Google Sheets is a service provided by Google to create, view and share spreadsheets. Can HIPAA-covered entities use Google Sheets with identifiable protected health information? Does this violate the HIPAA rules?
The HIPAA Rules require healthcare organizations to safeguard the confidentiality, integrity and availability of PHI. Implementing internal organization controls for data security is pretty straightforward. However, when contracting the services of third parties and giving them access to PHI, there must be strict adherence to HIPAA Rules on privacy, security and breach notifications.
Third-parties that need to access PHI in order to provide services on behalf of HIPAA-covered entities are classified as a business associates. Business associates must agree to comply with the HIPAA Privacy, Security and Breach Notification Rules. This agreement is stipulated in a contract called business associate agreement (BAA) that the business associate will enter into. The BAA must be signed first before any sharing of PHI occurs. Otherwise, both covered entity and business associate are in violation of the HIPAA rules.
Although Google does not view the information (not to mention PHI) created using Google Sheets, the fact that it is stored on Google’s servers and can be potentially accessed means that Google needs to sign a BAA. Google knows about the Health Insurance Portability and Accountability Act requirements when it comes to protecting the privacy of health data. Hence, it made sure that its services keep all data and access to it secure. It is likewise ready to sign a BAA with HIPAA covered entities for using G Suite, which includes the following services: Google Docs, Google Sheets, Google Drive, Google Forms and Google Slides. Google’s terms and conditions explicitly mentions the need to enter into a BAA when HIPAA covered entities want to use G Suite with PHI.
To sum up and answer the question “Is Google Sheets HIPAA compliant?” the answer is YES. Google complies with the HIPAA Rules in providing the following secured products and services: G Suite Basic, G Suite for Business, G Suite for Education and G Suite Enterprise. In addition, a signed BAA stipulates the agreement between covered entities and business associates to protect PHI. Nonetheless, covered entities have the responsibility to configure settings and use Google Sheets in a manner that is not in violation of HIPAA Rules.