Google Sheets & HIPAA Compliance

Under HIPAA regulations, healthcare organizations must put safeguards in place to ensure the confidentiality, integrity, and availability of PHI. While it is straightforward to adapt internal controls to keep data secure, third parties are sometimes contracted to provide services that require access to PHI. They too must adhere to the HIPAA Rules covering privacy, security, and breach notification.

A third party that needs access to PHI – or copies of health data – to carry out services on behalf of a covered entity is referred to as a business associate. A covered entity and business associate must enter into a contract – a business associate agreement – in which the business associate agrees to adhere to certain aspects of the HIPAA Privacy, Security, and Breach Notification Rules. Without a business associate agreement in place, any sharing of PHI would be a HIPAA violation.

While Google does not look at the data uploaded to Google Sheets, Google is able to access the information and the data is stored on its servers, so a business associate agreement is mandatory.

Google wants to protect the privacy of its customers’ data and ensure that all of its services are secure and that data is always available. Google is aware of the requirements of the Health Insurance Portability and Accountability Act, and the firm is ready to enter into a business associate agreement with HIPAA covered entities for certain specific services.

Google provides a BAA for use with G Suite, which includes Google Drive. Google Sheets, Google Docs, Google Slides, and Google Forms are all part of Google Drive and are listed in and covered by the BAA.

Google states in its terms and conditions that any HIPAA covered entity, or business associate of a HIPAA covered entity, that wishes to use G Suite in connection with any PHI must enter into a BAA with Google before its services are used in connection with PHI.

As Google provides and will sign a BAA, is Google Sheets HIPAA compliant? Google can be considered a HIPAA compliant service provider, as Google supports HIPAA compliance for G Suite Basic, G Suite for Education, G Suite Business, and G Suite Enterprise domains and will enter into a BAA with healthcare customers.

Once a BAA has been completed, it is the responsibility of the covered entity or business associate to ensure that Google Sheets and all other Google Drive and G Suite products and services are used properly and in a manner that does not violate HIPAA regulations.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth.