Google Forms is a versatile tool that allows users to create custom surveys, questionnaires, and data collection forms. However, for organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) requirements, it is crucial to ensure that the data collected through Google Forms remains safe, secure, and compliant with HIPAA regulations. This guide will explore the steps and best practices to make Google Forms HIPAA compliant.
Understanding HIPAA Compliance
Under HIPAA, certain information about an individual’s health or healthcare services is classified as Protected Health Information (PHI). Organizations that handle PHI must follow specific security and privacy requirements to protect this sensitive data’s confidentiality, integrity, and availability.
Determining HIPAA Applicability
Before using Google Forms for collecting and storing PHI, it is essential to determine whether your organization is subject to HIPAA requirements. Suppose you are a covered entity, such as a healthcare provider, health plan, healthcare clearinghouse, or a business associate that works with covered entities. In that case, you must comply with HIPAA regulations.
Signing a Business Associate Agreement (BAA) with Google
Organizations subject to HIPAA must sign a Business Associate Agreement (BAA) with Google to use Google Workspace or Cloud Identity with PHI. The BAA establishes the responsibilities and obligations of both parties in safeguarding PHI. Google Workspace and Cloud Identity customers who have not signed a BAA with Google must not use Google services in connection with PHI.
Obtaining a Copy of the HIPAA BAA
Customers can obtain a copy of the agreement after electronically accepting the HIPAA BAA via the Admin console. The electronic agreement holds the same legal effect as a paper-based agreement. To demonstrate electronic acceptance, customers can produce a screenshot of their Admin Console/HIPAA acceptance displayed in the Legal and Compliance section.
HIPAA Included Functionality in Google Workspace
Google Workspace offers several products and features that can be used for HIPAA compliance. These products have specific safeguards and controls in place to protect PHI. Administrators should review the HIPAA Included Functionality to ensure they utilise the appropriate tools for their compliance needs.
|Google Workspace Product
|HIPAA Included Functionality
|File storage and sharing
|Scheduling and appointments
Organizing Data on Google Services
To maintain HIPAA compliance, it is essential to understand how to organize data on Google services when handling PHI. Google has published the Google Workspace and Cloud Identity HIPAA Implementation Guide, which provides detailed instructions for employees responsible for HIPAA implementation and compliance. The guide outlines best practices for data organization, access controls, and sharing PHI within a Google Workspace domain.
Sharing PHI with External Domains
When sharing PHI with external domains, following organizational policies on handling PHI and complying with domain-wide settings is crucial. Customers can choose the appropriate sharing method within or outside Google Workspace to align with their policies. The HIPAA Implementation Guide offers guidance on limiting access to PHI, such as sharing with specific recipients rather than allowing access to anyone with the link.
Third-Party Applications and Google Workspace BAA
Third-party applications, including add-ons, are not covered under the HIPAA Included Functionality and the Google Workspace BAA. Organizations must assess the compliance of third-party applications with HIPAA regulations before integrating them with Google Workspace. The HIPAA Implementation Guide provides additional information on third-party applications and their compatibility with HIPAA requirements.
Google’s Commitment to HIPAA Compliance
Google continues to evaluate the scope of the HIPAA Included Functionality and may add additional products in the future. However, it is essential to note that the Cloud Data Processing Addendum (CDPA) and the Google Workspace BAA terms do not extend to Additional Google Services. Google is actively working on providing additional controls for Additional Google Services to enhance HIPAA compliance.
Staying Up to Date with Google Workspace Compliance Resources
Administrators can refer to Google Workspace’s legal and compliance resources to stay informed about the latest updates and resources related to Google Workspace compliance, including HIPAA. These resources provide valuable information on the workspace’s various compliance topics, including data protection, privacy, and regulatory requirements.
Ensuring HIPAA compliance when using Google Forms is vital for organizations handling PHI. By signing a BAA with Google, understanding the HIPAA Included Functionality, and following best practices for organizing and sharing data, organizations can leverage the power of Google Forms while maintaining the security and privacy of sensitive healthcare information. Stay informed and updated with Google’s compliance resources to ensure adherence to HIPAA regulations.