Many healthcare groups were unwilling to adopt Google Apps because, under the new HIPAA rules, Google would have to sign a Business Associate Agreement (BAA), something the internet giant had not yet done.
Google has now agreed to remove this obstacle and sign a BAA for the very first time, ensuring that its Apps comply with HIPAA. This should see more healthcare organizations take advantage of Google's services.
The Health Insurance Portability and Accountability Act of 1996 requires healthcare organizations to control access to electronic health records and identifiable data. Healthcare organizations are responsible for any data breaches, accidental or deliberate, and the disclosure of individually identifiable health information (IIHI) and protected health information (PHI) to any unauthorized person.
Protected information includes the names and contact information of patients, their health information, financial details relating to services received and medical insurance data.
Under HIPAA regulations, if any of this data has to be shared with a third party in order for a service to be supplied, that party must sign a Business Associate Agreement in which it agrees to adhere to HIPAA regulations and to take the necessary precautions to protect the data. This applies both to people who require access to the data and to software that touches the data.
Certain Google Apps potentially have access to ePHI and therefore using them would be breaching HIPAA regulations if a business associate agreement had not been signed. In the case of Google Apps, the BAA it has agreed to sign covers Google Drive, Google Calendar and Gmail along with the Vault service that is used by these Apps to archive old data.
The BAA has been integrated into the registration process to make things simpler. When registering, an administrator of the Google Apps domain is required to answer three questions:
Are you a Covered Entity (or Business Associate of a Covered Entity) under HIPAA?
Will you be using Google Apps in conjunction with Protected Health Information?
Are you authorized to ask for and agree to a Business Associate Agreement with Google for your Google Apps domain?
If the answers qualify, the BAA document is generated and launched in Adobe EchoSign so that digital signatures can be recorded.
It is important that the BAA is carefully reviewed and fully understood before it is signed, and that nobody assumes signing this document makes the organization in question HIPAA compliant. Even though Google agrees to take the proper precautions, healthcare organizations must still implement further controls to protect data. Gmail may be compliant, but the actions of users can certainly cause a HIPAA breach.
HIPAA covered entities must put in place further security measures to ensure that ePHI and IIHI are always kept secure. Passwords must be set, a two-step authentication process used, and user permissions configured to control access on a need-to-know basis. A host of other IT security measures must also be implemented. Adopting these Google services also requires an update of HIPAA policies and procedures, and staff training.
It is vital to reiterate that only the aforementioned Google services are covered by this new agreement, and that the use of any other Google service could be a HIPAA breach. This is explicitly stated in Google's BAA. It says that all other Google services must be disabled, and that Gmail, Drive and Calendar may not be used with marketplace apps; those apps remain off limits for organizations storing PHI unless other HIPAA-compliance programs (CloudLock, for example) are in use at the same time.