Last week I had a call with a medical imaging startup in Honolulu. During our call, one of their key objectives was to determine which cloud vendors offer HIPAA compliant services. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector. In previous posts, we’ve covered email providers like Gmail, Hotmail, Yahoo, Outlook, and AOL and their capabilities for HIPAA compliance. The purpose of this post is to determine whether what Google Cloud offers is HIPAA compliant.
About Google Cloud
Google Cloud is a computing service by Google that offers hosting on the same infrastructure that Google uses internally for consumer products like Google Search and YouTube. Google Cloud provides developer products to build a range of solutions from simple websites to complex applications. The Google Cloud platform comprises a suite of enterprise services. It provides a host of development tools like hosting and computing, cloud storage, data storage, translation APIs and prediction APIs.
Google Cloud and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We checked the Google Cloud site and found a guide called HIPAA Compliance on Google Cloud Platform. In the document, Google wisely points out: "Google Cloud Platform supports HIPAA compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance."
Does Google Cloud Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component of HIPAA compliance between a covered entity and a business associate. Since Google Cloud offers one, we conclude they are in fact a HIPAA compliant cloud vendor. It's important to note, however, that the BAA only includes coverage for Google Cloud Platform. HIPAA compliance for Google Workspace is covered separately.
Google Workspace email isn't HIPAA compliant out of the box.
What's Covered Under a BAA with Google Cloud?
Now that we've determined Google Cloud will sign a BAA, the next question is which cloud services provided by Google are actually covered by their BAA. We found the answer to that on their Google Cloud Security page.
The Cloud Platform BAA currently covers:
- Compute Engine
- Cloud Storage
- Cloud SQL
- Cloud Dataproc
- Container Engine
- Container Registry
- Cloud Dataflow
- Cloud Bigtable
- Cloud Pub/Sub
Conclusion: Many parts of Google Cloud are HIPAA Compliant.