Google Cloud Platform (GCP) is a set of physical assets, such as computers and hard disk drives, and virtual resources, such as virtual machines (VMs), contained in Google’s data centers around the globe within various regions and zones. Google Cloud also provides services that emulate the physical hardware and software products that can be resources for users.
Many businesses have embraced Google Cloud because of its convenience and reliability. But healthcare practices and the business associates supporting them need to know: Is Google Cloud HIPAA Compliant?
What Makes a Software Tool HIPAA Compliant?
Regarding software, there are specific indications of the tool’s HIPAA compliance. Software HIPAA compliance boils down to two things. Does the tool have safeguards to keep patient data private and secure? Does the software provider sign business associate agreements?
When the answer to both of these questions is “yes,” the tool is likely HIPAA compliant. If the answer to either is “no,” the tool is not HIPAA compliant.
What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures that dictate proper uses and disclosures of PHI.
Physical safeguards like locks and alarm systems protect an organization’s physical location.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are essential, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. You should expect technical safeguards to include encryption, user authentication, access controls, and audit controls.
Why is a Business Associate Agreement Important?
Business associate agreements are a vital determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant is they will not sign a business associate agreement (BAA).
Why?
A BAA is a legal agreement that requires each signing party to be HIPAA compliant and be responsible for maintaining compliance. A BAA limits the liability for both signing parties in case of a breach or OCR audit, as only the negligent party would be held responsible.
Is Google Cloud HIPAA Compliant?
Google has an entire webpage devoted to HIPAA Compliance on the Google Cloud Platform. The page states that Google does offer a BAA to users and lists the security and technical standards of the platform. The Google Cloud BAA covers GCP’s entire infrastructure (all regions, all zones, all network paths, all points of presence), and the 117 services listed at the end of this article.
Based on the fact that GCP’s technical and security standards appear to meet the requirements of HIPAA and because Google does offer a BAA to GCP users, Google Cloud Platform seems to be HIPAA compliant.
Google Cloud Services in Scope for HIPAA
- Access Approval
- Access Context Manager
- Access Transparency
- Apigee
- Apigee Hybrid
- AI Platform Training and Prediction
- Anthos Config Management
- Anthos Service Mesh
- API Gateway
- App Engine
- Artifact Registry
- Assured Workloads
- Bare Metal Solution
- Cloud Asset Inventory
- Binary Authorization
- Cloud AI Notebooks
- Cloud Armor
- Cloud AutoML Natural Language
- Cloud AutoML Tables
- Cloud AutoML Translation
- Cloud AutoML Video
- Cloud AutoML Vision
- BigQuery
- BigQuery Data Transfer Service
- Cloud Bigtable
- Cloud Build
- Cloud CDN
- Cloud Console
- Cloud Composer
- Cloud Data Fusion
- Cloud Data Labeling Service
- Cloud Data Loss Prevention
- Cloud Dataflow
- Cloud Datalab
- Cloud Dataproc
- Cloud Datastore
- Cloud Debugger
- Cloud Deployment Manager
- Cloud DNS
- Cloud Endpoints
- Cloud Error Reporting
- Cloud Filestore
- Cloud Firestore
- Cloud Functions
- Cloud Healthcare API
- Cloud HSM
- Cloud Identity
- Cloud Identity and Access Management
- Cloud Identity-Aware Proxy
- Cloud IDS
- Cloud Interconnect
- Cloud IoT Core
- Cloud Key Management Service
- Cloud Life Sciences (formerly Google Genomics)
- Cloud Load Balancing
- Cloud Logging
- Cloud Memorystore
- Cloud Monitoring
- Cloud Natural Language API
- Cloud NAT
- Cloud Profiler
- Cloud Pub/Sub
- Cloud Resource Manager
- Cloud Router
- Cloud Run (fully managed)
- Cloud Run for Anthos
- Cloud Scheduler
- Cloud Shell
- Cloud Source Repositories
- Cloud Spanner
- Cloud Speech API
- Cloud SQL
- Cloud Service Consumer Management API
- Cloud Storage
- Cloud Storage Transfer Service
- Cloud Tasks
- Cloud Trace
- Cloud Translation API
- Cloud Text-to-Speech
- Cloud Video Intelligence API
- Cloud Vision API
- Cloud VPN
- Compute Engine
- Connect
- Contact Center AI
- Container Registry
- Database Migration Service
- Datastream
- Data Catalog
- Dialogflow
- Document AI
- Eventarc
- Google Cloud App
- Google Cloud VMware Engine (GCVE)
- Google Data Studio
- Google Service Control
- Google Service Management
- Hub
- Identity Platform
- Key Access Justifications (KAJ)
- Kubernetes Engine
- Managed Service for Microsoft Active Directory (AD)
- Network Service Tiers
- Persistent Disk
- Risk Manager
- reCAPTCHA Enterprise
- Secret Manager
- Security Command Center
- Service Directory
- Traffic Director
- Transfer Appliance Service
- Vertex AI (formerly AI Platform)
- Virtual Private Cloud (VPC)
- VPC Service Controls
- Web Security Scanner
- Workflows
- Google Data Studio
