Guide to HIPAA Compliance with Google Apps
HIPAA compliance is nothing new, but the way protected health information is stored, accessed, and shared is rapidly evolving. It wasn't long ago that most health records were kept on clipboards and in file folders lining the walls of doctors' offices, labs, hospitals, and the like. This setup still isn't completely uncommon, but since the early 2000s there has been a sweeping trend to enter this information into software and store it electronically.
HIPAA & The Cloud
Early on, these were on-premises systems, installed locally and managed internally. As technology has progressed, many health organizations are now choosing to outsource it all and go with cloud-based (Internet-based) software. Cloud-based software brings many benefits -- low upfront costs, increased reliability, better features, and scalability -- but it also introduces a third party into the management of protected health information (PHI).
In order to ensure that PHI is safeguarded, the HIPAA rules require that you establish a Business Associate Agreement (BAA) with certain third parties who are exposed to PHI. It was previously debated whether cloud software providers fall into this category, but the Omnibus Rule, published in January 2013, has expanded the definition of a business associate:
We have modified the definition of "business associate" to generally provide that a business associate includes a person who "creates, receives, maintains, or transmits" [emphasis added] protected health information on behalf of a covered entity.
There's still some ambiguity here, but with the addition of "maintains," it's safe to assume that the vast majority of cloud software providers fall into this definition and are thus required to maintain strict HIPAA compliance. This also means that you, the Covered Entity, must only use cloud software providers that will sign a BAA.
HIPAA Compliance with Google Apps
"Security First" has been a Google motto since the early days of Google Apps. In this effort they have been proactive about achieving security certifications such as FISMA, ISO 27001, and SSAE 16. As of September 2013, Google Apps provides BAAs for organizations on the Business, Education, and Government editions (note: the Standard or "free" editions currently cannot obtain a BAA from Google). To further understand how Google Apps handles security and privacy, you can reference the security and privacy section of the Google Apps help center.
Getting Your BAA from Google
It's important to understand that the BAA does not cover all applications. The Google BAA covers the following core services:
- Vault (add-on service)
Other Google Apps applications, such as Picasa and Blogger, and third-party Google Apps Marketplace applications are not covered by this agreement and must be disabled.
In order to request a BAA from Google, you need to do the following:
- Have Administrator permission on the Google Apps admin console
- Answer the initial questionnaire, located here
- Read and electronically sign the online BAA
Typically, after submission you'll get an email response within 15 to 20 days. It will include more details about your request as well as documentation related to the HIPAA compliance process.