Is the Google Cloud Platform HIPAA Compliant?

Google and its products are ubiquitous and are extensively used by healthcare organizations, but is the Google Cloud platform HIPAA compliant?

Healthcare was already on a steady path to digitization, but with the COVID-19 pandemic and shift to remote working, healthcare companies were forced to accelerate their digital transformation plans. The healthcare cloud market has been estimated to be worth $90 billion by 2027. Whilst Amazon’s AWS and Microsoft Azure are the market leaders, Google currently has around 10% of the market share for cloud computing technologies. But is the Google Cloud platform HIPAA compliant? Can it be used by healthcare organizations in connection with ePHI?

To ensure HIPAA compliance, all covered entities must enter into a business associate agreement (BAA) with vendors whose products or services involve contact with ePHI. When the HIPAA Omnibus Rule was finalized in 2013, Google began signing BAAs with CEs for its G Suite products. Since 2014, it has included its cloud computing platforms in the agreements.

The products now covered by the Google BAA include Container Registry, Cloud Dataflow, Cloud Bigtable, Compute Engine, Cloud Storage, Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud Dataproc, Stackdriver Trace, Stackdriver Debugger, Cloud Datalab, Cloud Machine Learning Engine, Genomics, BigQuery, Kubernetes Engine, Cloud Pub/Sub, Cloud Translation API, Cloud Speech API, Stackdriver Logging, Data Loss Prevention API, Cloud Vision API, Google App Engine, Cloud Load Balancing, Cloud VPN, Cloud Spanner, Stackdriver Error Reporting, and Cloud Natural Language.

In 2016, Google entered a partnership with Kinvey, a mobile backend-as-a-service (mBaaS) provider. The partnership resulted in the launch of a HIPAA-compliant mBaaS on Google’s Cloud Platform.

A BAA alone does not guarantee HIPAA compliance. Google’s services have been assessed and were found to surpass the standards established by the HIPAA Security Rule and Privacy Rule, Google is also aware of its duty to its customers, and guarantees that the products covered by the BAA are HIPAA-compliant.  It also regularly audits its products to ensure continued compliance.

CEs must not use Google products that are not covered by the BAA in connection with any ePHI, and they must ensure the security controls provided by Google are applied and configured correctly. Misconfigurations could lead to accidental data deletion or access by unauthorized individuals, which would violate HIPAA.

Is the Google Cloud Platform HIPAA Compliant?

Google’s Cloud Computing Platform has every possibility of being HIPAA-compliant, but ultimately, the responsibility for HIPAA compliance lies with each CE.