Google agrees to sign BAA as means to HIPAA compliance

Google removes a barrier to Google Apps adoption by offering to sign a BAA for organizations that need to comply with HIPAA.

In September 2013, Google offered for the first time to sign a HIPAA Business Associate Agreement (BAA) for Google Apps. That's good news for organizations unwilling to deploy Google Apps without such an agreement. It is also a smart competitive move, as it matches Microsoft, which offers to sign a BAA for Office 365.

HIPAA: The basics

For those who may be unfamiliar, HIPAA (the Health Insurance Portability and Accountability Act) refers to a set of laws passed in the United States in 1996. The laws seek to limit access to individually identifiable healthcare information to those who "need to know". HIPAA holds healthcare industry professionals accountable for the privacy of patient information.

Effective HIPAA compliance implementations resemble effective security systems: they're designed with the aim of protecting individually identifiable health information (IIHI). Such information is broadly referred to as "protected health information", or PHI. This information includes an individual's name, address, and any information related to the individual's health or payment records. A Business Associate Agreement (BAA) provides written assurances that an organization's partners will also seek to secure an individual's PHI.

Google Apps BAA

Google's BAA covers three Google Apps services (Gmail, Calendar, and Drive), along with the Google Apps Vault service, which archives user data from the other three services. To sign up, an Administrator for the Google Apps domain must answer three questions online. From the website:

  1. Are you a Covered Entity (or Business Associate of a Covered Entity) under HIPAA?
  2. Will you be using Google Apps in connection with Protected Health Information?
  3. Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?

After responding, the Administrator will be taken to the BAA document for signature. As of September 27, 2013, Google is using Adobe's EchoSign to obtain digital signatures.

Read before signing

The BAA terms state "...other Google services or third party Marketplace Apps should not be used in connection with PHI. This agreement requires that you disable all Additional services in the Admin console." (Emphasis is mine.)

An organization signing the BAA would not be able to use the domain covered by this agreement for additional useful Google services, such as Google+, Google Groups, or Google Sites. As the terms state, you must disable all Additional services: you may use Gmail, Calendar, Drive and Google Vault. The terms also appear to prohibit the use of Marketplace Apps in conjunction with PHI. (It is unclear whether the terms also prohibit the use of apps intended to secure and protect PHI, such as zSentry. zSentry offers to sign a BAA, and is a third-party app, which may be connected through the Marketplace.)

Implement thoughtfully

If your organization needs HIPAA-compliant email, calendars and document storage, then sign the BAA and move forward with the migration. Your organization can adopt Gmail, Calendar, and Drive, confident that IIHI and PHI in those apps will be protected by the BAA.

If your organization is already using Google Apps, review your usage carefully before signing the BAA. If you've already implemented measures to ensure HIPAA compliance, the availability of a BAA may not change anything for your organization. For example, you might already prohibit the use of PHI in Gmail, Calendar and Drive. You might already use tools to audit and verify compliance, such as CloudLock.

Documents don't ensure security

Google's willingness to sign a BAA for organizations that need to comply with HIPAA is helpful and certainly welcomed. It may remove a barrier to adoption for some organizations. But healthcare professionals need to remember that HIPAA compliance, like all IT security, involves complex systems comprised of people, policies, and practices. (For example, you still need effective password policies, security measures such as 2-step authentication, and appropriate user permission settings.)

Signing a BAA doesn't ensure your entire organization is HIPAA compliant: the BAA is just one piece of a complex system needed to protect IIHI and PHI.
