Business Associate Agreement (BAA) With Google


Unfortunately, the company Ted was working with to set up Google Workspace didn't know much about HIPAA. They helped Ted sign a HIPAA BAA, but that's it. Too bad Ted didn't get our "17-Step Guide on Gmail and HIPAA Compliance" checklist.

Customers who are subject to HIPAA and wish to use Google Cloud products in conjunction with PHI must review and accept Google's Business Associate Agreement. Google ensures that the Google products covered by the BAA meet HIPAA requirements and are based on its ISO/IEC 27001, 27017 and 27018 certifications, as well as SOC 2 reports. Administrators must review and accept a BAA before using Google services with PHI. Check which Google Workspace products can be used for HIPAA compliance. Google offers a BAA for Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides and Forms), Google Hangouts (chat messaging feature only), Hangouts Chat, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Google Groups, Google Tasks, Jamboard, Google Vault Services and Google Cloud Identity Management. It is important to note that there is no US HHS certification for HIPAA compliance and that HIPAA compliance is a shared responsibility of the customer and Google. In particular, HIPAA requires compliance with the Security Rule, the Privacy Rule and the Breach Notification Rule. Google Cloud Platform supports HIPAA compliance (as part of a Business Associate Agreement), but ultimately customers are responsible for evaluating their own HIPAA compliance. For customers with HIPAA compliance requirements, Google offers a Business Associate Amendment (BAA).

Many companies are making a big mistake regarding Google Workspace and HIPAA. They think all they have to do is sign a HIPAA Business Associate Agreement (BAA) with Google, and they suddenly comply with HIPAA. The BAA allows companies and listed business partners to enter into an agreement with Google that regulates the processing of PHI via Google Cloud. To accept it, sign in to an account with super-administrator privileges (one that does not end in gmail.com).
