How to Make Google Drive HIPAA Compliant: Step-by-Step Guide to BAA, Settings, and Sharing Controls


Kevin Henry

HIPAA

September 25, 2025

8 minutes read

Making Google Drive HIPAA compliant is less about a single switch and more about a coordinated program: execute a Business Associate Agreement (BAA), choose the right Google Workspace configuration, lock down sharing, enforce strong identity protections, and monitor with audit logging. This step-by-step guide shows you how to safeguard Protected Health Information (PHI) while preserving collaboration.

Follow the sections below in order. Each one maps to a core HIPAA expectation—like the Minimum Necessary Rule, access controls, Two-Factor Authentication, and Audit Logging—so you can build a defensible, repeatable setup.

Understand Business Associate Agreement

A Business Associate Agreement is the contract that permits a cloud service to create, receive, maintain, or transmit PHI on your behalf. Without an executed BAA, you must not store PHI in Google Drive. The BAA defines each party's responsibilities for safeguarding PHI, breach notification, and permitted uses and disclosures.

Confirm that your organization is a covered entity or business associate and that Google will function as your business associate for the covered services (including Drive). Your internal policies must align with the BAA and with HIPAA’s administrative, physical, and technical safeguards.

Key steps to execute the BAA

  • Identify your HIPAA scope: the teams, workflows, and repositories that handle PHI.
  • Review and accept Google's BAA in the Google Admin console (under Account, then Legal and compliance) before migrating any PHI to Drive.
  • Verify which Google services are covered under the BAA (Google publishes the list of included functionality) and disable or restrict non-covered services for users who handle PHI.
  • Document the roles and responsibilities for security, privacy, and incident response that the BAA references.

Scope, covered services, and the Minimum Necessary Rule

  • Apply the Minimum Necessary Rule by limiting PHI access to users who need it for their job.
  • Separate PHI content into designated Shared drives and folders so it is easier to govern and audit.
  • Restrict risky add-ons or third-party apps that are not covered by your BAA or vendor assessments.

Configure Google Workspace Plans

HIPAA compliance depends on your controls, not just your subscription. That said, choose a Google Workspace edition that includes security and compliance capabilities you plan to use with Drive—like data loss prevention (DLP), retention/eDiscovery, advanced device management, and investigation tools.

Capabilities to require for a HIPAA-aligned setup

  • Drive governance: Shared drives, granular sharing controls, labels/classification, and blocking download/print/copy for PHI.
  • Data protection: DLP for Drive to detect PHI patterns; encryption in transit and at rest; restrictions on third-party app access.
  • Identity and access: directory groups, Role-Based Access Control (RBAC), context-aware access, and Two-Factor Authentication.
  • Compliance and discovery: Vault or equivalent for retention, legal hold, and eDiscovery.
  • Monitoring: admin and Drive Audit Logging with alerting and investigation capabilities.

Initial configuration checklist

  • Accept the BAA and assign super admins for security and compliance.
  • Create security groups aligned to job roles; grant app access and Drive permissions to groups, not individuals.
  • Enable Drive labels or a simple classification scheme for PHI versus non-PHI content.
  • Harden marketplace/app access; only allow vetted apps that meet your BAA and risk criteria.

Implement Role-Based Access Controls

RBAC ensures only authorized users can access PHI. Map every user to a role with clearly defined privileges, then implement those privileges with Google groups, admin roles, and Shared drive roles. This enforces the Minimum Necessary Rule at scale and simplifies audits.

Design and enforce RBAC

  • Define roles (e.g., clinician, billing, research, IT admin) and the specific PHI each role needs.
  • Create groups per role and assign access to PHI Shared drives and folders through those groups.
  • Use Shared drive roles (Manager, Content manager, Contributor, Commenter, Viewer) to match privileges to duties.
  • Prohibit personal ownership of PHI by storing regulated content only in Shared drives, not My Drive.
  • Run quarterly access reviews and immediate off‑boarding: remove group membership, revoke sessions, and transfer file ownership if needed.

Harden privileged access

  • Limit super admin rights; use least‑privilege admin roles for day‑to‑day tasks.
  • Require phishing‑resistant Two-Factor Authentication (e.g., security keys) for admins and help desk staff.
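The quarterly access review above is easier to defend when it is a repeatable check rather than a manual scan of the Shared drive's member list. The following is an added example (not code from the article or from Google) that reconciles a Shared drive's ACL against a role policy: grants to individuals instead of groups, grants to suspended accounts, groups holding a higher role than policy allows, external grants, and domain-wide or "anyone" grants. The records follow the shape of the Drive API `permissions` resource (`type`, `role`, `emailAddress`, `domain`), but the domain, group names, suspended account and policy are constructed for illustration.

```python
"""Quarterly access review for a PHI Shared drive (added example).

Input records follow the Drive API `permissions` resource layout; every
value below (domain, groups, suspended user, policy) is constructed.
"""

# Drive API role names -> the Shared drive role names shown in the UI.
ROLE_NAMES = {
    "organizer": "Manager",
    "fileOrganizer": "Content manager",
    "writer": "Contributor",
    "commenter": "Commenter",
    "reader": "Viewer",
}
ROLE_RANK = {"reader": 0, "commenter": 1, "writer": 2, "fileOrganizer": 3, "organizer": 4}

# Hypothetical RBAC policy: the maximum role each role-group may hold on the drive.
POLICY = {
    "clinicians@example-health.org": "writer",
    "billing@example-health.org": "reader",
    "drive-admins@example-health.org": "organizer",
}
INTERNAL_DOMAINS = {"example-health.org"}
# Accounts already suspended in the directory (constructed for the example).
SUSPENDED = {"former.nurse@example-health.org"}

# Constructed ACL as `permissions.list` would return it for the Shared drive.
SAMPLE_ACL = [
    {"type": "group", "emailAddress": "clinicians@example-health.org", "role": "writer"},
    {"type": "group", "emailAddress": "billing@example-health.org", "role": "writer"},
    {"type": "group", "emailAddress": "drive-admins@example-health.org", "role": "organizer"},
    {"type": "user", "emailAddress": "former.nurse@example-health.org", "role": "reader"},
    {"type": "user", "emailAddress": "dr.jones@example-health.org", "role": "writer"},
    {"type": "user", "emailAddress": "analyst@partner-lab.com", "role": "reader"},
]


def review_acl(permissions, policy=POLICY, internal=INTERNAL_DOMAINS, suspended=SUSPENDED):
    """Return (finding, subject, detail) tuples for every policy deviation."""
    findings = []
    for p in permissions:
        ptype, role = p["type"], p["role"]
        # Domain-wide or anyone grants never belong on a PHI drive.
        if ptype in ("anyone", "domain"):
            findings.append(("public_or_domain_grant", p.get("domain", "anyone"), ROLE_NAMES[role]))
            continue
        email = p["emailAddress"].lower()
        domain = email.split("@", 1)[1]
        if domain not in internal:
            findings.append(("external_grant", email, ROLE_NAMES[role]))
        if ptype == "user":
            # Policy: access is granted through role groups, never to individuals.
            kind = "suspended_user_grant" if email in suspended else "direct_user_grant"
            findings.append((kind, email, ROLE_NAMES[role]))
        elif ptype == "group":
            allowed = policy.get(email)
            if allowed is None:
                findings.append(("unknown_group", email, ROLE_NAMES[role]))
            elif ROLE_RANK[role] > ROLE_RANK[allowed]:
                findings.append(("role_exceeds_policy", email,
                                 f"{ROLE_NAMES[role]} > {ROLE_NAMES[allowed]}"))
    return findings


if __name__ == "__main__":
    for finding in review_acl(SAMPLE_ACL):
        print("%-22s %-36s %s" % finding)
```

Run against real data, the ACL would come from `permissions.list` with `supportsAllDrives=true` for each PHI Shared drive, and the suspended set from the Directory API; each finding maps to a remediation (move the individual into a group, remove the suspended account, lower the group's role).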

Enforce Two-Factor Authentication

Two-Factor Authentication (2FA), which Google Workspace calls 2-Step Verification, is the practical way to meet the Security Rule's person or entity authentication standard (45 CFR 164.312(d)). Enforce 2FA for every account that can access PHI and require the strongest methods you can support, especially for administrators and anyone with broad sharing rights.


Identity protection checklist

  • Make 2FA mandatory tenant‑wide, with an enrollment grace period short enough that unenrolled accounts cannot linger; disallow SMS and voice codes as a factor if you can support stronger options.
  • Prefer security keys or passkeys for high‑risk users; require re‑authentication for sensitive actions.
  • Set session lengths appropriate to risk; force sign‑out on device loss or termination.
  • Block legacy protocols and less secure app access (password-only IMAP/POP and similar), which bypass modern authentication and 2FA.

Set Sharing Restrictions

A common cause of PHI exposure in cloud storage is oversharing: a link that works for anyone, or a file shared with a personal address. Configure Drive so PHI is shared only with authorized users and with partners that are under a BAA or equivalent contract. Pair preventive sharing rules with DLP to stop sensitive data from leaving approved boundaries.

  • Disable public or “anyone with the link” access; require sign‑in for all viewers.
  • Restrict external sharing; if needed, allow only approved partner domains with appropriate agreements.
  • Default PHI locations to Viewer or Commenter and block download/print/copy for those roles.
  • Prevent users from publishing files to the web or using file embedding for PHI.
  • Use Shared drives for PHI and limit who can create new Shared drives to approved admins.
  • Enable DLP for Drive: detect PHI (e.g., patient identifiers, SSNs, medical record numbers) and auto‑block external sharing or require justification.
  • Apply labels or metadata indicating PHI; tie DLP rules and sharing restrictions to those labels.
  • Control offline access on unmanaged or shared devices; require device compliance to access PHI.
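Preventive settings stop new oversharing; they do not retroactively fix files that were already shared, and the monthly sharing report in the section below needs a consistent way to classify exposure. The following is an added example (not code from the article or from Google) that classifies each file's exposure from its permission list and flags the violations this section describes: link or public sharing, PHI shared outside the organization, PHI living in My Drive instead of a Shared drive, and PHI readers who can still download, print or copy. The records follow the Drive API `files` resource layout (`permissions`, `driveId`, `owners`, `copyRequiresWriterPermission`, `labelInfo`); the label id, domain and file contents are constructed for illustration.

```python
"""Drive sharing exposure report for PHI (added example).

Records mimic the Drive API `files` resource; the PHI label id, the
organization's domain and every file below are constructed.
"""

INTERNAL_DOMAINS = {"example-health.org"}
PHI_LABEL_ID = "hypothetical-phi-label-id"   # assumption: the Drive label used to mark PHI

# Constructed `files.list` results (fields=..., includeLabels=PHI_LABEL_ID).
SAMPLE_FILES = [
    {"name": "MRN-1042 discharge summary", "driveId": "0AClinicalRecords",
     "labelInfo": {"labels": [{"id": PHI_LABEL_ID}]},
     "copyRequiresWriterPermission": True,
     "permissions": [{"type": "group", "emailAddress": "clinicians@example-health.org", "role": "writer"}]},
    {"name": "Referral - partner lab", "owners": [{"emailAddress": "dr.jones@example-health.org"}],
     "labelInfo": {"labels": [{"id": PHI_LABEL_ID}]},
     "copyRequiresWriterPermission": False,
     "permissions": [{"type": "user", "emailAddress": "dr.jones@example-health.org", "role": "owner"},
                     {"type": "user", "emailAddress": "analyst@partner-lab.com", "role": "reader"}]},
    {"name": "Holiday party flyer", "driveId": "0AInternalComms",
     "permissions": [{"type": "group", "emailAddress": "staff@example-health.org", "role": "writer"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "Patient intake form (completed)", "driveId": "0AClinicalRecords",
     "labelInfo": {"labels": [{"id": PHI_LABEL_ID}]},
     "copyRequiresWriterPermission": True,
     "permissions": [{"type": "group", "emailAddress": "clinicians@example-health.org", "role": "writer"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]


def classify_exposure(permissions, internal=INTERNAL_DOMAINS):
    """Worst-case audience of a file: public > anyone_with_link > external > internal."""
    worst = "internal"
    for p in permissions:
        if p["type"] == "anyone":
            # allowFileDiscovery=True means search engines may index the file.
            return "public" if p.get("allowFileDiscovery") else "anyone_with_link"
        if p["type"] == "domain" and p.get("domain") not in internal:
            worst = "external"
        elif p["type"] in ("user", "group"):
            if p["emailAddress"].lower().split("@", 1)[1] not in internal:
                worst = "external"
    return worst


def exposure_report(files, internal=INTERNAL_DOMAINS, phi_label=PHI_LABEL_ID):
    """One row per file with its exposure class and the policy issues found."""
    rows = []
    for f in files:
        labels = f.get("labelInfo", {}).get("labels", [])
        is_phi = any(label["id"] == phi_label for label in labels)
        exposure = classify_exposure(f.get("permissions", []), internal)
        issues = []
        if exposure in ("public", "anyone_with_link"):
            issues.append("link_sharing")
        if is_phi:
            if exposure == "external":
                issues.append("phi_shared_externally")
            if "driveId" not in f:                      # owned by a person, not a Shared drive
                issues.append("phi_in_my_drive")
            if not f.get("copyRequiresWriterPermission", False):
                issues.append("download_not_restricted")
        rows.append({"name": f["name"], "phi": is_phi, "exposure": exposure, "issues": issues})
    return rows


if __name__ == "__main__":
    for row in exposure_report(SAMPLE_FILES):
        print(f"{row['name']:34} phi={row['phi']!s:5} {row['exposure']:16} {', '.join(row['issues']) or 'ok'}")
```

The `anyone` permission's `allowFileDiscovery` flag is what separates "anyone with the link" from a file that is truly public, and `copyRequiresWriterPermission` is the per-file form of the "viewers and commenters can download, print and copy" setting; both are worth checking even after the tenant-wide settings are locked down, because files shared before the policy change keep their old state.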

Enable Audit Logging

Audit Logging is your visibility layer for HIPAA. You need records of who accessed, shared, downloaded, or modified PHI, plus alerts for risky behavior. Logs also support investigations, breach notification analysis, and periodic compliance audits.

Set up logging and alerting

  • Ensure Drive audit events are recorded for views, edits, downloads, shares, prints, and permission changes (in Google Workspace these appear as Drive log events in the audit and investigation tool).
  • Create alerts for abnormal spikes in downloads, new external sharing, DLP rule matches, or changes to sharing policies.
  • Retain logs for your required period and export them to your SIEM for correlation with identity and endpoint data. The Admin console keeps Drive log events for a limited time (six months), far short of the six-year documentation retention HIPAA requires (45 CFR 164.316(b)(2)), so the export is what makes long-term review possible.
  • Use eDiscovery/retention tools to preserve PHI content under legal hold and to meet record-keeping requirements.
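The alerts listed above are easiest to reason about when the detection logic is visible. The following is an added example (not code from the article or from Google) that runs three detections over Drive activity records: a file's visibility changed to anyone-with-the-link or public, a share granted to an address outside the organization, and a burst of downloads by one account inside a short window. The records follow the shape of the Reports API `activities.list` response for `applicationName=drive`; the event and parameter names match the Drive audit log as the author understands them, but every record, actor and domain below is constructed.

```python
"""Detection logic over Drive audit events (added example).

Records mimic Reports API `activities.list` output for the Drive application;
all events, actors and domains are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"example-health.org"}
LINK_VISIBILITIES = {"people_with_link", "public_on_the_web"}


def _activity(time, actor, name, etype, **params):
    """Build one activity record in the Reports API layout (helper for the sample data)."""
    return {"id": {"time": time, "applicationName": "drive"}, "actor": {"email": actor},
            "events": [{"type": etype, "name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


def parse_time(value):
    """Reports API timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample: one link share, one external share, one benign internal
# share, a 25-download burst by a billing clerk, and three spaced-out downloads.
SAMPLE_ACTIVITIES = [
    _activity("2025-09-25T13:58:03.000Z", "dr.jones@example-health.org", "change_document_visibility",
              "acl_change", doc_title="MRN-1042 discharge summary", old_value="private",
              new_value="people_with_link"),
    _activity("2025-09-25T14:01:40.000Z", "dr.jones@example-health.org", "change_user_access",
              "acl_change", doc_title="Referral - imaging", target_user="analyst@partner-lab.com",
              old_value="none", new_value="can_view"),
    _activity("2025-09-25T14:03:12.000Z", "charge.nurse@example-health.org", "change_user_access",
              "acl_change", doc_title="Shift handoff", target_user="billing@example-health.org",
              old_value="none", new_value="can_view"),
]
_start = datetime(2025, 9, 25, 14, 10, tzinfo=timezone.utc)
SAMPLE_ACTIVITIES += [
    _activity((_start + timedelta(seconds=10 * i)).isoformat().replace("+00:00", "Z"),
              "billing.clerk@example-health.org", "download", "access",
              doc_title=f"MRN-{2000 + i} statement")
    for i in range(25)
]
SAMPLE_ACTIVITIES += [
    _activity((_start + timedelta(minutes=20 * i)).isoformat().replace("+00:00", "Z"),
              "charge.nurse@example-health.org", "download", "access", doc_title="Shift handoff")
    for i in range(3)
]


def detect(activities, internal=INTERNAL_DOMAINS, max_downloads=20, window=timedelta(minutes=10)):
    """Return (alert, actor, subject, detail) tuples; one burst alert per actor."""
    alerts = []
    downloads = defaultdict(list)
    for activity in activities:
        when = parse_time(activity["id"]["time"])
        actor = activity["actor"]["email"].lower()
        for event in activity["events"]:
            params = {p["name"]: p["value"] for p in event.get("parameters", [])}
            name = event["name"]
            if name == "change_document_visibility" and params.get("new_value") in LINK_VISIBILITIES:
                alerts.append(("link_or_public_share", actor, params.get("doc_title"), params["new_value"]))
            elif name == "change_user_access":
                target = params.get("target_user", "").lower()
                if "@" in target and target.split("@", 1)[1] not in internal:
                    alerts.append(("external_share", actor, params.get("doc_title"), target))
            elif name == "download":
                downloads[actor].append(when)
    # Sliding-window count of downloads per actor; alert once the threshold is crossed.
    for actor, times in downloads.items():
        recent = deque()
        for when in sorted(times):
            recent.append(when)
            while when - recent[0] > window:
                recent.popleft()
            if len(recent) > max_downloads:
                alerts.append(("download_burst", actor, len(recent), f"within {window}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ACTIVITIES):
        print(alert)
```

In production the same function would consume pages from `activities.list` (or the SIEM's copy of them); the threshold and window belong in a tunable baseline per role, since a records clerk and a clinician have very different normal download rates.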

Operationalize reviews

  • Run monthly reports on external sharing, file ownership outside Shared drives, and dormant high‑risk permissions.
  • Test incident response: simulate a mis‑share, validate detection, alerting, containment, and user notification.

Provide HIPAA Training and Policies

Technology alone does not make Google Drive HIPAA compliant. Train your workforce on PHI handling, secure sharing, incident reporting, and acceptable use. Reinforce policies that translate HIPAA requirements into concrete behaviors inside Drive.

Training essentials

  • What counts as PHI, and how Role-Based Access Control limits who may access it.
  • How to classify content, where PHI belongs (Shared drives), and how to request access.
  • How to use Two-Factor Authentication, recognize phishing, and report suspected incidents.
  • Do’s and don’ts for sharing: no public links, no personal accounts, and verify recipients.

Policy foundations

  • Access management with the Minimum Necessary Rule and least privilege.
  • Data protection standards: encryption in transit and at rest, DLP usage, and third‑party app controls.
  • Retention/eDiscovery, breach notification, and sanctions for violations.
  • Device and remote work rules, including offline access and BYOD expectations.

Summary

To make Google Drive HIPAA compliant, execute the BAA, select Workspace capabilities that support DLP and retention, enforce RBAC and strong Two-Factor Authentication, restrict sharing to trusted boundaries, and use Audit Logging to verify and improve. Combined with training and clear policies, these controls help you protect PHI and demonstrate due diligence.

FAQs

What is a Business Associate Agreement and why is it necessary?

A Business Associate Agreement is a HIPAA-required contract that permits a service provider to handle PHI and commits both parties to specific safeguards, permitted uses, and breach notification duties. You must have an executed BAA with Google before storing or sharing PHI in Drive.

How do I configure Google Drive sharing settings for HIPAA?

Disable public link sharing, require sign‑in for all access, restrict external sharing to approved partner domains, and block download/print/copy for viewer and commenter roles in PHI locations. Use Shared drives for regulated content, apply PHI labels, and deploy DLP rules that automatically prevent or quarantine risky shares.

What Google Workspace plans support HIPAA compliance?

HIPAA compliance is achievable on eligible Google Workspace editions when you execute the BAA and properly configure controls. Choose an edition that includes the security features you need—such as DLP for Drive, retention/eDiscovery, advanced device management, and audit/investigation tools—and then enforce the policies outlined in this guide.

How can audit logs help maintain HIPAA compliance?

Audit logs record who accessed, shared, downloaded, or changed PHI, enabling continuous monitoring, alerting, and investigations. They help you prove adherence to policies, detect mis‑sharing quickly, support breach assessments, and provide evidence for audits and regulatory inquiries.
