
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Google Forms HIPAA Compliant?

Google Forms is HIPAA compliant and can be used to create, receive, maintain, or transmit Protected Health Information provided the organization subscribes to an appropriate Google Workspace or Cloud Identity package and signs Google’s Business Associate Addendum.

Google Forms is a convenient web-based service for creating surveys, gathering feedback from customers, and analyzing the results. When healthcare organizations use it to collect, store, or share Protected Health Information, however, they need to know how to make Google Forms HIPAA compliant.

Google Forms Does Not Support HIPAA Compliance by Default

Google Forms does not, by default, support HIPAA compliance. This is because the service is part of the productivity suite within Google Drive which, unless included in a Google Workspace or Cloud Identity package, does not include the capabilities required to comply with the technical safeguards of the Security Rule.

This does not mean Covered Entities and Business Associates cannot use Google Forms outside of a Workspace or Cloud Identity account. Provided the service is not used to collect, store, or share Protected Health Information (PHI), there is no requirement for Google Forms – or any other productivity service – to be HIPAA compliant.


However, if the service is used to collect, store, or share PHI, it is necessary to make Google Forms HIPAA compliant by subscribing to an appropriate Google Workspace or Cloud Identity package, entering into a Business Associate Agreement with Google, configuring the service to comply with HIPAA, and training members of the workforce on the compliant use of Google Forms.

Select the Correct Workspace Package

Although all premium Cloud Identity packages support HIPAA compliance inasmuch as the packages include the capabilities required to comply with the technical safeguards of the Security Rule, this is not the case with all Workspace packages. There are also limits with some Workspace packages on the maximum number of licenses allowed.

Covered Entities and Business Associates may also want to consider which Workspace services they wish to use in addition to Google Forms and what security measures should be included in these services. For example, Data Loss Prevention – which prevents sensitive data being shared with external “guests” – is only included in the Workspace Enterprise package.

Sign the Business Associate Addendum

Google does not enter into Business Associate Agreements with Covered Entities, but instead offers a Business Associate Addendum for “Core Services”. Google’s Core Services include most Workspace productivity services – including Google Forms. Although anyone can review the Business Associate Addendum, only users with administrator privileges are able to electronically sign the document.

Unlike the BAA offered by some other cloud service providers, there are no contentious clauses in Google’s Business Associate Addendum. Nonetheless, Covered Entities and Business Associates should make sure they read and understand the clauses relating to Applicability and Customer Obligations, as a violation of these clauses will invalidate the Addendum.

Configure the Service to be Compliant

Not many configuration changes are required to make Google Forms HIPAA compliant. Generally, system administrators only need to set file sharing permissions to prevent forms containing PHI from being shared with external domains and set the default file visibility setting to “Private to the Owner”. It is also possible – but not necessary – to restrict form sharing between individual or Shared Drives.

Probably the biggest challenges to making Google Forms HIPAA compliant are ensuring that any other services integrated with Google Forms are also HIPAA compliant (e.g., Google Sheets), setting up Administrator Notifications for when unusual activity is detected, and creating Data Loss Prevention policies that stipulate what types of sensitive data can be shared, and with whom.
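One way for an administrator to verify the sharing restrictions described above is to audit the permissions on every Google Form in the domain. The script below is an added example, not code from The HIPAA Journal or from Google; it assumes the organization's Workspace domain is `clinic.example` and takes as input the file metadata that the Drive API v3 `files.list` call returns with `fields="files(id,name,permissions)"`, which is constructed inline here so the check runs offline.

```python
# Added example: flag Google Forms whose sharing settings fall outside the
# organization's domain (external accounts, external domains, or link sharing).
# Input mirrors Drive API v3 file resources with their "permissions" list.

INTERNAL_DOMAIN = "clinic.example"  # assumption: the Workspace primary domain

# Drive API v3 query that selects Google Forms that are not in the trash.
FORMS_QUERY = "mimeType='application/vnd.google-apps.form' and trashed=false"


def sharing_findings(file_meta, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a single form's sharing is non-compliant ([] if none)."""
    findings = []
    for perm in file_meta.get("permissions", []):
        ptype = perm.get("type")
        if ptype == "anyone":
            findings.append("shared with anyone who has the link")
        elif ptype == "domain" and perm.get("domain", "").lower() != internal_domain:
            findings.append(f"shared with external domain {perm.get('domain')}")
        elif ptype in ("user", "group"):
            email = perm.get("emailAddress", "").lower()
            if not email.endswith("@" + internal_domain):
                findings.append(f"shared with external account {email or '<unknown>'}")
    return findings


def audit_forms(files, internal_domain=INTERNAL_DOMAIN):
    """Map form id -> list of findings, only for forms with at least one finding."""
    report = {}
    for f in files:
        reasons = sharing_findings(f, internal_domain)
        if reasons:
            report[f["id"]] = reasons
    return report


# Constructed sample: what files.list might return for four forms.
SAMPLE_FILES = [
    {"id": "form-1", "name": "Intake survey", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "nurse@clinic.example"}]},
    {"id": "form-2", "name": "Patient feedback", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "admin@clinic.example"},
        {"type": "anyone", "role": "reader"}]},
    {"id": "form-3", "name": "Referral form", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr@clinic.example"},
        {"type": "user", "role": "writer", "emailAddress": "someone@gmail.example"}]},
    {"id": "form-4", "name": "Billing questions", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "billing@clinic.example"},
        {"type": "domain", "role": "reader", "domain": "partner.example"}]},
]

if __name__ == "__main__":
    for form_id, reasons in audit_forms(SAMPLE_FILES).items():
        print(form_id, "->", "; ".join(reasons))
```

In production the `SAMPLE_FILES` list would be replaced by paginated `files.list(q=FORMS_QUERY, ...)` results fetched with an admin's Drive credentials; the checking logic is unchanged.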

Train Users to Use Forms Compliantly

The final step to making Google Forms HIPAA compliant is to train members of the workforce on how to use Forms compliantly. In most cases, if the service has been configured properly, the potential for most violations will have been eliminated. However, explaining to users why controls have been put in place may be necessary to prevent attempts to circumvent the controls.

Because members of the workforce may have discretion over how visible forms and folders are, as well as the editing and sharing capabilities of collaborators, it is important to alert users to the risk from phishing and to recommend that users refrain from putting PHI in the titles of forms and folders. Note: this training can be integrated into mandatory security and awareness HIPAA training.

Is Google Forms HIPAA Compliant? Conclusion

Google Forms can be HIPAA compliant if an organization subscribes to an appropriate Google Workspace or Cloud Identity package, signs Google’s Business Associate Addendum, configures Google Forms to comply with the technical safeguards of the Security Rule, and trains members of the workforce on the compliant use of the service.

While the majority of Covered Entities and Business Associates may have the resources to make Google Forms HIPAA compliant without external assistance, some organizations may not. If your organization encounters challenges selecting an appropriate package, understanding the terms of Google’s Business Associate Addendum, configuring the service, or training members of the workforce, it is advisable to seek professional compliance advice.

Is Google Forms HIPAA Compliant? FAQs

Is it possible to use Google Forms via a personal Google account?

It is possible to use Google Forms via a personal account provided the service is not used to collect, store, or share PHI. If a HIPAA-covered organization wants to use Google Forms to collect, store, or share PHI, it will be necessary to use a Workspace or Cloud Identity account with the necessary safeguards implemented and configured to comply with the HIPAA Security Rule.

Why are some Workspace packages not appropriate for sharing PHI?

Some Workspace packages are not appropriate for sharing PHI because they lack security measures such as access control management and audit logs. While these shortcomings can be overcome by subscribing to add-on services, it may be worth upgrading to a more complete package to simplify administration and save overall costs.

Does Google provide advice on making Google Forms HIPAA compliant?

Google provides advice on making Google Forms HIPAA compliant in the Google Workspace and Cloud Identity HIPAA Implementation Guide (PDF). The Guide not only covers Google Forms. It also provides advice for other Core Services, explains how to separate user access within the same domain, and describes how to integrate third party apps, systems, and databases compliantly.

What Core Services are covered by Google’s Business Associate Addendum?

The Core Services covered by Google’s Business Associate Addendum are Google Calendar, Chat, Cloud Identity Management, Drive (including Docs, Sheets, Slides, and Forms), Gmail, Google Cloud Search, Groups, Jamboard, Keep, Meet, Sites, Tasks, Vault, and Voice. Any other service provided by Google should not be used to collect, store, or share PHI.

What is the penalty for not using Google Forms in compliance with HIPAA?

The penalty for not using Google Forms in compliance with HIPAA depends on the nature of the violation and its consequences. A minor violation will likely result in an internal sanction. However, a serious violation that results in an impermissible disclosure of unsecured PHI will have to be reported to HHS’ Office for Civil Rights, which can impose a number of penalties for HIPAA violations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
