Day 39 — Google, do you take Invincible as your business associate?
Today I sign a BAA with Google and enable strong security controls.
Today we made it official with Google: we signed a Business Associate Agreement (BAA). This agreement is required for us to meet the requirements of HIPAA.
When is a BAA Required?
Any time a business associate relationship exists between two parties, they are required to execute a BAA. There are two kinds of business associate relationships:
- Between a covered entity and a business associate; and
- Between a business associate and a subcontractor business associate (this is the one that applies to us).
Why are we signing one with Google?
We’ll be using Google to store some PHI, including interview notes and contacts within Google Sheets / Google Drive. Because of this, we are required to sign a BAA with them that outlines exactly how our data will be managed.
What Else is Required?
Quite a lot, actually! See this really great document for signing the BAA and additional considerations you’ll need to make if you’re storing PHI and are HIPAA-regulated in Google.
In addition to signing the BAA, I ended up completing the following tasks within the Google Admin Console:
The biggest surprise from the process was that Google separates “core services” from “additional services”, and only core services are covered under a BAA. Anything listed under additional services (e.g., YouTube, Google Analytics, Play Console, etc.) is not covered and any users with PHI access are restricted from using these services. For me, that meant creating new groups in our account management to separate users with PHI access from those without access.
I leave this process extremely impressed by Google’s willingness to accommodate a BAA without significant overhead and charges. Every SAAS Service I’ve looked at charges 10x their price to take on the liability of PHI. Not only did Google not charge us (except for $6/mo to add a new full-access user), but the implementation was super easy to follow and implement.
Continue working through our HIPAA backlog.