Getting HIPAA Compliant in Google Cloud Platform
Is Google’s Cloud Platform HIPAA compliant? Likewise, is Google’s Cloud Platform ideal as an alternative to AWS and Azure for healthcare organizations? In this post, we are going to determine if Google’s Cloud Platform is HIPAA compliant, plus whether healthcare organizations can make use of it to host infrastructure, build applications and store files that contain protected health information.
Presently, the use of cloud platforms by healthcare organizations has increased tremendously, with the value of the healthcare cloud computing market being estimated to be $4.65 billion in 2016. This figure is expected to increase by 2022 to more than $14.76 billion.
Will Google Sign a Business Associate Agreement that covers its Cloud Platform?
The Omnibus Rule came into effect in September 2013, and since then Google has signed Business Associate Agreements (BAAs) with HIPAA covered entities for G Suite. Google subsequently expanded its BAA to include the Google Cloud Platform.
Currently, Google’s BAA covers the majority of its cloud services, including Cloud Storage, Compute Engine, Cloud SQL for PostgreSQL, Cloud SQL for MySQL, Container Registry, Kubernetes Engine, BigQuery, Cloud Dataproc, Cloud Translation API, Cloud Pub/Sub, Cloud Bigtable, Cloud Dataflow, Stackdriver Logging, Cloud Speech API, Genomics, Cloud Machine Learning Engine, Cloud Datalab, Stackdriver Debugger, Stackdriver Trace, Stackdriver Error Reporting, Cloud Data Loss Prevention API, Cloud Natural Language, Cloud Load Balancing, Google App Engine, Cloud Vision API, Cloud Spanner and Cloud VPN.
In 2016, Google partnered with the backend mobile service provider Kinvey, subsequently leading to the availability of mBaaS on Google Cloud. Connectors to electronic health record systems that support healthcare apps are integrated into mBaaS.
Is the Google Cloud Platform HIPAA Compliant?
Since Google will sign a BAA with all HIPAA covered entities, does this mean that its Google Cloud Platform is HIPAA compliant?
HIPAA has one overarching requirement, and that is the BAA. A signed BAA means that Google’s data and security protection mechanisms have been assessed and found to meet or exceed the minimum requirements of the HIPAA Security Rule. It also means that the cloud services Google offers meet the Privacy Rule requirements, and that Google understands its responsibilities as a business associate under HIPAA. Google therefore agrees to offer secure, HIPAA-compliant infrastructure for the processing and storage of Protected Health Information (PHI).
Nevertheless, it remains the responsibility of healthcare organizations to ensure that all HIPAA rules are being followed when they use the Google Cloud Platform. Likewise, they must ensure their cloud-based applications and infrastructure are configured and secured correctly.
Covered entities are responsible for disabling any Google services that the business associate agreement does not cover, configuring their environment to prevent accidental deletion of data, implementing access controls carefully, reviewing audit logs regularly and setting all audit log export destinations. Moreover, care must be taken when uploading any PHI to the cloud to ensure it is adequately secured and is not accidentally shared with unauthorized persons.