Is Google Forms HIPAA Compliant?
Google Forms is HIPAA compliant and can be used to collect, export, and share protected health information provided the service is used as part of a Workspace plan that supports HIPAA compliance, the service settings are configured to comply with the HIPAA Security Rule, and the workforce is trained on its compliant use. It will also be necessary to agree to Google’s Business Associate Addendum before the service is used to collect PHI.
Google Forms is a survey administration tool that can be used to conduct opinion polls, manage event registrations, and collect information through internal or public-facing websites. When used in ways that do not involve uses and disclosures of data covered by the HIPAA Privacy Rule, the solution could be used by healthcare organizations without HIPAA compliance being a consideration.
However, if Google Forms is used to collect, store, or share protected health information – or if protected health information is exported to another service for analysis – the HIPAA Administrative Simplification Regulations apply. Additionally, Google would be considered a business associate of the healthcare organization.
Is Google Forms HIPAA Compliant?
Before any third party’s software application can be used in connection with protected health information, healthcare organizations must ensure safeguards are in place to ensure the confidentiality, integrity, and availability of any protected health information that is created, received, stored, maintained, or transmitted by the software.
Therefore, the first step in ensuring Google Forms is HIPAA compliant is to subscribe to a Workspace plan that includes sufficient safeguards to comply with HIPAA (not all Workspace plans have sufficient safeguards). Thereafter, the safeguards must be configured to comply with the requirements of the HIPAA Security Rule.
Google provides a HIPAA Implementation Guide to help healthcare organizations configure its “Core Services” in compliance with HIPAA. However, system administrators are also required to configure third party services Google Forms may be integrated with. For example, it is possible to integrate services included in Google Drive into Microsoft Teams.
Google’s Business Associate Agreement
Whenever using protected health information on a cloud-based service, satisfactory assurances must be obtained from the service provider that the service is compliant with HIPAA Rules. The service provider must provide the assurances by signing a HIPAA-compliant business associate agreement with the HIPAA-covered entity.
Google will enter into business associate agreements with HIPAA-covered entities, but will not sign covered entities’ own Agreements. Instead, Google has produced a one-size-fits-all Business Associate Addendum which compliance officers are advised to review before signing in order to understand the applicability of the agreement and also their compliance responsibilities.
Since Google Forms is part of Google Drive, and provided a healthcare organization signs Google’s Business Associate Addendum – which covers Google Drive and includes Google Forms – the service can be used to collect, store, and share protected health information without violating HIPAA Rules. We therefore consider Google Forms HIPAA compliant in these circumstances.
Workforce Training is Also Necessary
It is not actually possible for any software solution to be HIPAA compliant, as compliance is determined by how people use the software solutions. It is possible to violate HIPAA Rules with Google Forms, even if the service has been configured correctly and a Business Associate Addendum has been signed.
Therefore, it is important that members of the workforce with access to Google Forms are trained in how to use the service compliantly. Topics to include in workforce HIPAA training include creating forms with appropriate permissions and visibility, and avoiding using protected health information in the title of Forms or any files data will be exported to.
If any healthcare organizations experience difficulties in selecting an appropriate Workspace plan, configuring the services correctly, understanding Google’s Business Associate Addendum, or training members of the workforce on the compliant use of Google Forms, it is advisable to seek professional compliance advice.