Is Google Cloud Platform HIPAA Compliant?
Is Google Cloud Platform HIPAA compliant? Before we try to answer this question, let’s see why it arises at all. The reason is that the healthcare industry is using cloud services more and more often, and the healthcare cloud market is growing steadily. Hence, the question of HIPAA compliance comes up every time a healthcare organization considers cloud services.
Public cloud computing has multiple benefits compared to on-premises hardware servers. Cloud infrastructure is much more scalable than physical data centers, cloud providers offer many pre-built services, including virtual machines and cloud storage, and they usually charge on a pay-as-you-go basis, which lets you keep costs at an optimal level.
Healthcare organizations and businesses, recognizing these benefits, also often opt for the cloud. When they need to choose a cloud service provider, Google Cloud Platform (GCP) is often one of the primary options considered. It ranks third in the cloud services market after Amazon Web Services and Microsoft Azure, and is reputed to offer high availability and productivity.
However, in healthcare, the question of HIPAA compliance is the main focus. Every healthcare provider considering Google Cloud for their business should find a definite answer to the question we put in the title – is Google Cloud Platform HIPAA compliant?
What to watch for in verifying Google Cloud Platform HIPAA compliance
In a nutshell, being compliant with HIPAA (Health Insurance Portability and Accountability Act) means complying with its three main rules:
- Privacy Rule, governing the disclosure of Protected Health Information (PHI);
- Security Rule, establishing the security standards for handling Electronic Protected Health Information (ePHI);
- Breach Notification Rule, requiring all incidents of PHI breach to be duly reported.
In HIPAA, any healthcare organization that creates or handles PHI is classified as a Covered Entity. In turn, any organization or individual that provides services to the Covered Entity, where such service involves access to PHI, is called a Business Associate. Such access can be granted only after signing a Business Associate Agreement (BAA).
When acting as a cloud service provider to a healthcare organization, Google Cloud Platform is considered a Business Associate. Let’s see how it meets the HIPAA requirements for Business Associates.
Does Google Cloud Platform sign the BAA?
GCP will sign a Business Associate Agreement. The BAA should state the type of PHI that the Business Associate will access and how the PHI will be processed. Also, the BAA should stipulate that the PHI must be destroyed after the purpose for which it was collected has been fulfilled.
By signing the BAA, Google Cloud confirms that it bears the same responsibility for PHI protection as the Covered Entity.
Are all Google Cloud Platform services HIPAA compliant?
GCP specifies a definite list of products and services that are covered by its general BAA. This list is updated regularly and is published on GCP’s official compliance page.
If you are planning to launch your healthcare service on Google Cloud, make sure you only use the covered services. This way, you can ensure that you provide HIPAA-compliant services to your users.
How does Google Cloud meet the HIPAA security requirements?
GCP’s official compliance statement declares that its entire infrastructure is covered by its BAA and is, therefore, HIPAA compliant. What does this mean in practical terms?
- Encryption in transit. All data exchange between GCP and the healthcare service is done over securely encrypted channels.
- Access management. Google Cloud offers an IAM (Identity and Access Management) interface that lets you assign roles to users and grant them only the level of access you consider necessary. The permissions defined via the IAM interface apply to all Google Cloud services you are using.
- User activity monitoring. HIPAA requires that all user activity data is logged and stored for further auditing. Google Cloud Platform meets this requirement fully by logging all user interactions and storing the audit logs for a period of ten years.
- Multi-factor authentication. Authentication to GCP is done via a Google account, which requires a unique, randomly generated code to be entered on your wearable device.
- Data encryption at rest. GCP applies multiple encryption mechanisms to protect data at rest. Data in Google Cloud Storage is encrypted according to the AES-256 standard: data is divided into chunks, each encrypted with its own unique key. Encryption at rest is provided by default with no special action on the user’s part.
- Web App and API Protection. GCP implements WAAP (Web App and API Protection) to protect web applications against cyber threats and DDoS attacks.
– Is Google Cloud HIPAA compliant?
– Yes, it is.
– Is it enough to sign a BAA with GCP to ensure HIPAA compliance of your healthcare product?
– No, it is not.
While GCP’s security model has been determined to meet the requirements of the HIPAA Rules, the HIPAA-covered entity should still take the appropriate measures to ensure complete compliance:
- Use only BAA-covered GCP services and products;
- Set up access control and multi-factor authentication for your cloud environment;
- Implement and configure appropriate security mechanisms, such as VPNs and firewalls;
- Review Google Cloud audit logs regularly and store them in a secure destination;
- Ensure service availability and disaster recovery.
When all these compliance efforts have been made, the combined strength of the implemented security mechanisms will ensure the necessary level of data protection and render your healthcare product fully HIPAA compliant.
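One way to turn the "set up access control" and "review Google Cloud audit logs regularly" items above into a repeatable check, as an added example that is not part of the original post or of Google's own tooling: a small Python reviewer that reads Cloud Audit Log entries (JSON, one entry per line, as exported from Cloud Logging) and flags PHI reads by principals outside an approved list, plus any permission change on the PHI bucket. The project, bucket, principals and log entries are constructed for this example.

```python
import json

# Constructed sample entries in the Cloud Audit Log JSON layout (logName, protoPayload.*).
# Project, bucket, principal names and the events themselves are made up for this example.
SAMPLE_LOG = "\n".join([
    '{"logName":"projects/phi-demo/logs/cloudaudit.googleapis.com%2Fdata_access",'
    '"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get",'
    '"authenticationInfo":{"principalEmail":"nurse@example-clinic.org"},'
    '"resourceName":"projects/_/buckets/phi-records/objects/patient-42.pdf"}}',
    '{"logName":"projects/phi-demo/logs/cloudaudit.googleapis.com%2Fdata_access",'
    '"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get",'
    '"authenticationInfo":{"principalEmail":"contractor@example.com"},'
    '"resourceName":"projects/_/buckets/phi-records/objects/patient-42.pdf"}}',
    '{"logName":"projects/phi-demo/logs/cloudaudit.googleapis.com%2Factivity",'
    '"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions",'
    '"authenticationInfo":{"principalEmail":"nurse@example-clinic.org"},'
    '"resourceName":"projects/_/buckets/phi-records"}}',
    '{"logName":"projects/phi-demo/logs/cloudaudit.googleapis.com%2Fdata_access",'
    '"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get",'
    '"authenticationInfo":{"principalEmail":"nurse@example-clinic.org"},'
    '"resourceName":"projects/_/buckets/marketing-assets/objects/logo.png"}}',
])

# Assumed allow-list: the only identities that should ever read PHI objects.
APPROVED_PHI_PRINCIPALS = {"nurse@example-clinic.org",
                           "ehr-app@phi-demo.iam.gserviceaccount.com"}
PHI_PREFIX = "projects/_/buckets/phi-records"  # assumed bucket that holds PHI


def review_audit_log(text, approved=APPROVED_PHI_PRINCIPALS, phi_prefix=PHI_PREFIX):
    """Return findings for PHI access by unapproved principals and for any
    IAM/permission change on the PHI resource (always worth a human review)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line).get("protoPayload", {})
        resource = payload.get("resourceName", "")
        if not resource.startswith(phi_prefix):
            continue  # not a PHI resource; out of scope for this review
        who = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        method = payload.get("methodName", "")
        if "iam" in method.lower():
            findings.append({"principal": who, "method": method, "resource": resource,
                             "reason": "permission change on PHI resource"})
        elif who not in approved:
            findings.append({"principal": who, "method": method, "resource": resource,
                             "reason": "PHI access by unapproved principal"})
    return findings
```

Run it on a daily export of the data_access and activity logs and route non-empty results to whoever owns the access review.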
How can QuickBlox help you ensure HIPAA compliance?
As we mentioned above, being HIPAA compliant is a combined effort of all entities involved in operating the healthcare product. Your task as the healthcare app owner is to implement all necessary PHI protection measures on your side. The most straightforward way to achieve this is to use infrastructure developed by a reputable team with HIPAA compliance in mind.
QuickBlox offers a set of APIs and SDKs that allow you to integrate a full-featured communication platform into your app. The communication functionality developed by QuickBlox is HIPAA compliant and meets the corresponding requirements for physical servers, storage, and data encryption in transit and at rest. If you choose QuickBlox as your communication provider, you can be sure that all data transmission and storage resources will be compliant.
Contact us for more details.