Google Sheets is a service provided by Google for creating, viewing and sharing spreadsheets. Is it all right for HIPAA-covered entities to use Google Sheets in conjunction with identifiable protected health information (PHI)? Does doing so violate the HIPAA Rules?
As per the HIPAA Rules, healthcare organizations need to protect the confidentiality, availability and integrity of PHI. Using internal organization controls to secure data is pretty simple. But if third-party services are contracted and given access to PHI, strict observance of the HIPAA Rules on security, privacy and breach notification is necessary.
Third parties that require PHI access to do a job on behalf of HIPAA-covered entities are considered business associates. A business associate ought to comply with the HIPAA Security, Privacy and Breach Notification Rules, as specified in an agreement termed a business associate agreement (BAA). The business associate should enter into a BAA before being given access to PHI. Otherwise, both the covered entity and the business associate violate the HIPAA Rules.
Even though Google doesn’t access the information (including PHI) generated using Google Sheets, Google still needs to sign a BAA, since the PHI is saved on Google's servers and could potentially be viewed. Google is aware of the requirements of the Health Insurance Portability and Accountability Act with respect to protecting health data privacy. Thus, it made sure that all data are secured in its services. It is similarly willing to sign an agreement with HIPAA-covered entities using G Suite. G Suite services include Google Docs, Google Slides, Google Sheets, Google Forms, and Google Drive. Google’s terms and conditions clearly say that a BAA is required for HIPAA-covered entities wanting to use G Suite with PHI.
In summary, Google Sheets is HIPAA compliant. Google is compliant with the HIPAA Rules in offering these products and services: G Suite Basic, G Suite for Education, G Suite for Business and G Suite Enterprise. Moreover, by signing a BAA, Google agrees with covered entities and business associates to secure PHI. Covered entities, on the other hand, have the obligation to maintain the right settings and to use Google Sheets in a way that does not violate the HIPAA Rules.