Google Cloud and HIPAA Compliance

This post was last updated on April 28th, 2020

Google Cloud HIPAA Compliance

Can Google’s Cloud Platform be deemed HIPAA compliant, or can Google’s Cloud Platform serve as an ideal alternative to AWS and Azure for healthcare groups?

The use of cloud platforms by healthcare groups has grown tremendously, with the value of the healthcare cloud computing market calculated at $4.65 billion in 2016. This figure is predicted to rise to more than $14.76 billion by 2022.

Will Google Complete a Business Associate Agreement that covers its Cloud Platform?

The Omnibus Rule was enacted in September 2013, and since that time, Google has been completing Business Associate Agreements (BAAs) with HIPAA covered entities for G-Suite. Consequently, Google extended its BAA to include the Google Cloud Platform.

Currently, Google’s BAA covers most of its cloud services, including Cloud Storage, Compute Engine, Cloud SQL for PostgreSQL, Cloud SQL for MySQL, Container Registry, Kubernetes Engine, BigQuery, Cloud Dataproc, Cloud Translation API, Cloud Pub/Sub, Cloud Bigtable, Cloud Dataflow, Stackdriver Logging, Cloud Speech API, Genomics, Cloud Machine Learning Engine, Cloud Datalab, Stackdriver Debugger, Stackdriver Trace, Stackdriver Error Reporting, Cloud Data Loss Prevention API, Cloud Natural Language, Cloud Load Balancing, Google App Engine, Cloud Vision API, Cloud Spanner and Cloud VPN.

In 2016, Google worked with the backend mobile service provider Kinvey, subsequently resulting in the availability of mBaaS on Google Cloud. Connectors to electronic health record systems that support healthcare apps are linked to mBaaS.

Is the Google Cloud Platform HIPAA Compliant?

Since Google will complete a BAA with all HIPAA covered entities, does this mean that its Google Cloud Platform is defined as HIPAA compliant?

HIPAA has one overarching demand, and that is the BAA. It usually means that Google’s data and security protection mechanisms have been reviewed and found to have surpassed the minimum requirements of the HIPAA Security Rule. Most healthcare organizations use HIPAA-compliant eSignature solutions for patient onboarding and document signing.

This also means that the cloud services Google provides meet the Privacy Rule requirements, and Google is aware of its responsibilities as a HIPAA business associate. Due to this, it agrees to provide HIPAA-compliant and secure infrastructure for the processing and storage of Protected Health Information (PHI).

Nonetheless, it is the responsibility of healthcare establishments to adhere to all the HIPAA rules when using the Google Cloud Platform. Likewise, they should see to it that their cloud-based applications and infrastructure are set up and secured correctly.

The covered entities are responsible for turning off any Google services that the business associate agreement does not include, managing the setup to avoid accidental deletion of data, ensuring access controls are implemented carefully, checking audit logs constantly, and setting all audit log export destinations. Moreover, care must be taken when uploading any PHI to the cloud to ensure it is adequately secured and that the PHI is not shared with unauthorized persons by mistake.
