Google Forms is a popular web-based service that allows users to create surveys, collect feedback, and analyze results. While it is convenient for various purposes, including business and education, healthcare organizations must be cautious when using Google Forms to collect, store, or share Protected Health Information (PHI). In this article, we will explore the requirements for making Google Forms HIPAA compliant and discuss the steps healthcare organizations can take to ensure the security and privacy of PHI.
Understanding HIPAA Compliance
Before delving into the specifics of making Google Forms HIPAA compliant, it is crucial to understand the basics of HIPAA compliance. The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for protecting sensitive patient data. Under HIPAA, certain information about an individual’s health or healthcare services is classified as Protected Health Information (PHI). Healthcare organizations, known as Covered Entities, and their business partners, known as Business Associates, must comply with HIPAA regulations to safeguard PHI.
Google Forms and HIPAA Compliance
By default, Google Forms does not support HIPAA compliance. The service is part of the Google Drive productivity suite, which lacks the necessary capabilities to comply with the technical safeguards of the HIPAA Security Rule. However, this does not mean healthcare organizations cannot use Google Forms. If the service is not used for collecting, storing, or sharing PHI, there is no requirement for Google Forms or any other productivity service to be HIPAA compliant.
The challenge arises when healthcare organizations want to use Google Forms for handling PHI. In such cases, it is necessary to make Google Forms HIPAA compliant by subscribing to an appropriate Google Workspace or Cloud Identity package, entering into a Business Associate Agreement (BAA) with Google, configuring the service to comply with HIPAA, and providing training to the workforce on the compliant use of Google Forms.
Selecting the Correct Workspace Package
Healthcare organizations must choose the right Google Workspace or Cloud Identity package to make Google Forms HIPAA compliant. While all premium Cloud Identity packages support HIPAA compliance, not all Workspace packages provide the necessary capabilities. It is essential to consider the specific needs of the organization and the additional security measures required for other Workspace services, such as Data Loss Prevention.
Signing the Business Associate Agreement
Healthcare organizations must sign a Business Associate Agreement (BAA) with Google to ensure HIPAA compliance. Google does not enter into Business Associate Agreements with Covered Entities directly but offers a Business Associate Addendum for “Core Services.” Google’s Core Services, which include Google Forms, are covered by the BAA. Administrators with the necessary privileges can electronically sign the document within the Google Workspace Admin console.
It is crucial for Covered Entities and Business Associates to carefully review and understand the clauses of the Business Associate Addendum, particularly those related to Applicability and Customer Obligations. Compliance with these clauses is essential to maintain the validity of the Addendum.
Configuring Google Forms for Compliance
Configuring Google Forms to be HIPAA compliant requires certain adjustments. System administrators should set file-sharing permissions to prevent forms containing PHI from being shared with external domains. The default file visibility setting should be “Private to the Owner.” Additionally, administrators can restrict form sharing between individuals or Shared Drives, although this is not mandatory.
In addition to configuring Google Forms, it is necessary to ensure that any other services integrated with Google Forms, such as Google Sheets, are HIPAA compliant. System administrators should set up Administrator Notifications to detect and report unusual activity. Creating Data Loss Prevention policies is crucial to specify what types of sensitive data can be shared and with whom.
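As an added audit example (not code from Google or from this article), the following Python flags Forms whose Drive sharing permissions reach outside the organization's domain, which is the condition the sharing settings above are meant to prevent. It assumes records shaped like Drive API v3 file and permission resources (type, role, emailAddress, domain fields) and uses constructed sample data with a placeholder domain.

```python
# Added audit example: flag Google Forms whose Drive permissions grant
# access outside the organization's domain. Record shapes follow Drive
# API v3 file/permission resources (assumed); sample data is constructed.
ORG_DOMAIN = "example-clinic.invalid"  # placeholder organization domain
FORM_MIME = "application/vnd.google-apps.form"

# Constructed sample resembling files.list output requested with
# fields="files(id,name,mimeType,permissions(type,role,emailAddress,domain))"
SAMPLE_FILES = [
    {"id": "f1", "name": "Intake questionnaire", "mimeType": FORM_MIME,
     "permissions": [{"type": "user", "role": "owner",
                      "emailAddress": "nurse@example-clinic.invalid"}]},
    {"id": "f2", "name": "Follow-up survey", "mimeType": FORM_MIME,
     "permissions": [{"type": "user", "role": "owner",
                      "emailAddress": "admin@example-clinic.invalid"},
                     {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Referral form", "mimeType": FORM_MIME,
     "permissions": [{"type": "user", "role": "owner",
                      "emailAddress": "doc@example-clinic.invalid"},
                     {"type": "user", "role": "writer",
                      "emailAddress": "partner@other-org.invalid"},
                     {"type": "domain", "role": "reader",
                      "domain": "example-clinic.invalid"}]},
    {"id": "s1", "name": "Budget",
     "mimeType": "application/vnd.google-apps.spreadsheet",
     "permissions": [{"type": "anyone", "role": "reader"}]},
]

def is_external(perm, org_domain):
    """True if a single permission grants access outside org_domain."""
    kind = perm.get("type")
    if kind == "anyone":
        return True  # link sharing: anyone with the link can open it
    if kind == "domain":
        return perm.get("domain", "").lower() != org_domain
    if kind in ("user", "group"):
        email = perm.get("emailAddress", "")
        return email.rsplit("@", 1)[-1].lower() != org_domain
    return True  # unknown permission type: report it for review

def external_form_shares(files, org_domain=ORG_DOMAIN):
    """Return {file_id: [offending permissions]} for Forms only."""
    findings = {}
    for f in files:
        if f.get("mimeType") != FORM_MIME:
            continue  # other Drive types are out of scope for this check
        bad = [p for p in f.get("permissions", []) if is_external(p, org_domain)]
        if bad:
            findings[f["id"]] = bad
    return findings
```

Against the sample data, `external_form_shares(SAMPLE_FILES)` reports f2 (link sharing) and f3 (an external collaborator) and ignores the spreadsheet; the same logic can be pointed at a live files.list response once a Workspace credential is available.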
Training Users on Compliant Use of Google Forms
Implementing the necessary configurations is not enough to achieve HIPAA compliance. Training workforce members on the compliant use of Google Forms is equally essential. Even with the proper configurations, user discretion plays a role in the security and privacy of PHI. Training should emphasize the importance of controls, the risks of phishing, and the need to refrain from including PHI in form and folder titles.
Integrating HIPAA training into mandatory security and awareness programs is recommended to ensure that employees understand their responsibilities and the potential consequences of non-compliance. By providing comprehensive training, healthcare organizations can minimize the risk of violations and promote a culture of HIPAA compliance.
In conclusion, while Google Forms is not HIPAA compliant by default, healthcare organizations can make it compliant by following specific steps. Subscribing to an appropriate Google Workspace or Cloud Identity package, signing a Business Associate Addendum, configuring the service, and providing training to the workforce are all essential components of achieving HIPAA compliance. Healthcare organizations must assess their requirements carefully, review the terms of the Business Associate Addendum, and seek professional compliance advice if needed. With the proper measures in place, healthcare organizations can leverage the convenience of Google Forms while ensuring the security and privacy of PHI.
Is it possible to use Google Forms via a personal Google account?
Yes, it is possible to use Google Forms via a personal Google account if the service is not used to collect, store, or share PHI. If a healthcare organization wants to use Google Forms for PHI-related purposes, it is necessary to use a Google Workspace or Cloud Identity account with the appropriate safeguards implemented.
Are third-party applications covered under Google Workspace BAA?
Third-party applications, including add-ons, are not covered by the Business Associate Agreement (BAA) included with Google Workspace. Healthcare organizations should refer to the HIPAA Implementation Guide for further information regarding using third-party applications in a HIPAA-compliant manner.
How should documents be sent to an external domain in a manner that supports HIPAA compliance?
When sharing PHI within or outside the Google Workspace domain, healthcare organizations should follow their organizational policies on handling PHI. The corresponding sharing method within or outside of Google Workspace should be chosen to comply with those policies and the domain-wide settings. The HIPAA Implementation Guide provides guidance on limiting access to PHI within a Google Workspace domain.
Does Google plan to add additional Google products to the HIPAA Included Functionality?
Google continues to evaluate the scope of the HIPAA Included Functionality and may include additional products in the future. It is important to note that the Cloud Data Processing Addendum (CDPA) and the Google Workspace BAA terms do not extend to Additional Google Services. Google is actively exploring ways to provide additional controls for Additional Google Services in the future.