Is the Google Cloud Platform HIPAA Compliant?

Is the Google Cloud Platform HIPAA compliant? Is the Google Cloud Platform a suitable alternative to Azure and AWS for cloud hosting for healthcare organizations? In this post we determine whether the Google Cloud Platform is HIPAA compliant and whether it can be used by healthcare organizations to build applications, host infrastructure, and store files containing protected health information.

Healthcare organizations are increasingly taking advantage of cloud platforms. The healthcare cloud computing market was valued at $4.65 billion in 2016 and is expected to increase to more than $14.76 billion by 2022.

Amazon AWS is still the leading platform with a market share of 62% according to KeyBanc, with Microsoft Azure second on 20%, but Google is gaining ground, with a market share of around 12%.

Amazon and Microsoft both offer platforms that support HIPAA compliance, but what about Google? Is the Google Cloud Platform HIPAA compliant?

Will Google Sign a Business Associate Agreement Covering its Cloud Platform?

Since the Omnibus Rule came into effect in September 2013, Google has been signing business associate agreements with HIPAA covered entities for G-Suite and in early 2014, Google extended its BAA to include the Google Cloud Platform.

Google’s BAA now covers most of its cloud services including Compute Engine, Cloud Storage, Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud Dataproc, Genomics, BigQuery, Kubernetes Engine, Container Registry, Cloud Dataflow, Cloud Bigtable, Cloud Pub/Sub, Cloud Translation API, Cloud Speech API, Stackdriver Logging, Stackdriver Error Reporting, Stackdriver Trace, Stackdriver Debugger, Cloud Datalab, Cloud Machine Learning Engine, Cloud Natural Language, Cloud Data Loss Prevention API, Cloud Vision API, Google App Engine, Cloud Load Balancing, Cloud VPN, and Cloud Spanner.

Further, in 2016, a partnership between Google and the mobile backend-as-a-service provider Kinvey made Kinvey's mBaaS available on Google Cloud. The mBaaS incorporates connectors to electronic health record systems to support healthcare apps.

Is the Google Cloud Platform HIPAA Compliant?

Google will sign a BAA with HIPAA covered entities, so does that mean the Google Cloud Platform is HIPAA compliant?

The BAA is only one requirement of HIPAA. It means that Google has had its security and data protection mechanisms assessed and they have been found to exceed the minimum requirements of the HIPAA Security Rule. The cloud services offered by Google also meet Privacy Rule requirements, and Google is aware of its responsibilities as a HIPAA business associate. It agrees to provide a secure and HIPAA-compliant infrastructure for the storage and processing of PHI.

However, it is up to healthcare organizations to ensure that HIPAA Rules are followed when using the Google Cloud Platform and that their cloud-based infrastructure and applications are correctly configured and secured.

It is the responsibility of covered entities to disable all Google services not covered by the business associate agreement. Access controls must be carefully implemented, controls must be set up to prevent accidental data deletion, audit log export destinations must be configured, and audit logs must be checked regularly. Care must also be taken when uploading any PHI to the cloud to ensure it is appropriately secured and is not accidentally shared with unauthorized individuals.
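The configuration duties listed above can be turned into a repeatable check. The script below is an added example, not code from the original post or from Google: it assumes the JSON shapes returned by `gcloud services list --enabled --format=json`, `gcloud storage buckets describe --format=json`, a bucket IAM policy, and `gcloud logging sinks list --format=json`, and runs the checks over constructed sample data embedded inline. The BAA-covered service list is a constructed subset mapped to API names; the bucket, group and sink names are placeholders.

```python
"""Configuration checks for a HIPAA-scoped Google Cloud project.

Added example (not the post's own code). Assumes the JSON shapes of
`gcloud ... --format=json` output and runs the post's checklist over
constructed sample data: enabled APIs outside the BAA-covered list,
public IAM bindings on a PHI bucket, missing deletion safeguards, and
the absence of an audit-log export sink.
"""
from typing import Dict, List

# Constructed: a subset of BAA-covered services from the post, mapped to
# Google API service names (assumed mapping from product to API name).
BAA_COVERED_SERVICES = {
    "compute.googleapis.com",
    "storage.googleapis.com",
    "sqladmin.googleapis.com",
    "bigquery.googleapis.com",
    "container.googleapis.com",
    "logging.googleapis.com",
    "pubsub.googleapis.com",
}

# Constructed sample of `gcloud services list --enabled --format=json`.
ENABLED_SERVICES = [
    {"config": {"name": "compute.googleapis.com"}},
    {"config": {"name": "storage.googleapis.com"}},
    {"config": {"name": "logging.googleapis.com"}},
    {"config": {"name": "example-uncovered.googleapis.com"}},  # placeholder name
]

# Constructed sample of a PHI bucket description and its IAM policy.
PHI_BUCKET = {
    "name": "phi-uploads-example",  # placeholder
    "versioning": {"enabled": False},
    "retentionPolicy": None,
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
}
PHI_BUCKET_IAM = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["group:phi-admins@example.com"]},  # placeholder
    ]
}

# Constructed sample of `gcloud logging sinks list --format=json`: only the
# built-in _Default sink, i.e. no export destination has been configured.
LOG_SINKS = [
    {"name": "_Default",
     "destination": "logging.googleapis.com/projects/example/locations/global/buckets/_Default",
     "filter": ""},
]

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
AUDIT_LOG_MARKER = "cloudaudit.googleapis.com"  # log name prefix of Cloud Audit Logs


def uncovered_services(enabled: List[dict], covered: set) -> List[str]:
    """Enabled APIs that are not on the BAA-covered list and should be disabled."""
    return sorted(s["config"]["name"] for s in enabled
                  if s["config"]["name"] not in covered)


def public_bindings(iam_policy: dict) -> List[str]:
    """Roles granted to public principals, which would expose PHI to anyone."""
    return sorted(b["role"] for b in iam_policy.get("bindings", [])
                  if PUBLIC_PRINCIPALS & set(b.get("members", [])))


def deletion_safeguards(bucket: dict) -> List[str]:
    """Controls missing on the bucket that protect against accidental deletion."""
    findings = []
    if not (bucket.get("versioning") or {}).get("enabled"):
        findings.append("object versioning disabled")
    if not bucket.get("retentionPolicy"):
        findings.append("no retention policy")
    ubla = (bucket.get("iamConfiguration") or {}).get("uniformBucketLevelAccess") or {}
    if not ubla.get("enabled"):
        findings.append("uniform bucket-level access disabled")
    return findings


def has_audit_log_export(sinks: List[dict]) -> bool:
    """True if a sink other than _Default routes audit logs to an export destination.

    An empty filter exports everything; otherwise the filter must name the
    audit log family.
    """
    for sink in sinks:
        if sink.get("destination", "").endswith("/_Default"):
            continue
        flt = sink.get("filter", "")
        if flt == "" or AUDIT_LOG_MARKER in flt:
            return True
    return False


def audit_project(enabled, covered, bucket, iam_policy, sinks) -> Dict[str, object]:
    """Run all checks and return findings keyed by control."""
    return {
        "uncovered_services": uncovered_services(enabled, covered),
        "public_bindings": public_bindings(iam_policy),
        "deletion_safeguards": deletion_safeguards(bucket),
        "audit_log_export": has_audit_log_export(sinks),
    }


if __name__ == "__main__":
    for control, result in audit_project(ENABLED_SERVICES, BAA_COVERED_SERVICES,
                                         PHI_BUCKET, PHI_BUCKET_IAM, LOG_SINKS).items():
        print(f"{control}: {result}")
```

Each function reads one piece of exported project state, so the same checks can be run against real `gcloud` JSON by loading the files in place of the constructed samples; a non-empty finding list (or `audit_log_export` of `False`) marks a control the covered entity still has to fix.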

While the Google Cloud Platform can be HIPAA compliant, healthcare organizations can easily violate HIPAA Rules using Google’s or any other provider’s platform.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.