Is Google Forms HIPAA Compliant?

The question ‘is Google Forms HIPAA compliant and suitable for use by healthcare organizations?’ is an important one, because Google Forms is a very popular tool for building forms and surveys for data collection. It is typically used for surveys, event registrations and information collection via internal or public-facing web pages, and the responses it gathers are stored in the creator's Google account.

There are many ways to use Google Forms that do not touch any area governed by the HIPAA Rules, so healthcare organizations can use the service for such purposes without any risk of a HIPAA violation. However, if Google Forms is used to gather, store or process protected health information (PHI), or in connection with any aspect of it, Google is a business associate and the HIPAA Rules apply.

Before using any software application with PHI, a healthcare organization must confirm that safeguards are in place to ensure the confidentiality, integrity, and availability of all protected health information that is created, received, stored, maintained, or transmitted through that software.

The software vendor must also give the covered entity specific assurances that the application can be used in a manner consistent with the HIPAA Rules. This is done by signing a HIPAA-compliant business associate agreement (BAA) with the covered entity. The BAA sets out the vendor's obligations with respect to protected health information under HIPAA.

Google will sign business associate agreements with HIPAA-covered entities, and many of its products and services are covered by its BAA. However, the BAA does not cover every Google product and service, so it is important to check that each service you intend to use with PHI is actually listed as covered.

Because Google Forms is part of Google Drive, which is covered by Google's BAA, Google Forms can be used in connection with ePHI without violating the HIPAA Rules, provided the healthcare organization has a signed BAA with Google that covers Google Drive and Google Forms. On that basis Google Forms can be considered HIPAA compliant. Note that Google offers its BAA to organizations with paid Google Workspace accounts; forms created under free consumer Google accounts are not covered by a BAA and should not be used to collect PHI.

However, no software or service is ever "HIPAA compliant" in itself, because compliance depends on how the organization configures and uses it. The HIPAA Rules can still be violated when using Google Forms even with a signed BAA in place.

As with all software and cloud-based solutions, access to Google Forms must be limited to authorized users. In practice that means restricting who can edit each form and who can view its responses, including any linked response spreadsheet, since the sharing settings on that spreadsheet govern who can read the collected data. Any data gathered, processed, stored, or shared through the service must be secured at all times, audit controls must be implemented, and access logs (such as the Drive audit logs available in the Google Workspace Admin console) must be reviewed on an ongoing basis for unauthorized access. Provided Google Forms is configured correctly and these measures are in place, it is suitable for use by healthcare organizations in a HIPAA-compliant manner.