Is Google Cloud Platform HIPAA Compliant?


Thinking about moving some services to the cloud?  Let’s look at whether the Google Cloud Platform is HIPAA-compliant.

We recently helped a medical company evaluate Google Cloud Platform (GCP) as a disaster recovery site.

Here’s what we found about Google Cloud Platform and HIPAA compliance.


Will Google Cloud Platform sign a HIPAA Business Associate Agreement?

Under HIPAA, any company that creates, receives, maintains or transmits PHI on behalf of a covered entity is a Business Associate.

Business Associates must sign a Business Associate Agreement (BAA), a contract in which they commit to safeguarding patients' protected health information.

Google will sign a HIPAA BAA for Google Cloud Platform. When we went through this there was no self-service form online; we had to work with a Google salesperson to execute the agreement, and it took a week or two. Check Google's HIPAA compliance page for the current process before you start, since Google also offers the BAA for acceptance from inside the Cloud Console.

Two things the BAA does not do: it does not cover services outside Google's covered-services list, and it does not make your deployment compliant on its own. Keeping PHI in covered services and configuring them correctly is still your job.

Which Google Cloud Platform services are covered for HIPAA use?

Google spells out exactly which services can be used to hold PHI on its HIPAA compliance page (https://cloud.google.com/security/compliance/hipaa). As of this writing the list includes, among others:

[Image: list of Google Cloud products covered under the Google Cloud BAA, including BigQuery, Cloud Storage and Compute Engine]

Anything not on that list, including services in preview, should be treated as off-limits for PHI until Google adds it.

Our healthcare client needed virtual servers (Google Compute Engine) and large amounts of cold storage for backup (Google Cloud Storage).


What about IT security measures?

There are key controls we look for to confirm that a client can use a cloud environment in a HIPAA-compliant way. Here is what we reviewed for GCP:

A secure connection between Google Cloud Platform and our business

Google Cloud Platform offers Cloud VPN, an IPsec tunnel between your VPC network and your on-premises VPN gateway. Traffic you route through the tunnel is encrypted in transit. Traffic that bypasses it (a VM with a public IP, for example) is protected only by whatever the application itself uses, such as TLS, so keep PHI-bearing VMs on private IPs, restrict firewall rules to the tunnel's address ranges, and use Private Google Access for calls to Google APIs.

[Diagram: Google Cloud VPN tunnel connecting a Compute Engine network to a peer on-premises network]

A way to restrict what users can and can’t do

Google Cloud Platform provides a rich set of predefined and custom roles in Cloud Identity and Access Management (IAM).

After you create a project to hold your servers, you grant each user, group and service account only the roles it needs. Avoid the basic Owner, Editor and Viewer roles, which grant broad access across every service in the project, and prefer granting to groups over individual users so access reviews stay manageable.

[Screenshot: Google Cloud IAM "add members" dialog with role selection]

Multi-factor authentication

Google Cloud Platform sign-in uses your Google account, so you get the same 2-Step Verification you get when logging in to any Google service. It is not on by default, though: enforce it for every user in the Google Workspace or Cloud Identity admin console, and require security keys for anyone holding administrative roles.

[Image: two-factor authentication prompt on a smartphone]

Detailed logging of system and user activity

Cloud Audit Logs record administrative actions (Admin Activity logs) for every service by default, and those logs cannot be disabled. Data Access audit logs, which record who read or wrote the data itself, are off by default for most services (BigQuery is the exception) and must be enabled explicitly. Without them you cannot prove who read a PHI object in Cloud Storage, which is exactly what you need to show in an incident.

Logging can also capture what happens inside each virtual machine by installing Google's logging agent on the VM.

Cloud Logging keeps logs for a limited time by default (30 days in the default log bucket). To retain them longer, create a log sink that exports to a Cloud Storage bucket in the Coldline storage class, and apply a retention policy (with Bucket Lock) so the logs cannot be deleted early. HIPAA requires six years of retention for required documentation (45 CFR 164.316(b)(2)); state law or your own policy may demand more, and Coldline makes even ten years of retention very cheap.
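The IAM and audit-logging checks above are easy to automate against the policy export that gcloud produces. The following script is an added example, not Adelia Risk's or Google's tooling: it lints the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json` for basic roles, public members, off-domain accounts and missing Data Access audit logs. Field names follow gcloud's output; the sample policy and the `clinic.example` domain are constructed for illustration.

```python
"""Lint an exported GCP project IAM policy for HIPAA-relevant gaps.

Added example, not Adelia Risk's or Google's tooling. Input is the JSON from
    gcloud projects get-iam-policy PROJECT_ID --format=json
(field names as gcloud prints them; the sample policy below is constructed).
"""
import json

# Basic roles grant broad access to every service in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Members that make a resource reachable by anyone on the internet.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Audit log types needed to prove who read or changed PHI. Admin Activity
# logs are always on; these three must be enabled explicitly.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def lint_iam_policy(policy, allowed_domains):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{role} is granted to {member} (public access)")
            elif role in BASIC_ROLES:
                findings.append(f"basic role {role} is granted to {member}")
            # Accounts outside your own domains are not governed by your
            # 2-Step Verification policy, so flag any off-domain user.
            if member.startswith("user:"):
                domain = member.split("@", 1)[-1]
                if domain not in allowed_domains:
                    findings.append(f"{member} is outside approved domains")

    # Data Access audit logging is configured per service; the
    # "allServices" entry is the project-wide default.
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") != "allServices":
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            enabled.add(log_cfg["logType"])
            if log_cfg.get("exemptedMembers"):
                findings.append(
                    f"{log_cfg['logType']} audit logs exempt "
                    + ", ".join(log_cfg["exemptedMembers"])
                )
    missing = REQUIRED_LOG_TYPES - enabled
    if missing:
        findings.append(
            "audit log types not enabled for allServices: "
            + ", ".join(sorted(missing))
        )
    return findings


# Constructed sample: what a first-draft disaster-recovery project often looks like.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@clinic.example"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/compute.instanceAdmin.v1", "members": ["user:bob@gmail.com"]},
    {"role": "roles/logging.viewer", "members": ["group:security@clinic.example"]}
  ],
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]}
  ],
  "etag": "BwXyZ=",
  "version": 1
}
""")

if __name__ == "__main__":
    for finding in lint_iam_policy(SAMPLE_POLICY, {"clinic.example"}):
        print("FINDING:", finding)
```

Run it against the sample and you get four findings: the Owner role on a named user, a Cloud Storage viewer binding open to `allUsers`, a consumer Gmail account with instance-admin rights, and DATA_READ audit logs still disabled. Each of those is something an auditor will ask about, and each is a one-line fix in the console or with `gcloud`.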

Encryption Keys

Many companies never rotate their encryption keys.

Google Cloud KMS lets you create keys, rotate them automatically on a schedule, and use them to encrypt data stored in services such as Compute Engine disks and Cloud Storage. KMS is for data-encryption keys; the SSH keys used to log in to servers are managed separately, through OS Login or instance metadata.

[Screenshot: Google Cloud KMS key management console]

Data Encryption

Google Cloud Platform encrypts all customer data at rest by default, "with no additional action required from you."

This is an excellent default position.

They also offer an attractive feature for HIPAA-regulated companies: you can encrypt your data with your own keys kept in Cloud KMS (customer-managed encryption keys, or CMEK).

Be precise about what that buys you. CMEK gives you control of the key lifecycle: you can rotate, disable or destroy the key, and every use of it shows up in your audit logs, so you can cut off access to the data at will. It does not mean Google never holds the key, because Cloud KMS itself runs on Google's infrastructure. If your requirement is that the key never sits with Google, look at Cloud External Key Manager or customer-supplied encryption keys (CSEK), where the key is held outside Google.
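To verify the two points above (keys actually rotate, and PHI disks actually use your keys), the following added example, which is not Adelia Risk's or Google's tooling, checks the JSON that `gcloud kms keys list --keyring RING --location LOC --format=json` and `gcloud compute disks list --format=json` produce. The 90-day rotation limit, the `clinic-dr` project, the `phi` key ring and the sample keys and disks are constructed assumptions; field names follow gcloud's output.

```python
"""Check exported Cloud KMS keys for rotation and Compute Engine disks for CMEK.

Added example, not Adelia Risk's or Google's tooling. Inputs are the JSON from
    gcloud kms keys list --keyring RING --location LOC --format=json
    gcloud compute disks list --format=json
(field names as gcloud prints them; the samples below are constructed).
"""
from datetime import timedelta

# Policy assumption for this example: symmetric keys protecting PHI
# must rotate automatically at least every 90 days.
MAX_ROTATION = timedelta(days=90)


def parse_rotation_period(period):
    """gcloud prints rotationPeriod as a duration string such as '7776000s'."""
    if not period or not period.endswith("s"):
        return None
    return timedelta(seconds=int(period[:-1]))


def check_key_rotation(keys):
    """Flag symmetric keys with no rotation or a rotation slower than policy."""
    findings = []
    for key in keys:
        short = key["name"].rsplit("/", 1)[-1]
        # Only ENCRYPT_DECRYPT (symmetric) keys support automatic rotation.
        if key.get("purpose") != "ENCRYPT_DECRYPT":
            continue
        period = parse_rotation_period(key.get("rotationPeriod"))
        if period is None:
            findings.append(f"{short}: no automatic rotation configured")
        elif period > MAX_ROTATION:
            findings.append(
                f"{short}: rotates every {period.days} days, limit is {MAX_ROTATION.days}"
            )
    return findings


def check_disk_cmek(disks, expected_key_prefix):
    """A disk with no diskEncryptionKey.kmsKeyName uses a Google-managed key."""
    findings = []
    for disk in disks:
        key_name = disk.get("diskEncryptionKey", {}).get("kmsKeyName")
        if not key_name:
            findings.append(f"{disk['name']}: Google-managed key only (no CMEK)")
        elif not key_name.startswith(expected_key_prefix):
            findings.append(f"{disk['name']}: encrypted with unexpected key {key_name}")
    return findings


# Constructed sample data (assumed project, location and key ring).
KEY_PREFIX = "projects/clinic-dr/locations/us-central1/keyRings/phi/cryptoKeys/"

SAMPLE_KEYS = [
    {"name": KEY_PREFIX + "phi-backup", "purpose": "ENCRYPT_DECRYPT",
     "rotationPeriod": "7776000s"},                      # 90 days: fine
    {"name": KEY_PREFIX + "phi-archive", "purpose": "ENCRYPT_DECRYPT",
     "rotationPeriod": "31536000s"},                     # 365 days: too slow
    {"name": KEY_PREFIX + "phi-legacy", "purpose": "ENCRYPT_DECRYPT"},  # never rotates
    {"name": KEY_PREFIX + "report-signer", "purpose": "ASYMMETRIC_SIGN"},  # skipped
]

SAMPLE_DISKS = [
    {"name": "dr-app-1",
     "diskEncryptionKey": {"kmsKeyName": KEY_PREFIX + "phi-backup/cryptoKeyVersions/3"}},
    {"name": "dr-db-1"},  # created without a CMEK: Google-managed key
]

if __name__ == "__main__":
    for finding in check_key_rotation(SAMPLE_KEYS) + check_disk_cmek(SAMPLE_DISKS, KEY_PREFIX):
        print("FINDING:", finding)
```

The disk check matters more than it looks: CMEK has to be chosen when each disk or bucket is created, so a DR environment built by hand usually ends up with a mix of customer-managed and Google-managed keys, and only an inventory like this will show it.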

Speaking of that, what about Google employee access to my data?

Google has a documented process governing when its employees can access customer data, described in the data access section of its security whitepaper:

https://cloud.google.com/security/whitepaper#data_access_and_restrictions

Those controls are covered by Google's third-party audits (SOC 2 and ISO 27001 among them). If you want evidence in your own logs rather than in Google's audit reports, Access Transparency records Google staff access to your content, and Access Approval lets you require your explicit approval before such access happens.

What about web-based applications?

Google offers Web Security Scanner, which crawls web applications you deploy on App Engine, GKE or Compute Engine and looks for common weaknesses such as cross-site scripting, mixed content and outdated libraries. Treat it as a baseline rather than a full assessment: it only finds what it can reach by crawling, and it will not catch authorization flaws in your application logic.

[Screenshot: Google Cloud Web Security Scanner findings]

Customer workloads also sit behind the same network-level intrusion detection that protects Google's own services. That does not replace monitoring inside your VMs, which remains your responsibility.

Is Google Cloud Platform HIPAA Compliant?

[Diagram: Google Cloud and customer HIPAA shared responsibility model]

Based on all of the measures described above, Google Cloud Platform can definitely be used in a way that is HIPAA compliant.

However, there is a fair bit of complexity. Under the shared responsibility model, Google is responsible for the security of the underlying infrastructure, and you are responsible for how you use it: keeping PHI in covered services, restricting access with least-privilege IAM roles and enforced 2-Step Verification, enabling and retaining audit logs, encrypting data with keys you control, and making sure you never expose PHI through a misconfiguration.

Still feeling a bit overwhelmed?

Get some free help!  Talk to an Adelia Risk cybersecurity consultant.

Frequently Asked Questions

Is Google Cloud Platform HIPAA compliant?

Yes. Google Cloud Platform (GCP) can be used in a HIPAA-compliant way if you sign Google's BAA, keep PHI within the services the BAA covers, and configure access control, logging and encryption correctly.

