Google Forms is a convenient tool for creating surveys and gathering feedback from customers, but is it suitable for use by healthcare organizations? Is Google Forms HIPAA compliant, or is its use likely to be a violation of HIPAA Rules?
Before any cloud-based service can be used by HIPAA covered entities or their business associates in connection with PHI, it is first necessary to enter into a business associate agreement with the service provider. Without a business associate agreement in place, use of the service would be considered a HIPAA violation.
Google and Business Associate Agreements with HIPAA Covered Entities
Google is prepared to enter into a business associate agreement with HIPAA covered entities and their business associates and offers its own BAA in which Google provides satisfactory assurances – as required by HIPAA – that the Privacy, Security, and Breach Notification Rule requirements will be followed. The BAA does not cover all Google services, but Google Drive – of which Google Forms is part – is covered by the BAA.
Obtaining a BAA from a service provider is only one part of the requirements of HIPAA. HIPAA covered entities and their business associates should also assess the security controls in place and should conduct a risk analysis to determine risks to the confidentiality, integrity, and availability of PHI. Any risks identified must be subjected to a risk management process and reduced to an appropriate and acceptable level.
The use of any cloud-based service is potentially risky, so care should be taken to ensure that appropriate controls are in place to prevent unauthorized access and disclosures. This is explained quite clearly in Google’s HIPAA Implementation Guide.
Google explains that care should be taken when configuring the privacy settings of any element of Google Drive (Forms, Docs, Sheets, and Slides) to limit the individuals who can access the data; the same applies when inserting Google Drive content into a website.
Is Google Forms HIPAA Compliant?
No software solution can be truly HIPAA compliant, as HIPAA compliance depends on the actions of users. However, Google does support HIPAA compliance and Google Forms is covered by its business associate agreement. Therefore, Google Forms can be considered a HIPAA compliant solution that is suitable for use in healthcare.