Is Google Cloud Platform HIPAA compliant? Before we try to answer this question, let’s see why it arises at all. The reason is that the healthcare industry is using cloud services more and more often, and the healthcare cloud market is growing steadily. Hence, the question of HIPAA compliance comes up every time a healthcare organization considers cloud services.
Public cloud computing has multiple benefits compared to on-premises hardware servers. Cloud infrastructure is far more scalable than a physical data center; cloud providers offer many pre-built services, including virtual machines and cloud storage; and they usually charge on a pay-as-you-go basis, which lets you keep costs at the optimal level.
Healthcare organizations and businesses, recognizing these benefits, also often opt for the cloud. When they need to choose the cloud service provider, Google Cloud Platform (GCP) is often considered as one of the primary options. It ranks third on the cloud services market after Amazon Web Services and Microsoft Azure, and is reputed to offer high availability and productivity.
However, in healthcare the question of HIPAA compliance is the main focus. Every healthcare provider considering Google Cloud for their business should find a definitive answer to the question we put in the title – is Google Cloud Platform HIPAA compliant?
In a nutshell, being compliant with HIPAA (Health Insurance Portability and Accountability Act) means complying with its three main rules:
In HIPAA, any healthcare organization that creates or handles PHI is classified as a Covered Entity. In turn, any organization or individual that provides services to the Covered Entity, where such service involves access to PHI, is called a Business Associate. Such access can be granted only after signing a Business Associate Agreement (BAA).
When acting as a cloud service provider to a healthcare organization, Google Cloud Platform is considered a Business Associate. Let’s see how it meets the HIPAA requirements for Business Associates.
GCP will sign a Business Associate Agreement. The BAA should state the type of PHI that the Business Associate will access and how the PHI will be processed. Also, the BAA should stipulate that the PHI must be destroyed after the goal for which it was collected is achieved.
By signing the BAA, Google Cloud confirms that it bears the same responsibility for PHI protection as the Covered Entity.
GCP specifies a definite list of products and services that are covered by its general BAA. This list is constantly updated and is published on GCP’s official compliance page.
If you are planning to launch your healthcare service on Google Cloud, make sure you use only the covered services. This way, you can ensure that you provide HIPAA-compliant services to your users.
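One practical way to enforce the "use only covered services" rule is to compare the APIs enabled in a project against the list of services named in your BAA. The script below is an added example, not code from the original article, from QuickBlox or from Google. The covered-service list in it is a placeholder that must be replaced with the list on Google's published compliance page, and the enabled-service data is a constructed sample in the shape that `gcloud services list --enabled --format=json` prints (the assumption is that each entry carries `config.name` and `state`).

```python
"""Flag enabled GCP APIs that are not on the BAA-covered service list.

Added example (not the article's, QuickBlox's or Google's code).
"""
from __future__ import annotations

import json
import subprocess
from typing import Iterable

# PLACEHOLDER allowlist: replace with the services actually named in your BAA,
# taken from Google's published HIPAA compliance page.
BAA_COVERED_SERVICES = {
    "compute.googleapis.com",
    "storage.googleapis.com",
}

# Constructed sample in the shape of `gcloud services list --enabled --format=json`.
# The third entry is a made-up API name, used only to show what a finding looks like.
SAMPLE_ENABLED_JSON = json.dumps([
    {"config": {"name": "compute.googleapis.com", "title": "Compute Engine API"}, "state": "ENABLED"},
    {"config": {"name": "storage.googleapis.com", "title": "Cloud Storage API"}, "state": "ENABLED"},
    {"config": {"name": "example-uncovered.googleapis.com", "title": "Example API"}, "state": "ENABLED"},
])


def enabled_services(gcloud_json: str) -> set[str]:
    """Parse gcloud JSON output and return the API names whose state is ENABLED."""
    return {
        entry["config"]["name"]
        for entry in json.loads(gcloud_json)
        if entry.get("state") == "ENABLED"
    }


def uncovered_services(enabled: Iterable[str], covered: Iterable[str]) -> list[str]:
    """Return the enabled services that are missing from the covered list, sorted."""
    return sorted(set(enabled) - set(covered))


def check_project(gcloud_json: str, covered: Iterable[str] = BAA_COVERED_SERVICES) -> list[str]:
    """Full check: parse the gcloud output and report any uncovered, enabled service.

    An empty list means every enabled API is on the covered list.
    """
    return uncovered_services(enabled_services(gcloud_json), covered)


def fetch_enabled_json(project_id: str) -> str:
    """Fetch live data from gcloud for a real project (not used in the offline demo)."""
    return subprocess.check_output(
        ["gcloud", "services", "list", "--enabled", "--format=json", f"--project={project_id}"],
        text=True,
    )


if __name__ == "__main__":
    # Offline demo on the constructed sample; for a live project use
    # check_project(fetch_enabled_json("my-project-id")).
    findings = check_project(SAMPLE_ENABLED_JSON)
    if findings:
        print("Enabled services NOT on the BAA-covered list:")
        for name in findings:
            print(f"  - {name}")
    else:
        print("All enabled services are on the BAA-covered list.")
```

Run it periodically (or in CI before a deployment) so that a newly enabled API that is outside the BAA is caught before PHI can reach it; on the sample data it reports the one constructed, uncovered entry.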
GCP’s official compliance statement declares that its entire infrastructure is covered by its BAA and is, therefore, HIPAA compliant. What does this mean in practical terms?
– Is Google Cloud HIPAA compliant?
– Yes, it is.
– Is it enough to sign a BAA with GCP to ensure HIPAA compliance of your healthcare product?
– No, it is not.
While GCP’s security model has been determined to meet the requirements of the HIPAA Rules, the HIPAA-covered entity must still take appropriate measures on its side to ensure complete compliance:
When all these compliance efforts have been made, the combined strength of the implemented security mechanisms will provide the necessary level of data protection and render your healthcare product fully HIPAA compliant.
As we mentioned above, being HIPAA compliant is a combined effort of all entities involved in the healthcare product operation. Your task as the healthcare app owner is to implement all necessary PHI protection measures on your side. The most straightforward way to achieve this goal is by using the infrastructure developed by a reputed team with HIPAA compliance in mind.
QuickBlox offers a set of APIs and SDKs that allow you to integrate a full-featured communication platform into your app. The communication functionality developed by QuickBlox is HIPAA compliant and meets the corresponding requirements for physical servers, storage, and data encryption in transit and at rest. If you choose QuickBlox as your communication provider, you can be sure that all data transmission and storage resources will be compliant.
Contact us for more details.