Microsoft used to be one of the only large cloud providers willing to sign a HIPAA Business Associate Agreement (BAA). That has changed now that Google has announced it will sign a BAA for customers who use its Google Apps platform. The covered Google Apps services are Gmail, Google Calendar, Google Drive, and Google Apps Vault.
Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google.
Administrators for Google Apps for Business, Education, and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services.
BAA Required to use Google Services
Google has also made it clear that a customer who does not have a BAA in place and is storing Protected Health Information (PHI) should not use Google services in connection with that PHI.
Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.
Not Free
Google is willing to sign a BAA, but only for users of its paid Google Apps services. The BAA is not available for the free consumer versions of Gmail, Google Calendar, Google Drive, etc.
To request a HIPAA Business Associate Agreement (BAA), you must be signed in to an Administrator account for your Google Apps for Business, Education, or Government domain. Non-Administrator Google Apps users or users of Google Apps Free Edition (sometimes referred to as “Standard Edition”) cannot request a BAA from Google at this time.
Google Apps for Business starts at $5/month per user or $50/year per user.
Limited Google App Services
Google’s BAA only covers certain Google Apps services: Gmail, Google Calendar, Google Drive, and Google Apps Vault. Other services such as Google Docs, Google Groups, Google+, and Google Sites are not covered by the BAA, so an administrator should disable them for the domain rather than rely on users to avoid putting PHI in them.
Understand a HIPAA Risk Assessment
Organizations need to perform a Risk Assessment to identify the threats to patient information, estimate how likely each is and how severe its impact would be, and decide what additional security measures should be put in place to protect that information. Signing a BAA with Google does not replace this step; the BAA covers Google’s obligations, not the organization’s own.
Download the Guide to Understanding a HIPAA Risk Assessment to better understand the HIPAA Risk Assessment process.
I don’t think expecting a free service provider to sign a BAA is a reasonable expectation. So I think finding out that Google will only do it for paid customers is not a surprise. What other free service in existence is willing to sign a BAA for customers of its free service?
Larry – thanks for your feedback. I totally agree with you regarding free services. The reality is many smaller organizations are using free Gmail, Hotmail, AOL and Yahoo! for email. We wanted to make it clear that even though Google will now sign a BAA, these organizations will need to migrate from the free services to paid services to be in compliance. We didn’t want people hearing that Google will sign a BAA and think that continuing to use free Gmail would make them compliant.
Thanks again!
Art
Hi, just wanted to clarify for those who aren’t familiar with the paid Google Apps for Business: it does include Gmail, Calendar, Drive, etc. (The article may have misled some folks into thinking it was a different set of apps.)
What you get for paying is the ability to have your Google Apps through your own domain name ([email protected] instead of [email protected]), 30GB of storage per account instead of 15GB, elimination of ads, the ability to transfer ownership of non-Google files in Drive, and some very robust administrative capabilities to give greater security, control over employee data and access to certain apps.
Oh, and the willingness of Google to sign a BAA, too!