Google Drive - HIPAA, FERPA, and Other Sensitive Data Storage

Overview

The Texas A&M Google Drive is considered HIPAA compliant and may not be FERPA compliant in some cases. When storing data in Google Drive, be aware of the type of data being stored and of the guidance in the Texas A&M IT Policy Controls Catalog, the Texas A&M Google Terms of Use, and the Texas A&M Technology Services website on where and how to store data.

Information

Several documents outline how HIPAA, FERPA, and other sensitive data should be stored and transmitted, including the Texas A&M IT Policy Controls Catalog, the Texas A&M Google Terms of Use, and the Texas A&M Technology Services website.

  • From https://it.tamu.edu/google/terms/index.php:

    The Service is not appropriate for:
    1. Data controlled for export under Export Control Laws (EAR, ITAR).
    2. Certain types of Personally Identifiable Information (PII), including Social Security Numbers, credit card numbers, and bank or financial account numbers.
    3. Data classified as Critical according to the Texas A&M data classification standard.
    4. High-Risk Activities in which loss or inappropriate disclosure of the data would result in significant consequences in terms of economic loss, loss of trust, or legal liability.
  • From https://cio.tamu.edu/policy/it-policy/controls-catalog/standards/data_classification_standard.pdf:

    Storage of private data (confidential data, including HIPAA/FERPA data) On external cloud: Not permitted without Texas A&M IT security review and assessment as well as data trustee approval.

  • From https://security.tamu.edu/protect_my_work/Protecting_Confidential_Information.php:

    "Federal laws that require the confidentiality of information include:

     
    • The Family Educational Rights and Privacy Act (FERPA) which protects the educational records of all students.
    • The Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI) which requires the protection and confidential handling of protected health information."

    and

    "How can I safely store confidential information?

    Encrypt Files
    By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to have a recovery plan in case you forget your key."

  • From https://cio.tamu.edu/policy/it-policy/controls-catalog/controls.php?control=SC-13:

    "University confidential information or PHI that is stored in a public location and which is directly accessible without compensating controls shall be encrypted."

 

Details

Article ID: 559
Created: Thu 5/2/24 11:04 AM
Modified: Fri 6/28/24 11:02 AM

Related Services / Offerings

The "Content and File Sharing" Service Offering allows for service requests regarding software development version control, file transfer and sharing, file storage, or note-taking applications.