricted' in Admin Console. Train staff to never use 'Anyone with the link' for PHI-containing files.
Using personal Google accounts for work files
If a clinician uploads a patient form to their personal @gmail.com Drive, the file is outside your BAA, your audit trail, and your access controls. This is a reportable breach.
Fix: Block personal account access on managed devices. Use Google Workspace endpoint management to enforce organizational accounts.
Not revoking file access when staff leave
Former employees with active file access can still view, download, or share PHI-containing documents. If they shared files from 'My Drive' (not Shared Drive), the organization may lose access entirely.
Fix: Use Shared Drives for all PHI. Include Drive access revocation in your offboarding checklist. Transfer departing users' My Drive files to a manager.
Installing third-party add-ons that access Drive files
Marketplace add-ons that read Drive files are not covered by Google's BAA. Each add-on vendor needs a separate BAA if they can access PHI.
Fix: Whitelist approved add-ons in Admin Console → Apps → Google Workspace Marketplace. Block all others for healthcare organizational units.
Skipping staff training on Drive sharing rules
HIPAA requires workforce training on PHI handling procedures. Without training, staff default to the most convenient sharing option — which is usually the least secure.
Fix: Run annual Drive-specific training. Test comprehension with our HIPAA training quiz. Document completion dates.
Catch these issues before an auditor does. Our HIPAA audit checklist and training quiz test your team's readiness across all cloud storage scenarios.
Google Drive Alternatives for PHI Storage
Google Drive works well for many practices, but it wasn't designed for healthcare. If you need stronger native compliance controls or simpler setup, these alternatives are worth evaluating.
Box for Healthcare
From $20/user/mo (Business Plus). HIPAA-first cloud storage.
Purpose-built for regulated industries with native BAA, FedRAMP authorization, granular permissions, watermarking, and automated classification. Used by large health systems.
Best for: Organizations needing enterprise-grade compliance features out of the box
Microsoft OneDrive (Microsoft 365)
From $12.50/user/mo (Business Premium). Full productivity suite with BAA.
OneDrive + SharePoint with Microsoft 365 BAA. Includes Purview DLP, sensitivity labels, Defender for Cloud Apps, and Azure Information Protection. Tight integration with Teams.
Best for: Practices already using Microsoft Teams or considering it for telehealth
Tresorit
From $14/user/mo (Business). Zero-knowledge encrypted storage.
End-to-end encrypted cloud storage where even Tresorit cannot access your files. Swiss-hosted option available. Includes BAA, audit logs, and remote wipe.
Best for: Practices that want maximum encryption — you hold the keys, not the vendor
Quick Reference: Google Drive HIPAA Compliance
Free Google Drive = No
Consumer @gmail.com Drive accounts are never HIPAA compliant. Google will not sign a BAA for free accounts.
Google Workspace Drive = Yes (with BAA)
Business Starter ($7.20/user/mo) and above are BAA-eligible. Accept the BAA in Admin Console → Legal.
14 services covered by the BAA
Drive, Docs, Sheets, Slides, Forms, Gmail, Calendar, Meet, Chat, Keep, Sites, Vault, Cloud Search, and Google Voice.
6 settings to configure
Disable link sharing defaults, set up DLP, enable audit logging, enforce 2FA, configure CSE (Enterprise), restrict download/print/copy.
Staff training is mandatory
Train all users on Drive sharing rules — no 'Anyone with the link' for PHI, no personal accounts, no unapproved add-ons.