Companies enter into agreements with Google for use of various Google products, including G Suite, G Suite for Education, and G Suite for Government. These agreements govern the terms of use – what users may and may not use these applications for. For its G Suite, G Suite for Education, and G Suite for Government products, Google also provides a separate business associate agreement (BAA). This agreement, which Google enters into with HIPAA covered entities, obligates Google to implement appropriate safeguards to protect protected health information (PHI). Since the business associate agreement is itself an amendment to the “regular” agreement between Google and a provider, Google refers to the business associate agreement as a HIPAA Business Associate Amendment. The features of a HIPAA business associate amendment are discussed below.
What are a Covered Entity’s Obligations under the HIPAA Business Associate Amendment?
Since the term “HIPAA Business Associate Amendment” is simply another name for “Business Associate Agreement,” a provider’s rights and responsibilities under the HIPAA business associate amendment are the same as those under a regular business associate agreement.
For Google to enter into a HIPAA business associate amendment with a provider, that provider must first have an existing agreement in place with Google. Once the agreement is in place, Google will enter into the amendment, provided that a provider represents:
◈ That the provider, through whoever signs the agreement (e.g., CEO, CIO, COO), has the authority to bind the business to the terms of the agreement;
◈ That the provider has read and understood the terms of the business associate amendment; and
◈ That the provider agrees to the terms of the agreement.
If (and only if) a provider agrees to these terms, Google will enter into the business associate amendment.
The business associate amendment requires that a provider not request that Google use or disclose PHI in any manner that would not be permissible under HIPAA if done by the covered entity itself (unless otherwise expressly permitted under HIPAA for a business associate).
In addition, the provider must make use of the available security controls provided by Google. Finally, the agreement requires that the provider not transfer PHI from one Google product to another, except when Google has expressly entered into a separate HIPAA business associate agreement for use of such Google services.
In turn, Google may only use and disclose PHI as permitted under HIPAA, and as outlined in the main agreement and the business associate amendment. Google may also, as permitted by HIPAA, use and disclose PHI for the proper management and administration of Google’s business and to carry out Google’s legal responsibilities. Google will only disclose PHI for these purposes if the disclosure is:
◈ Required by law; or
◈ Made after Google obtains reasonable written assurances from the person to whom the PHI will be disclosed that the PHI will be held in confidence, used only for the purpose for which it was disclosed, and that Google will be notified of any breach.