The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding individuals' protected health information (PHI). These organizations meet the definition of “covered entities” or “business associates” under HIPAA.
Customers that are subject to HIPAA and want to utilize any Google Cloud products in connection with PHI must review and accept Google's Business Associate Agreement (BAA). Google ensures that the Google products covered under the BAA meet the requirements under HIPAA and align with our ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report.
The Google Cloud Platform BAA covers GCP’s entire infrastructure (all regions, all zones, all network paths, all points of presence), and the services listed below.
What is the purpose of the BAA (Business Associate Agreement) with Google and how is it executed?
The BAA allows covered entities and business associates to enter into an agreement with Google that governs the processing of PHI through Google Cloud.
To execute a BAA, organizations that use Google Cloud should talk to their account managers about entering into a BAA with us.
Is having a BAA with Google Cloud sufficient to ensure my organization’s compliance with HIPAA?
The covered entity that enters into the BAA with Google Cloud is responsible for building a HIPAA-compliant solution using the approved Google Cloud services. After the solution is built, the covered entity is responsible for the implementation of compliance controls.
Can my organization request to modify the BAA?
The BAA is not subject to modification.