Thinking about moving some services to the cloud?  Let’s look at whether Google Cloud Platform is HIPAA-compliant.

We recently helped a medical company evaluate Google Cloud Platform (GCP) as a disaster recovery site.

Here’s what we found about Google Cloud Platform and HIPAA compliance.

Will Google Cloud Platform sign a HIPAA Business Associate Agreement?

Any company that handles PHI is what’s called a HIPAA Business Associate.

Business Associates must sign a contract that says they will protect a patient’s confidential information.

Google will sign a HIPAA Business Associate agreement.  You can’t find the form online — you’ll need to work with a salesperson to execute an agreement.  Expect it to take a week or two.

Which Google Cloud Platform services are covered for HIPAA use?

Google spells out exactly which services can be used to hold PHI on their HIPAA compliance page.  As of this writing, this includes:


Our healthcare client needed virtual servers (Google Compute Engine) and large amounts of cold storage for backup (Google Cloud Storage).

What about IT security measures?

There are specific items we look for to make sure that clients will be able to use a cloud environment in a HIPAA-compliant way.  Here are the key ones we reviewed:

A secure connection between Google Cloud Platform and our business

Google Cloud Platform provides a secure VPN for connecting into their environment.  Anything sent between GCP and your business is sent over this encrypted, secure tunnel.


A way to restrict what users can and can’t do

Google Cloud Platform provides a robust set of roles and permissions in their Identity and Access Management Console.

After you create a project to hold your servers, you can set what users can and can’t do.


Multi-factor authentication

Google Cloud Platform is tied to your Google account.  You get the same two-factor authentication experience you get when you log in to any Google service.


Detailed logging of system and user activity

By default, Google Cloud Platform will log every human and system interaction with the GCP environment.  This is critical for HIPAA compliance: in case of an incident, you need to be able to prove what did or didn’t happen.

Logging can also record what happens in each virtual machine.

If you set it up the right way, logging data is also stored on Google Cloud Platform’s “Coldline” storage service.  This lets you retain logs for 10 years, as required by HIPAA, at a very low cost.
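As an added example (not part of the original post or Google’s own documentation), here is how that logging setup can be expressed in Terraform: audit logs are turned on for all services, routed by a log sink into a Coldline bucket, and the bucket is given a locked 10-year retention policy so that log objects cannot be deleted early.  The project id and bucket name are placeholders you would replace.

```hcl
# Turn on Admin Activity and Data Access audit logs for every service
# in the project (Data Access logs are not all on by default).
resource "google_project_iam_audit_config" "all_services" {
  project = "example-hipaa-project"   # placeholder project id
  service = "allServices"

  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}

# Coldline bucket that receives the exported logs.
resource "google_storage_bucket" "audit_logs" {
  name                        = "example-hipaa-audit-logs"   # placeholder, must be globally unique
  location                    = "US"
  storage_class               = "COLDLINE"
  uniform_bucket_level_access = true

  # 10 years = 10 * 365 * 86400 seconds. Locking the policy is permanent:
  # once locked, neither the objects nor the bucket can be deleted until
  # every object has aged past the retention period.
  retention_policy {
    retention_period = 315360000
    is_locked        = true
  }
}

# Route all Cloud Audit Logs entries from the project into the bucket.
resource "google_logging_project_sink" "audit_to_coldline" {
  name                   = "hipaa-audit-logs-to-coldline"
  destination            = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
  filter                 = "logName:\"cloudaudit.googleapis.com\""
  unique_writer_identity = true
}

# The sink writes with its own service account; it only needs to create
# objects, never to read or delete them.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit_logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.audit_to_coldline.writer_identity
}
```

Test the configuration with `is_locked = false` first; lock the retention policy only once you are satisfied, because a locked policy cannot be shortened or removed.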

Encryption Keys

Many companies never change their encryption keys.

Google Cloud Platform offers a robust key management service to store and rotate encryption keys used to connect to servers.


Data Encryption

Google Cloud Platform encrypts all data at rest, by default, “with no additional action required from you.”

This is an excellent default position.

They also offer an attractive feature for HIPAA-compliant companies.  You can also encrypt your data using your own keys, stored in the aforementioned Key Management Service.

This gives you extra comfort, if you choose to implement it, that nobody at Google can access your sensitive data.

Speaking of that, what about Google employee access to my data?

Google Cloud Platform has a solid process for controlling when their administrators can log in to your systems.

Here it is: https://cloud.google.com/security/whitepaper#data_access_and_restrictions

This process is also thoroughly audited by third party auditors.

What about web-based applications?

Google offers an automated security scanning service that looks for common vulnerabilities in web-based systems that you choose to deploy at Google.


Customers also get access to the same intrusion detection technology and services that Google uses to protect its core business.

Is Google Cloud Platform HIPAA Compliant?

Based on all of the measures described above, Google Cloud Platform can definitely be used in a way that is HIPAA compliant.

However, there is a fair bit of complexity.  You need to make sure you are configuring the environment the right way, setting up logging the right way, and ensuring you don’t expose your PHI to data breaches.

Still feeling a bit overwhelmed?

Get some free help!  Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.

Talk to us!

Have questions or feedback?  Please share them in the comments below.
