Google Forms is HIPAA compliant and can be used to collect, export, and share protected health information provided the service is used as part of a Workspace plan that supports HIPAA compliance, the service settings are configured to comply with the Security Rule, and the workforce is trained on its compliant use. It will also be necessary to agree to Google’s Business Associate Addendum before the service is used to collect PHI.
Google Forms is a survey administration tool can be used to conduct opinion polls, manage event registrations, and collect information through internal or public-facing websites. When used in ways that do not involve uses and disclosures of data covered by the HIPAA Privacy Rule, the solution could be used by healthcare organizations without HIPAA compliance being a consideration.
However, if Google Forms is used to collect, store, or share protected health information – or if protected health information is exported to another service for analysis – the HIPAA Administrative Simplification Regulations apply. Additionally, Google would be considered a business associate of the healthcare organization.
Is Google Forms HIPAA Compliant?
Before any software application can be used in connection with protected health information, healthcare organizations must ensure safeguards are in place to ensure the confidentiality, integrity, and availability of any protected health information that is created, received, stored, maintained, or transmitted by that software.
Therefore, the first step in ensuring Google Forms is HIPAA compliant is to subscribe to a Workspace plan that includes sufficient safeguards to comply with the HIPAA Rules (not all Workspace plans have sufficient safeguards). Thereafter, the safeguards must be configured to comply with the requirements of the Security Rule.
Google provides a HIPAA Implementation Guide to help healthcare organizations configure its “Core Services” in compliance with HIPAA. However, system administrators are also required to configure third party services Google Forms may be integrated with. For example, it is possible to integrate the services provided by Google Drive into Microsoft Teams).
Google’s Business Associate Agreement
Whenever using a cloud-based service, satisfactory assurances must be obtained from the software developer that the service is compliant with HIPAA Rules and the developer must provide those assurances by signing a HIPAA-compliant business associate agreement with the HIPAA-covered entity.
Google will enter into business associate agreements with HIPAA-covered entities, but will not sign covered entities’ own Agreements. Instead, Google has produced a one-size-fits-all Business Associate Addendum which compliance officers are advised to review before signing in order to understand the applicability of the agreement and also their compliance responsibilities.
Since Google Forms is part of Google Drive; and provided a healthcare organization signs Google’s Business Associate Addendum – which covers Google Drive and includes Google Forms – the service can be used to collect, store, and share protected health information without violating HIPAA Rules. We therefore consider Google Forms HIPAA compliant in these circumstances.
Workforce Training is Also Necessary
It is not actually possible for any software solution to be HIPAA compliant, as compliance is determined by how people use the software solutions. It is possible to violate HIPAA Rules with Google Forms, even if the service has been configured correctly and a Business Associate Addendum has been signed.
Therefore, it is important that members of the workforce with access to Google Forms are trained in how to use the service compliantly. Topics to include in workforce HIPAA training include creating forms with appropriate permissions and visibility, and avoiding using protected health information in the title of Forms or any files data will be exported to.
If any healthcare organizations experience difficulties in selecting an appropriate Workspace plan, configuring the services correctly, understanding Google’s Business Associate Addendum, or training members of the workforce on the compliant use of Google Forms, it is advisable to seek professional compliance advice.