Google Sheets is a web-based Google program that allows the creation, viewing and sharing of spreadsheets. Can healthcare organizations use Google Sheets with identifiable protected health information without violating HIPAA rules?
The HIPAA Rules require healthcare organizations to implement safeguards that preserve the confidentiality, availability and integrity of PHI. Data is easier to secure when internal system controls are in place. However, when third parties are contracted for services that require PHI access, the only way to ensure data security is to oblige the service provider to abide by HIPAA rules covering security, privacy and breach notifications.
A third party that is given access to PHI in order to perform its services is considered a business associate. Before providing any service or accessing PHI, a business associate must first enter into a contract called a business associate agreement (BAA) with the HIPAA-covered entity. As stipulated in the agreement, the business associate promises to comply with the applicable rules covering HIPAA Privacy, Security and Breach Notification. Sharing PHI before a BAA is signed is considered a HIPAA violation.
Even though Google claims that it does not view any information stored in Google Sheets, a BAA is still required because Google can potentially access the stored information on its servers. Google acknowledges the requirements of HIPAA and is committed to protecting the data privacy of users. Hence, Google has no objection to signing a BAA.
In fact, Google’s terms and conditions state that HIPAA-covered entities and business associates that wish to use G Suite (which includes Google Drive, Google Docs, Google Sheets, Google Forms and Google Slides) with PHI must first have a duly signed BAA. Google supports HIPAA compliance and willingly signs a BAA for the following products: G Suite Basic, G Suite for Education, G Suite Business and G Suite Enterprise domains.
Once the necessary BAA is signed for the use of Google Sheets and other G Suite products, the responsibility to use these products in a manner that will not violate HIPAA Rules rests with the covered entity and business associate.