Many healthcare organizations today use cloud platforms like Azure and AWS. In fact, the value of the healthcare cloud computing market was determined to be $4.65 billion in 2016 and would likely rise to over $14.76 billion by 2022. According to KeyBlanc, Amazon AWS is the leading cloud platform with a 62% market share, followed by Microsoft Azure with 20% market share. Both platforms offer support for HIPAA compliance. Google Cloud currently has a 12% market share but is it HIPAA compliant? Can the Google Cloud platform be used as an alternative tool for building applications, hosting infrastructure and storing files with protected health information?
When the implementation of the Omnibus Rule began in September 2013, Google also began signing business associate agreements with HIPAA covered entities. Initially, Google signed BAAs for G-Suite in 2014 and extended it to include Google Cloud. Now, Google signs BAAs for the following services:
- Compute Engine
- Cloud Storage
- Cloud SQL for PostgreSQL
- Cloud SQL for MySQL
- Kubernetes Engine
- Cloud Dataproc
- Genomics, BigQuery
- Container Registry
- Cloud Bigtable
- Cloud Dataflow
- Cloud Pub/Sub
- Cloud Speech API
- Cloud Translation API
- Stackdriver Logging
- Stackdriver Trace
- Stackdriver Error Reporting
- Stackdriver Debugger
- Cloud Natural Language
- Cloud Datalab
- Cloud Vision API
- Cloud Machine Learning Engine
- Cloud Data Loss Prevention API
- Google App Engine
- Cloud VPN
- Cloud Load Balancing
- Cloud Spanner
In 2016, Google also partnered with mobile provider Kinvey and made its mBaaS available on Google Cloud. The mBaaS uses connectors to electronic health record systems to support healthcare apps.
Signing a BAA doesn’t automatically mean that Google Cloud is HIPAA compliant. It’s only one requirement of HIPAA compliance. However, it’s very important because it signifies that Google’s security and data protection mechanisms were assessed and found to comply with the minimum requirements of the HIPAA Security Rule.
Google Cloud also meets the Privacy Rule requirements. Google is aware of its obligations as a HIPAA business associate. It agrees to offer a safe and HIPAA-compliant infrastructure so that HIPAA covered entities can use Google Cloud for storage and processing of PHI.
Still, it must be understood that healthcare organizations are responsible for ensuring that they follow HIPAA Rules when using the Google Cloud Platform. They need to configure correctly their cloud-based infrastructure and applications to be totally secure.
Covered entities are responsible to disable other Google services not covered by its business associate agreement. There must be appropriate access controls and controls that prevent accidental data deletion. Audit logs export destinations must be configured properly and audit logs must be checked regularly. When uploading any PHI to the cloud, the entity must ensure it is secured and not accidentally shared with unauthorized persons.
Google Cloud satisfies the requirements of HIPAA. Now it is up to the healthcare organization to make sure that its use of Google Cloud remains secure and compliant with HIPAA Rules.