Google to Sign BAA to Make its Apps HIPAA Compliant
Many healthcare organizations were unwilling to use Google Apps because, under the updated HIPAA regulations, Google would be required to sign a Business Associate Agreement (BAA), something the internet giant had so far declined to do. Google has now agreed to remove this barrier and sign a BAA for the first time, making it possible to use the covered Apps in a HIPAA-compliant manner. This is expected to lead more healthcare organizations to take advantage of the services it offers.
The Health Insurance Portability and Accountability Act of 1996 requires healthcare organizations to restrict access to electronic health records and identifiable information. Healthcare organizations are accountable for any data breaches, accidental or deliberate, and the disclosure of individually identifiable health information (IIHI) and protected health information (PHI) to any unauthorized individual.
Protected information includes the names and contact details of patients, their health information, financial details relating to services received and medical insurance information.
Under HIPAA regulations, if any of this data needs to be shared with a third party in order for a service to be provided, that entity must sign a Business Associate Agreement in which it agrees to abide by HIPAA regulations and take the necessary precautions to protect the data. This applies both to individuals who require access to the data and to software that touches the data.
Certain Google Apps potentially have access to ePHI, so using them without a signed business associate agreement would violate HIPAA regulations. In the case of Google Apps, the BAA Google has agreed to sign covers Google Drive, Google Calendar and Gmail, in addition to the Vault service that these Apps use to archive old data.
The BAA has been integrated into the sign-up process for convenience. When signing up, an administrator of the Google Apps domain is required to answer three questions:
Are you a Covered Entity (or Business Associate of a Covered Entity) under HIPAA?
Will you be using Google Apps in connection with Protected Health Information?
Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?
If the answers indicate that a BAA is appropriate, the BAA document is generated and opened in Adobe EchoSign so that it can be digitally signed.
It is important that the BAA is read carefully and fully understood before it is signed, and that the organization does not assume that signing this document makes it HIPAA compliant. Google's commitment to take the appropriate precautions on its side does not remove the healthcare organization's own obligation to implement further controls to protect the data. Gmail may be covered by the BAA, but the actions of users can still cause a HIPAA violation.
HIPAA covered entities must implement further controls to ensure ePHI and IIHI are always kept secure. Strong passwords must be required, two-step verification must be enabled, and user permissions must be set to restrict access on a need-to-know basis. A host of other IT security measures must also be implemented. Adopting these Google services also demands an update of HIPAA policies and procedures and of staff training.
It is important to reiterate that only the Google services named above are covered by this new agreement, and the use of any other Google service with PHI would potentially be a HIPAA violation. This is clearly stated in Google's BAA: all other Google services must be disabled for the domain, and Gmail, Drive and Calendar are not permitted to be used with marketplace apps. Such add-ons remain off limits for organizations storing PHI unless they are covered by a separate HIPAA-compliance program (Cloudlock, for example).