Google cloud platform to be HIPAA compliant, support BAAs

Google, following up on its move late last year to enter into business associate agreements (BAAs) enabling its Google Apps customers to support HIPAA-regulated data, recently announced that its cloud platform will support BAAs as well.

In a Feb. 5 blog post, Google Cloud Platform Product Manager Matthew O'Connor discussed the difficulties that developers building healthcare-related applications face in complying with HIPAA.

"Not only do you need the right code and a reliable user experience, sometimes it feels like you need to be a lawyer, too," O'Connor said. "When building in the cloud, it can be challenging to ensure that you're complying with [HIPAA] regulations."

Just prior to the announcement, Boston-based health attorney and HealthBlawg author David Harlow, who also serves as a FierceHealthIT Editorial Advisory Board member, predicted the move by Google. Answering follow-up questions from attendees at FierceHealthcare's January webinar, "Three things you must know about the new HIPAA rules," Harlow noted that the Omnibus Rule "brought Google and Amazon to the table … because they had not developed their own" agreements.

"If they had not developed their own BAAs, the Omnibus Rule would have imposed its own set of standard BAA provisions," Harlow said to an attendee asking about HIPAA-compliant online file-sharing sites.

This week, he reiterated that the move was an important one for Google, in an email to FierceHealthIT.

"I think this is encouraging," Harlow said. "If Google and Amazon are both able to support HIPAA compliant development of applications, that's a good thing."

Last March, Google settled a case with 38 states, agreeing to pay a $7 million fine after it collected personal health information during its Street View project. As part of the agreement, Google also said it would educate its employees on confidentiality of user data.

In 2012, several members of Congress expressed concern that Google's then-new privacy policy violated the Health Insurance Portability and Accountability Act (HIPAA). The policy combined Google's previous policies, enabling it to share user information across services. Lawmakers were concerned that searching for healthcare information on Google without logging out would cause a person to be tracked across other sites. Harlow told FierceHealthIT then that he didn't see it as a violation of HIPAA because the user is releasing their personal health data themselves.

To learn more:
- read the blog post
