The question ‘are Google Forms HIPAA compliant and suitable for use by healthcare organizations?’ is important when the Workspaces service is used to collect, store, or share Protected Health Information.
Google Forms is a popular survey tool that allows users to create forms for data collection purposes and then export the data for analysis. Typically, Google Forms are used for surveys, event registrations, and information collection via internal or public-facing web pages.
When used for these purposes by healthcare organizations, Google Forms does not have to be HIPAA compliant provided that no information is disclosed relating to an individual’s past, present, or future health condition, treatment for the condition, or payment for the treatment.
However, when used to collect, store, or share Protected Health Information, healthcare organizations have to make Google Forms HIPAA compliant and enter into a Business Associate Agreement with Google as Google will have “persistent access” to the PHI.
How to Make Google Forms HIPAA Compliant
Two things are required to make Google Forms HIPAA compliant. The first is a subscription to a business or enterprise Workspace account that includes the capabilities to ensure the confidentiality, integrity, and availability of electronic PHI.
The second thing required to make Google Forms HIPAA compliant is the configuration of the capabilities to ensure correct permissions and restrictions are applied. Depending on the capabilities of the account, this may also include applying data loss prevention policies.
If it is impractical to subscribe to an enterprise account (i.e., because it includes more features than the healthcare organization will use), it is also possible to integrate Google Forms with third party collaboration and productivity services – provided the third party services are also configured to comply with HIPAA and a Business Associate Agreement is signed with the service provider.
Google’s Business Associate Agreement
Like most other major Cloud Service Providers, Google will not sign individual Covered Entities’ Business Associate Agreements. This is because it Google provides standard cloud services to all customers – regardless of their HIPAA status – via multi-tenanted servers.
Instead, Google provides a one-size-fits-all Business Associate Addendum covering “core services”. The core services covered by Google’s Business Associate Addendum include most of the service in Workspace packages – including Google Forms, Sheets, Docs, and Slides.
Before signing Google’s Business Associate Addendum, Covered Entities are advised to double-check that any other services they wish to use in addition to Google Forms are covered by the agreement, and that they agree with all the clauses of the Addendum (especially the Applicability and Customer Responsibilities clauses) to avoid inadvertent violations that would invalid the agreement.
Don’t Overlook Workforce Training
The final stage of making Google Forms HIPAA compliant is to ensure the service is used compliantly. This will involve adding training on how to use Google Forms in compliance with HIPAA to existing mandatory security and awareness HIPAA training.
The content of training on how to use Google Forms in compliance with HIPAA will vary according to how the controls have been configured. Therefore, it may not be necessary to warn users about sharing and editing permissions – although it is recommended users are told not to include PHI in the titles of Google Forms or in the title of Google Sheets if exporting data for analysis.
Generally, making Google Forms HIPAA compliant is not too complicated. However, if you are unsure of which Workspaces package to subscribe to, how to configure the capabilities, or how to train members of the workforce on the compliant use of Google Forms, it is recommended you seek professional compliance help.