Recently, Google announced that it would be willing to sign HIPAA Business Associate Agreements (BAAs) for organizations required to have such agreements for regulatory compliance. This is a breakthrough for industries that are accountable for the safe and secure storage of ePHI (electronic protected health information) and PII (personally identifiable information). Now HIPAA covered entities (CEs) and business associates (BAs) of all sizes using Google Apps as a business tool can have the additional assurance afforded by an individual BAA. This also means that Google will be assuming responsibility for the safety and security of the business data stored through Google Apps.
What Apps are being covered in the HIPAA Business Associate Agreement?
The HIPAA BAA covers the three most used Google Apps (Calendar, Drive (Google Docs) and Gmail). The BAA terms state that “other Google services or third party Marketplace Apps should not be used in connection with PHI. This agreement requires that you disable all additional services in the admin console.” Though the agreement does not cover third party applications, all pertinent applications are covered with the addition of Google Vault.
The biggest point to be taken here is Google’s proactive adoption of the regulatory compliance laws and its recognition that adoption of its products has been hindered by not working within the framework of requirements set forth by HIPAA / HITECH. After years of consideration, Google has now broken down a major barrier in one of the largest industries (healthcare) worldwide. Since Google is willing to accept responsibility for the data entrusted to it via its cloud security in Google Apps, the entire healthcare field is now seemingly open to adoption of the Google Apps suite.
What are the Google BAA compliance ramifications?
Google’s privacy policy states: “We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
- meet any applicable law, regulation, legal process or enforceable governmental request.
- enforce applicable Terms of Service, including investigation of potential violations.
- detect, prevent, or otherwise address fraud, security or technical issues.
- protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.”
Google also uses functions within Google+ and Gmail to forecast market trends and passes that information along to partner companies for marketing and advertising efforts. The policy states that “We may share aggregated, non-personally identifiable information publicly and with our partners – like publishers, advertisers or connected sites. For example, we may share information publicly to show trends about the general use of our services.” If any of the information shared involves demographics tied to medical variables (for example, that a user has had cancer) or protected health information, Google would be in strict violation of HIPAA.
Google uses our information to help select the ads displayed to the user and to tailor our searches toward the best possible results. This works wonderfully when we are looking for a particular product or a place to eat. It is NOT A SAFE PRACTICE when it comes to the proper handling of ePHI AND PII!