Google Cloud & HIPAA Compliance
Healthcare organizations are increasingly adopting cloud platforms. The healthcare cloud computing market was valued at $4.65 billion in 2016 and is expected to grow to over $14.76 billion by 2022.
Amazon Web Services remains the dominant platform with a market share of 62% according to KeyBlanc, with Microsoft Azure second at 20%, but Google is catching up with a market share of around 12%.
Amazon and Microsoft both provide platforms that support HIPAA compliance, but what about Google? Is the Google Cloud Platform HIPAA compliant?
Will Google Complete a Business Associate Agreement in relation to its Cloud Platform?
Since the Omnibus Rule became enforceable in September 2013, Google has been signing business associate agreements with HIPAA-covered entities for G Suite, and in early 2014 Google extended its BAA to include the Google Cloud Platform.
Google’s BAA now covers most of its cloud services, including Compute Engine, Cloud Storage, Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud Dataproc, Genomics, BigQuery, Kubernetes Engine, Container Registry, Cloud Dataflow, Cloud Bigtable, Cloud Pub/Sub, Cloud Translation API, Cloud Speech API, Stackdriver Logging, Stackdriver Error Reporting, Stackdriver Trace, Stackdriver Debugger, Cloud Datalab, Cloud Machine Learning Engine, Cloud Natural Language, Cloud Data Loss Prevention API, Cloud Vision API, Google App Engine, Cloud Load Balancing, Cloud VPN, and Cloud Spanner.
Additionally, in 2016 a partnership between Google and the mobile backend-as-a-service provider Kinvey made Kinvey's mBaaS available on Google Cloud. The mBaaS includes connectors to electronic health record systems to support healthcare applications.
Can the Google Cloud Platform be deemed HIPAA Compliant?
Signing a BAA satisfies only one HIPAA obligation. It means that Google has had its security and data protection mechanisms reviewed and found to exceed the minimum requirements of the HIPAA Security Rule, that the cloud services it provides also meet Privacy Rule requirements, and that Google acknowledges its responsibilities as a HIPAA business associate. Google agrees to supply a secure, HIPAA-compliant infrastructure for the storage and processing of PHI.
However, the BAA is a contract that allocates responsibility, not a certification that every deployment on the platform is compliant. It remains the responsibility of healthcare organizations to ensure that HIPAA Rules are followed when using the Google Cloud Platform and that their cloud-based infrastructure and applications are correctly configured and properly secured.
Covered entities are responsible for turning off all Google services not covered by their business associate agreement, putting careful access controls in place, configuring controls to prevent accidental data deletion, configuring audit log export destinations, and reviewing audit logs regularly. Care must also be taken when uploading PHI to the cloud to ensure it is properly secured and is not accidentally shared with unauthorized individuals.
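As an added example, not Google's tooling and not part of the original article, the following Python script applies three of the checks above to constructed JSON shaped like the output of `gcloud services list --enabled --format=json`, `gcloud logging sinks list --format=json`, and the Cloud Storage bucket resource returned by `gcloud storage buckets describe`. The BAA-covered API identifiers are an assumed, partial mapping of a few of the products named earlier; a covered entity must maintain that allow-list from the BAA it actually signed, not from this example.

```python
"""Flag enabled GCP APIs not on the organization's BAA allow-list, confirm that
Cloud Audit Logs are exported out of the default log bucket, and check that a
PHI bucket has deletion safeguards. Example code, not Google's own tooling."""
import json

# ASSUMPTION: API identifiers for a handful of BAA-covered products. The real
# list must be taken from the current BAA; this set is illustrative only.
BAA_COVERED_APIS = {
    "compute.googleapis.com",
    "storage-api.googleapis.com",
    "sqladmin.googleapis.com",
    "bigquery.googleapis.com",
    "container.googleapis.com",
    "pubsub.googleapis.com",
    "logging.googleapis.com",
}

# Constructed sample shaped like `gcloud services list --enabled --format=json`.
SAMPLE_SERVICES_JSON = json.dumps([
    {"config": {"name": "compute.googleapis.com", "title": "Compute Engine API"}},
    {"config": {"name": "sqladmin.googleapis.com", "title": "Cloud SQL Admin API"}},
    {"config": {"name": "maps-backend.googleapis.com", "title": "Maps JavaScript API"}},
    {"config": {"name": "youtube.googleapis.com", "title": "YouTube Data API v3"}},
])

# Constructed sample shaped like `gcloud logging sinks list --format=json`.
SAMPLE_SINKS_JSON = json.dumps([
    {"name": "_Default",
     "destination": "logging.googleapis.com/projects/example/locations/global/buckets/_Default",
     "filter": "NOT LOG_ID(\"cloudaudit.googleapis.com/activity\")"},
    {"name": "audit-export",
     "destination": "storage.googleapis.com/example-audit-logs",
     "filter": "logName:\"cloudaudit.googleapis.com\""},
])

# Constructed sample shaped like a Cloud Storage bucket resource. The retention
# period is six years in seconds, matching HIPAA's documentation retention rule.
SAMPLE_BUCKET_JSON = json.dumps({
    "name": "example-phi-bucket",
    "versioning": {"enabled": True},
    "retentionPolicy": {"retentionPeriod": "189345600", "isLocked": False},
})


def uncovered_services(services_json, covered=BAA_COVERED_APIS):
    """Return the enabled API names that are absent from the BAA allow-list."""
    enabled = {svc["config"]["name"] for svc in json.loads(services_json)}
    return sorted(enabled - covered)


def disable_commands(api_names):
    """Return the gcloud commands an admin would run to turn off flagged APIs
    (returned as strings, never executed here)."""
    return [f"gcloud services disable {name}" for name in api_names]


def audit_export_sinks(sinks_json):
    """Return names of sinks that select Cloud Audit Logs AND send them somewhere
    other than the project's _Default log bucket (i.e. a real export)."""
    found = []
    for sink in json.loads(sinks_json):
        selects_audit = "cloudaudit.googleapis.com" in sink.get("filter", "")
        leaves_default = not sink["destination"].endswith("/buckets/_Default")
        if selects_audit and leaves_default:
            found.append(sink["name"])
    return found


def deletion_guard_gaps(bucket_json):
    """Return the missing safeguards against accidental deletion on a bucket.
    An empty list means object versioning is on and a locked retention policy
    prevents deleting or overwriting objects before the period ends."""
    bucket = json.loads(bucket_json)
    gaps = []
    if not bucket.get("versioning", {}).get("enabled"):
        gaps.append("versioning")
    policy = bucket.get("retentionPolicy")
    if not policy:
        gaps.append("retentionPolicy")
    elif not policy.get("isLocked"):
        gaps.append("retentionPolicy.isLocked")
    return gaps


if __name__ == "__main__":
    extra = uncovered_services(SAMPLE_SERVICES_JSON)
    print("APIs outside the BAA allow-list:", extra)
    print("\n".join(disable_commands(extra)))
    print("Audit log export sinks:", audit_export_sinks(SAMPLE_SINKS_JSON))
    print("Deletion safeguards missing:", deletion_guard_gaps(SAMPLE_BUCKET_JSON))
```

Run against real output by replacing the constructed JSON strings with the captured command output. An unlocked retention policy is reported as a gap because an administrator with the right permission can simply remove it; locking it is what makes the guard against accidental (or malicious) deletion irreversible.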
While the Google Cloud Platform can be used in a HIPAA-compliant manner, healthcare organizations can still violate HIPAA Rules using Google’s or any other provider’s service.