I'm trying to understand the implications of Google's announcement that its cloud services are now HIPAA compliant...
under the new Omnibus Rule. Does that mean organizations can offload HIPAA-relevant data to Google and no longer have to worry about compliance?
Google announced that some of its cloud services -- including Google Apps Vault, Gmail, Google Calendar, Google Drive and Google Docs -- are now HIPAA-compliant and may be used by HIPAA covered entities and business associates for the storage, processing and transmission of electronic protected health information (ePHI). If a company intends to follow this route, there are a few things that it should keep in mind.
First, choosing a HIPAA-compliant service provider does not automatically make a company HIPAA compliant. Google's assertion is that their services may be used in a HIPAA-compliant environment. Enterprises still need to develop and implement their own HIPAA compliance program and ensure that all of their activities meet HIPAA requirements.
Second, if your company chooses to use Google services for ePHI, it must enter into a Business Associate Agreement (BAA) with Google. This is a HIPAA requirement and, if it's not done, the company will not be compliant with HIPAA. To enter into a BAA, submit a request to Google using an administrator account for a Google Apps for Business, Education or Government domain.
Finally, Google will only sign BAAs covering certain Google services. Either disable other services or ensure that they will not be used for ePHI. This is your organization's responsibility. The services covered by Google BAAs include the HIPAA-compliant Gmail, Google Calendar, Google Drive/Docs and Google Apps Vault.
Ask the author:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
For more advice on staying HIPAA-compliant in the cloud, see this article.
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.