Skip to main content

Encryption for Google Drive, Dropbox

Analysis  |  By Revenue Cycle Advisor  
   March 04, 2021

Apple will not sign a BAA even after the flurry of news around what Apple offers to the healthcare sector.

A version of this article was first published March 4, 2021, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.

Q: What are the encryption requirements when using Google Drive™, Dropbox®, or other information-storing applications? How do we ensure HIPAA compliance when using them?

A: You can find the required level of encryption in the National Institute of Standards and Technology (NIST) Special Publication 800-175B, Revision 1.

There are different standards for data transmission versus encryption of data at rest. For the most part, vendors such as Google, Dropbox, Box®, and others would pass muster with NIST.

This means the HIPAA Breach Notification Rule safe harbor is met. However, this is true for the business versions of these platforms (not necessarily the consumer versions), and you will still need to obtain a signed business associate agreement (BAA) from your vendor of choice.

If you use these vendors, it is a good idea to either ask them to complete a security questionnaire annually or submit a report such as a SOC 2 Type II report.

This lets you determine for yourself whether a vendor is continuing to provide the necessary security for your data, and it indicates you are exercising due diligence.

The exception for these platforms is iCloud®. Apple will not sign a BAA even after the flurry of news around what Apple offers to the healthcare sector.

The unwillingness to sign a BAA means even if the security of iCloud is solid (which it is), you cannot use iCloud to store protected health information (PHI).

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.

Revenue Cycle Advisor combines all of HCPro's Medicare regulatory and reimbursement resources into one handy and easy-to-access portal. News is not just repeated from other sources. It is analyzed by our Medicare experts so professionals can comprehend any new rule and regulatory updates thoroughly. Learn more.

Photo credit: Sankt-Petersburg, Russia, April 27, 2018: Google Drive application icon on Apple iPhone X screen close-up. Google drive icon. Google Drive application. Social media network / Editorial credit: BigTunaOnline /

Get the latest on healthcare leadership in your inbox.