Under HIPAA Rules, healthcare groups must put in place security measures to ensure the confidentiality, integrity, and availability of PHI. While it is easy to adapt controls internally to keep data secure, oftentimes third parties are hired to provide services that require access to PHI. They too must adhere to HIPAA Rules covering privacy, security, and breach notifications.
A third party that needs to view PHI – or copies of health data – to complete services on behalf of a covered group is referred to as a business associate. A covered group and business associate must fill out a business associate agreement, in which the business associate agrees to adhere to specific parts of the HIPAA Privacy, Security, and Breach Notification Rules. Without a business associate agreement in place, any sharing of PHI would be considered a HIPAA breach in every instance.
Google does not review the data uploaded to Google Sheets, but because Google can potentially access that data and the data is stored on its servers, a business associate agreement would be obligatory.
Will Google Fill Out a BAA with HIPAA Covered Groups for Google Sheets?
Google is dedicated to securing the privacy of its customers’ data and ensuring all of its services are secure and data can always be obtained. Google is conscious of the requirements of the Health Insurance Portability and Accountability Act and the firm is ready to complete a business associate agreement with HIPAA covered groups for certain services.
Google provides a BAA for G Suite, which incorporates Google Drive. Google Sheets, Google Docs, Google Slides, and Google Forms are all part of Google Drive and are taken into account in the BAA.
Google outlines in its terms and conditions that any HIPAA covered group or business associate of a HIPAA covered group that seeks to use G Suite in connection with any PHI must complete a BAA with Google before any of its services are used for managing PHI.
So Can Google Sheets Be Considered HIPAA Compliant?
Since Google offers a BAA, is Google Sheets HIPAA compliant? Google can be considered a HIPAA-compliant service provider, as it supports HIPAA compliance for G Suite Basic, G Suite for Education, G Suite Business, and G Suite Enterprise domains and will complete a BAA where necessary for HIPAA requirements.
Once a BAA has been completed with Google, it is the responsibility of the covered group or business associate to ensure that Google Sheets and all other Google Drive and G Suite products and services are used in line with HIPAA Rules.