Google Forms is an online tool that anyone can use to create surveys and get feedback from people. Can healthcare organizations use this tool without violating HIPAA rules?
The first requirement for a HIPAA covered entity or business associate that wants to use a cloud-based service in connection with PHI is a business associate agreement (BAA). If there is no BAA between the covered entity or business associate and the service provider, using the service with PHI violates HIPAA rules. Google enters into BAAs with HIPAA-covered entities and business associates. Google's BAA sets out the provider's obligations under the HIPAA Privacy, Security and Breach Notification Rules; it does not apply to every Google service, but it does cover Google Drive, which includes Google Forms.
Aside from the BAA requirement, HIPAA-covered entities and business associates must also assess the security features of the product or service. The service must be included in a risk analysis that addresses the confidentiality, integrity and availability of PHI, and identified risks must be reduced to a reasonable and appropriate level. Proper controls must be in place to prevent unauthorized access and disclosure. Google documents the relevant configuration in its HIPAA Implementation Guide, but the risk analysis itself remains the covered entity's or business associate's responsibility. In particular, the sharing and privacy settings of Google Drive (including Forms, Docs, Slides and Sheets) must be configured so that only authorized users can access the data and content stored in the Drive.
No software solution can be guaranteed to be fully HIPAA compliant, because compliance also depends on how users configure and use the tool. Google products, including Google Forms, support HIPAA compliance and are covered by Google's BAA. Hence, provided a BAA is in place and access settings are configured correctly, healthcare organizations can use Google Forms for data collection and management without violating HIPAA rules.