The following is a guest post by Liam Johnson, who is Editor-in-Chief of the website ComplianceHome.com. Feel free to comment*, or discuss among yourselves.
*Comments are moderated and may not appear instantly.
Getting HIPAA Compliant in Google Cloud Platform
Is Google’s Cloud Platform HIPAA compliant? And is Google’s Cloud Platform a suitable alternative to AWS and Azure for healthcare organizations? In this post we determine whether Google’s Cloud Platform is HIPAA compliant, and whether healthcare organizations can use it to host infrastructure, build applications and store files that contain protected health information.
The use of cloud platforms by healthcare organizations has increased tremendously: the healthcare cloud computing market was estimated to be worth $4.65 billion in 2016, and this figure is expected to exceed $14.76 billion by 2022.
Will Google Sign a Business Associate Agreement that Covers its Cloud Platform?
The Omnibus Rule came into effect in September 2013, and since then Google has signed Business Associate Agreements (BAAs) with HIPAA covered entities for G Suite. Google subsequently expanded its BAA to include the Google Cloud Platform.
Currently, Google’s BAA covers the majority of its cloud services, including Cloud Storage, Compute Engine, Cloud SQL for PostgreSQL, Cloud SQL for MySQL, Container Registry, Kubernetes Engine, BigQuery, Cloud Dataproc, Cloud Translation API, Cloud Pub/Sub, Cloud Bigtable, Cloud Dataflow, Stackdriver Logging, Cloud Speech API, Genomics, Cloud Machine Learning Engine, Cloud Datalab, Stackdriver Debugger, Stackdriver Trace, Stackdriver Error Reporting, Cloud Data Loss Prevention API, Cloud Natural Language, Cloud Load Balancing, Google App Engine, Cloud Vision API, Cloud Spanner and Cloud VPN.
In 2016, Google partnered with the mobile backend service provider Kinvey, which made mobile backend as a service (mBaaS) available on Google Cloud. The mBaaS offering integrates connectors to electronic health record systems that support healthcare apps.
Is the Google Cloud Platform HIPAA Compliant?
Since Google will sign a BAA with any HIPAA covered entity, does this mean that the Google Cloud Platform is HIPAA compliant?
HIPAA has one overarching requirement, and that is the BAA. Signing it means that Google’s data protection and security mechanisms have been assessed and deemed to meet or exceed the minimum requirements of the HIPAA Security Rule. It also means that the cloud services Google offers meet the Privacy Rule requirements, and that Google understands its responsibilities as a HIPAA business associate. Google therefore agrees to offer HIPAA-compliant and secure infrastructure for the processing and storage of protected health information (PHI).
Nevertheless, it remains the responsibility of the healthcare organization to ensure that all HIPAA rules are followed when it uses the Google Cloud Platform, and to ensure that its cloud-based applications and infrastructure are configured and secured correctly.
Covered entities have the duty to disable any Google services which the business associate agreement does not cover, to configure their setup so that data cannot be deleted accidentally, to implement access controls carefully, to review audit logs regularly, and to set destinations for all audit log exports. Moreover, care must be taken when uploading any PHI to the cloud to ensure that it is adequately secured and is not accidentally shared with unauthorized persons.
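One way to check a project against the duties listed above, as an added example that is not part of the original post: the script below audits a constructed snapshot of a GCP project (enabled services, IAM policy with audit configs, log sinks, in the JSON shapes gcloud prints) and reports every duty that is not met. The BAA-covered allow-list and the snapshot contents are assumptions for the example, not Google’s list or a real project.

```python
# Added example (not from the original post). The allow-list of BAA-covered
# services is an assumption for this example, not Google's actual list.
COVERED_SERVICES = {"compute.googleapis.com", "storage.googleapis.com",
                    "sqladmin.googleapis.com", "logging.googleapis.com"}

# Constructed project snapshot (enabled services, IAM policy, log sinks).
SNAPSHOT = {
    "enabled_services": ["compute.googleapis.com", "storage.googleapis.com",
                         "sheets.googleapis.com"],
    "iam_policy": {
        "bindings": [
            {"role": "roles/owner", "members": ["user:admin@example.com"]},
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        ],
        "auditConfigs": [
            {"service": "storage.googleapis.com",
             "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        ],
    },
    "log_sinks": [],
}

def audit_project(snapshot, covered=COVERED_SERVICES):
    """Return the list of findings; an empty list means every duty is met."""
    findings = []
    # Duty: disable any enabled service the BAA does not cover.
    for svc in snapshot["enabled_services"]:
        if svc not in covered:
            findings.append(f"service not covered by BAA: {svc}")
    policy = snapshot["iam_policy"]
    # Duty: access controls -- no public principal on any role.
    for b in policy.get("bindings", []):
        for p in sorted({"allUsers", "allAuthenticatedUsers"} & set(b["members"])):
            findings.append(f"public principal {p} on {b['role']}")
    # Duty: audit logs -- every covered service records data access
    # (DATA_READ and DATA_WRITE), either directly or via "allServices".
    configured = {c["service"]: {a["logType"] for a in c.get("auditLogConfigs", [])}
                  for c in policy.get("auditConfigs", [])}
    for svc in snapshot["enabled_services"]:
        log_types = configured.get("allServices", set()) | configured.get(svc, set())
        if svc in covered and not {"DATA_READ", "DATA_WRITE"} <= log_types:
            findings.append(f"data-access audit logs not enabled for {svc}")
    # Duty: an audit log export destination is set.
    if not any(s.get("destination") for s in snapshot["log_sinks"]):
        findings.append("no audit log export sink configured")
    return findings
```

Running `audit_project(SNAPSHOT)` on the constructed snapshot yields five findings: an uncovered service, a public binding, two services without data-access audit logs, and no export sink.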