
Is Google's AI Gemini HIPAA compliant?


Gemini, Google's AI (previously known as Bard), helps you write, design, and organize with generative AI. However, when it comes to handling sensitive healthcare data, such as protected health information (PHI), HIPAA compliance is fundamental. So, is Gemini HIPAA compliant? Our initial research suggests that it can be, under the conditions described below.


What is Google's AI, Gemini?

Gemini is an artificial intelligence system developed by Google and designed to engage in natural, human-like conversations. It allows end users to use generative AI features to help write content, organize files, visualize information, accelerate workflows, and have more productive meetings.

Gemini and business associate agreements (BAAs)

Under the Health Insurance Portability and Accountability Act (HIPAA), any software or service that handles protected health information (PHI) on behalf of a covered entity is considered a business associate. Business associates are required to sign a business associate agreement, which outlines their responsibilities and obligations regarding PHI protection.

Given Gemini's functionality, it is likely to be considered a business associate when used in healthcare environments.

Upon reviewing Google's official documentation, we found that Google does sign a BAA for certain services, as outlined in its support documentation. Gemini for Google Workspace is included in that BAA.

Note: While Gemini for Google Workspace is covered under this agreement, access to Gemini via gemini.google.com or the mobile applications is not included.

Gemini and data security

One of the primary concerns when evaluating the HIPAA compliance of any software or service is the level of data security it provides. Gemini prioritizes data protection through a multi-layered security infrastructure. It implements various security measures to ensure the confidentiality, integrity, and availability of user data. Some notable security features offered by Gemini include:

  • Enterprise-grade data protections are in place for users with a Gemini for Google Workspace license.
  • Interactions within Gemini for Google Workspace stay inside the organization's Workspace environment: content is stored alongside existing Workspace data and is not shared externally.
  • Gemini integrates with existing Google Workspace security measures, so organizational controls such as data-region policies and data loss prevention (DLP) rules also apply to Gemini content.
  • Content within Gemini for Google Workspace remains exclusive to the organization; it is not used to train models outside the organization without explicit consent.

Is Gemini HIPAA compliant?

Google says, "As of December 2023, Gemini for Google Workspace can support HIPAA workloads. The HIPAA Included Functionality and the Google Workspace and Cloud Identity HIPAA implementation guide have been updated to reflect the inclusion of Gemini for Google Workspace."

Based on our analysis, Google supports data security for Gemini through its multi-layered security infrastructure, data protection, and data loss prevention capabilities. Google's willingness to sign a business associate agreement (BAA) covering Gemini for Google Workspace further supports its use under HIPAA. Moreover, Gemini for Google Workspace is included in Google's HIPAA Included Functionality, making it a suitable platform for handling protected health information within healthcare settings.

Therefore, Gemini can be considered HIPAA compliant only when it is used as part of a Google Workspace account that has signed a business associate agreement with Google and is configured for HIPAA compliance; the consumer versions at gemini.google.com and in the mobile applications are not covered.

Understanding HIPAA compliance

HIPAA compliance extends beyond just technical safeguards and software solutions. When evaluating a tool's or service's compliance, consider the following:

  • Technical safeguards: While tools like Gemini play a role, other technical measures, such as HIPAA compliant email, are equally vital.
  • Employee training: Ensuring all staff members are well-versed in HIPAA regulations and best practices is paramount. Regular training sessions can help prevent unintentional breaches.
  • Regular audits: Periodic assessments of all systems and processes ensure that they remain compliant and adapt to changes in regulations or technology.
  • Data access controls: Implementing strict controls on who can access protected health information, and under what circumstances, is a cornerstone of HIPAA compliance.
