Google Forms is a web-based tool that anybody can use to build surveys and collect responses. Can healthcare providers use it without violating the HIPAA rules?
If a HIPAA-covered entity or business associate wants to use an online service to create, receive, store or transmit PHI, the first requirement is a business associate agreement (BAA). Without a BAA between the HIPAA-covered entity and the service provider, using the service with PHI is a HIPAA violation. Google does sign BAAs with HIPAA-covered entities and business associates (the BAA is offered for Google Workspace accounts and must be accepted by the organization's administrator, not for free consumer Google accounts). Under the BAA, Google commits to safeguarding PHI in line with the HIPAA Security, Privacy and Breach Notification Rules. The BAA does not cover every Google service, but it does cover Google Drive, including Google Forms.
Besides the BAA prerequisite, HIPAA-covered entities and business associates must also assess the security features of the product or service. It should be included in a risk analysis covering the confidentiality, integrity and availability of PHI, and any identified risks must be reduced to a reasonable and appropriate level. Appropriate controls are required to prevent unauthorized access and data exposure. Google explains this requirement in its HIPAA Implementation Guide. The sharing and privacy settings of Google Drive (which covers Docs, Sheets, Slides and Forms, including the response data a form collects) should be configured so that only authorized users can access the content stored in Drive.
No software program is HIPAA compliant on its own, because compliance depends on how the tool is configured and used. The Google services covered by the BAA (including Google Forms) can be used in a HIPAA-compliant manner. Healthcare organizations can therefore use Google Forms to collect and manage data without violating the HIPAA rules, provided the BAA is in place and the access controls and configuration requirements described above are implemented.