Google Sheets is a web-based spreadsheet offered by Google within its Google Drive service. It was first released in 2007. The issue of Is Google Sheets HIPAA Compliant is discussed below.
How Can Google Sheets Become HIPAA Compliant?
If you are asking yourself “Is Google Sheets HIPAA Compliant?” then the issue of how Google Sheets is regulated by HIPAA must be addressed first. HIPAA regulations require covered entities to implement safeguards that ensure the confidentiality, integrity, and availability of PHI. Covered entities often require the services of a third party to perform functions involving PHI (or electronic protected health information, which is PHI that is produced, saved, transferred, or received in an electronic form). HIPAA designates these third parties as business associates. Such functions include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.
Google Sheets is a business associate. Even though Google does not look at the information a user uploads to Google Sheets, Google has the potential to access the information, and data containing PHI is stored on its servers. These facts render Google a business associate with whom a business associate agreement is required.
Will Google Sign a BAA with HIPAA Covered Entities for Google Sheets?
Google has stated that it will enter into a business associate agreement with covered entities for certain services.
Google Sheets is part of Google’s “G Suite.” G Suite services include Google Drive, Google Sheets, Google Docs, Google Slides, and Google Forms. All of these services can be covered under a business associate agreement.
Google explains in its “Terms and Conditions” that any HIPAA covered entity or business associate of a HIPAA covered entity that wishes to use G Suite in connection with any PHI, must enter into a BAA with Google before any of its services are used in connection with PHI.
Based on the Above, Is Google Sheets HIPAA Compliant?
Since Google offers a BAA for Google Sheets (indeed, requires one), Google Sheets is HIPAA compliant. This fact, however, does not relieve covered entities of their existing HIPAA obligations. Once the BAA has been signed, the covered entity must properly and correctly use Google Sheets in a HIPAA compliant manner. This means that covered entities must (among other things) ensure only authorized personnel have access to PHI stored in Google Sheets. Additionally, covered entities should adopt measures such as passwords, automatic logoff, and two-factor authentication, to ensure Google Sheets is used in a secure manner.
