Microsoft used to be one of the few large cloud providers willing to sign a HIPAA Business Associate Agreement (BAA). That has changed now that Google has announced that it will sign a BAA for customers that use its Google Apps platform. Google Apps includes Gmail, Google Calendar, Google Drive, and Google Apps Vault services.
Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google.
Administrators for Google Apps for Business, Education, and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services.
BAA Required to use Google Services
Google has also made it clear that if a customer does not have a BAA and is storing Protected Health Information (PHI), they should not use Google products.
Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.
Google is willing to sign a BAA, but only for users of its paid Google Apps services. The BAA is not available for Google’s free services (Gmail, Google Calendar, Google Drive, etc.).
To request a HIPAA Business Associate Agreement (BAA), you must be signed in to an Administrator account for your Google Apps for Business, Education, or Government domain. Non-Administrator Google Apps users or users of Google Apps Free Edition (sometimes referred to as “Standard Edition”) cannot request a BAA from Google at this time.
Google Apps for Business starts at $5/month per user or $50/year per user.
Limited Google App Services
Google’s BAA covers only certain Google Apps services, including Gmail, Google Calendar, and Google Drive. Other services such as Google Docs, Google Groups, Google+, and Google Sites are not covered by the BAA and should be disabled.
Understand a HIPAA Risk Assessment
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.
to better understand the HIPAA Risk Assessment process