Is Google Cloud Platform HIPAA Compliant?
Google Cloud Platform is HIPAA compliant for “covered products”, provided the products are configured to support HIPAA compliance and organizations accept the terms of Google’s Business Associate Addendum – including those that relate to the Google Cloud Platform Shared Responsibility Model.
The Google Cloud Platform is one of the leading cloud service providers for the healthcare industry due to its easy integration with other Google services (e.g., Google Workspace), strong data analytics capabilities, and price competitiveness. The platform also supports more open source integrations than its competitors, which may prove useful as CMS accelerates its drive towards interoperability.
When Google Cloud Platform products are used to create, collect, store, or transmit Protected Health Information (PHI), the products used must be capable of protecting the confidentiality, integrity, and availability of PHI. Not all Google Cloud Platform products have adequate capabilities to protect PHI, so Google separates those that do and refers to them as “covered products”.
The list of covered products is extensive and includes most products and services covered entities and business associates will use to create, collect, store, or transmit PHI (e.g., Cloud Storage, Compute Engine, Cloud SQL, App Engine). However, before they can be used for these activities, the products must be configured to support HIPAA compliance and organizations must accept the terms of Google’s Business Associate Addendum. Using a product that is not on the covered list for PHI, or a covered product before the Addendum is in place, leaves the organization without a BAA for that processing.
The Google Cloud Platform Shared Responsibility Model
Making Google Cloud Platform HIPAA compliant is a shared responsibility between organizations and Google, with the degree of responsibility for each product determined by whether the product is an infrastructure product (IaaS), a platform product (PaaS), or a software product (SaaS); the further down the stack a product sits, the more of the configuration falls to the customer. In most cases Google is responsible for the security of the cloud (the physical facilities, network, and underlying services), whereas organizations are responsible for security in the cloud (how those services are configured, who is granted access, and how PHI is handled within them).
To help organizations configure the covered products to make Google Cloud Platform HIPAA compliant, a HIPAA Compliance on Google Cloud web page makes twenty-eight best practice recommendations. The recommendations do not include every covered product, but applying the suggested best practices will help covered entities and business associates develop a more secure and compliant Google Cloud environment.
The Google Cloud Platform HIPAA Compliant BAA
The Google Cloud Platform HIPAA compliant BAA is a Business Associate Addendum to the Google Cloud Terms of Service rather than a separate Business Associate Agreement because many customer responsibilities for protecting the privacy and security of PHI are covered by the Terms of Service. The Business Associate Addendum usually adds additional clauses to comply with §164.504(e) of the Privacy Rule and §164.314(a) of the Security Rule.
However, unlike the BAA for Google Workspace, there is no one-size-fits-all Google Cloud Platform HIPAA compliant BAA. To enter into a Google Cloud Platform BAA, system administrators must request a copy from their account manager. This has to be done before any covered product is used to create, collect, store, or transmit PHI. Organizations with questions about the process should speak with their account manager or seek independent compliance advice.