Google Forms is a handy tool for creating surveys and gaining comments from customers, but is it suitable for use by healthcare groups? Are Google Forms HIPAA compliant or will its usebe a breach of HIPAA Rules?
Prior to any cloud-based service can be used by HIPAA covered groups or their business associates in connection with PHI, it is first necessary to complete a business associate agreement with the service supplier. Without a business associate agreement completed, use of the service would be thought of as a HIPAA violation.
Google is prepared to complete a business associate agreement with HIPAA covered entities and their business associates and provides its own BAA in which Google provides satisfactory assurances – as is necessary under HIPAA – that the Privacy, Security, and Breach Notification Rule requirements will be complied with. The BAA does not include all Google services, but Google Drive – of which Google Forms is part – is included in the BAA.
Completing a BAA with a service provider is only one part of the requirements of HIPAA. HIPAA covered groups and their business associates should also assess the security controls in place and should complete a risk analysis to determine risks to the confidentiality, integrity, and availability of PHI. Any risks discovered must be subjected to a risk management process and reduced to an appropriate and acceptable level.
Implementing any cloud-based service is potentially dangerous, so care should be taken to ensure that appropriate controls are in place to prevent unauthorized access and disclosures. This is outlined quite clearly in Google’s HIPAA Implementation Guide.
Google explains that care should be taken setting up the privacy settings of any elements of Google Drive (Forms, Docs, Sheets, and Slides) to limit the people who can access the data, which also applies when inserting Google Drive content into a website.
No software solution can be completely HIPAA compliant, as HIPAA compliance depends on what the users does. However, Google does conform with HIPAA compliance and Google Forms is included in its business associate agreement. Therefore, Google Forms can be thought of as a HIPAA compliant solution that is suitable for use in the healthcare sector.