HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Google to Sign BAA to Make its Apps HIPAA Compliant

Many healthcare organizations were unwilling to use Google Apps because, under the updated HIPAA regulations, Google would be required to sign a Business Associate Agreement (BAA), something the internet giant had until now declined to do. Google has agreed to remove this barrier and sign a BAA for the first time, allowing the covered Apps to be used with protected health information under HIPAA. This is expected to lead more healthcare organizations to take advantage of the services it offers.

The Health Insurance Portability and Accountability Act of 1996 requires healthcare organizations to restrict access to electronic health records and identifiable information. Healthcare organizations are accountable for any data breaches, accidental or deliberate, and the disclosure of individually identifiable health information (IIHI) and protected health information (PHI) to any unauthorized individual.

Protected information includes the names and contact details of patients, their health information, financial details relating to services received and medical insurance information.

Under HIPAA regulations, if any of this data needs to be shared with a third party in order for a service to be provided, that entity must sign a Business Associate Agreement in which it agrees to abide by HIPAA regulations and take the necessary precautions to protect the data. This applies both to individuals who require access to the data and to software that touches the data.


Certain Google Apps potentially have access to ePHI, so using them without a signed Business Associate Agreement would violate HIPAA regulations. In the case of Google Apps, the BAA Google has agreed to sign covers Google Drive, Google Calendar and Gmail, in addition to the Vault service that is used by these Apps to archive old data.

The BAA has been integrated into the sign-up process for convenience. When signing up, an administrator of the Google Apps domain is required to answer three questions:

  1. Are you a Covered Entity (or Business Associate of a Covered Entity) under HIPAA?

  2. Will you be using Google Apps in connection with Protected Health Information?

  3. Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?

If the responses indicate that a BAA is appropriate, the BAA document is generated and opened in Adobe EchoSign so that it can be signed electronically.

It is important that the BAA is read carefully and fully understood before it is signed, and that no one assumes signing this document alone makes the organization HIPAA compliant. Although Google agrees to take appropriate precautions on its side, healthcare organizations must still implement further controls of their own to protect data. Gmail may be covered by the BAA, but the actions of its users can certainly still cause a HIPAA violation.

HIPAA covered entities must implement further controls to ensure ePHI and IIHI are always kept secure. Strong passwords must be required, two-factor authentication employed, and user permissions set to restrict access on a need-to-know basis. A host of other IT security measures must also be implemented. Adopting these Google services also demands an update of HIPAA policies and procedures and of staff training.

It is important to reiterate that only the Google services named above are covered by this new agreement, and the use of any other Google service with PHI would potentially be a HIPAA violation. This is clearly stated in Google's BAA: all other Google services must be disabled, and Gmail, Drive and Calendar are not permitted to be used with Marketplace apps. Such apps remain off limits for organizations storing PHI unless they are covered by a separate HIPAA compliance program already in use (CloudLock, for example).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.