In September 2013, Google offered for the first time to sign
a HIPAA Business Associate Agreement (BAA) available for Google
Apps. That’s good news for organizations unwilling to deploy Google
Apps without such an agreement. It is also a smart competitive move, as it
matches Microsoft, which offers to sign a BAA for Office365.
HIPAA: The basics
For those who may be unfamiliar, HIPAA (Health Insurance Portability and
Accountability Act), refers to a set of laws passed in the United States in
1996. The laws seek to limit access to individually identifiable healthcare
information to those that “need to know”. HIPAA holds healthcare
industry professionals accountable for the privacy of patient information.
Effective HIPAA compliance implementations resemble
effective security systems: they’re designed with the aim of protecting
individually identifiable health information (IIHI). Such information is
broadly referred to as “protected health information”, or PHI. This
information includes an individual’s name, address, and any information related
to the individual’s health or payment records. A Business Associate Agreement
(BAA) provides written assurances that an organization’s partners will also
seek to secure an individual’s PHI.
Google Apps BAA
Google’s BAA agreement covers three Google Apps services
(Gmail, Calendar, and Drive), along with the Google Apps Vault service, which
archives user data from the other three services. To sign up, an Administrator
for the Google Apps domain must answer three questions online. From the
- Are you a Covered Entity
(or Business Associate of a Covered Entity) under HIPAA?
- Will you be using Google
Apps in connection with Protect Health Information?
- Are you authorized to
request and agree to a Business Associate Agreement with Google for your Google
After responding, the Administrator will be taken to the BAA
document for signature. As of September 27, 2013, Google is using Adobe’s
Echosign to obtain digital signatures.
Read before signing
The BAA terms state “…other Google services or third
party Marketplace Apps should not be used in connections with PHI. This
agreement requires that you disable all Additional services in
the Admin console.” (Emphasis is mine.)
An organization signing the BAA would not be able to use the
domain covered by this agreement for additional useful Google services, such as
Google+, Google Groups, or Google Sites. As the terms state, you must disable
all Additional services: you may use Gmail, Calendar, Drive and Google Vault.
The terms also appear to prohibit the use of Marketplace Apps in conjunction
with PHI. (It is unclear whether the terms also prohibit the use of apps
intended to secure and protect PHI, such as zSentry. zSentry offers to sign a
BAA, and is a third-party app, which may be connected through the Marketplace.)
If your organization needs HIPAA compliant email, calendars
and document storage, then sign the BAA and move forward with the migration.
Your organization can adopt Gmail, Calendar, and Drive, confident that IIHI and
PHI in those apps will be protected by the BAA.
If your organization is already using Google Apps, review
your usage carefully before signing the BAA. If you’ve already implemented
measures to ensure HIPAA compliance, the availability of a BAA may not change
anything for your organization. For example, you might already prohibit the use
of PHI in Gmail, Calendar and Drive. You might already use tools to audit and
verify compliance, such as CloudLock.
Documents don’t ensure security
Google’s willingness to sign a BAA for organizations that
need to comply with HIPAA is helpful and certainly welcomed. It may remove a
barrier to adoption for some organizations. But healthcare professionals need
to remember that HIPAA compliance, like all IT security, involves complex
systems comprised of people, policies, and practices. (For example, you still
need effective password policies, security measures such as 2-step
authentication, and appropriate user permission settings.)
Signing a BAA doesn’t ensure your entire organization is
HIPAA compliant: the BAA is just one piece of a complex system needed to
protect IIHI and PHI.