This guide is for informational purposes only. Google does not intend the information or recommendations in this guide to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of the services as appropriate to support its legal compliance obligations.
For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (known as HIPAA, as amended, including by the Health Information Technology for Economic and Clinical Health — HITECH — Act), Google Cloud's Identity Platform can support HIPAA compliance if properly used. This guide is intended for security officers, compliance officers, IT administrators, and other employees who are responsible for HIPAA implementation and compliance using Google Cloud's Identity Platform.
Under HIPAA, certain information about a person's health or health care services is classified as Protected Health Information (PHI). Google Cloud customers who are subject to HIPAA and wish to use Google Cloud or its Identity Platform with PHI must sign a Business Associate Agreement (BAA) with Google.
Google Cloud customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not signed a BAA with Google must not use Google services in connection with PHI.
The Identity Platform Service
Google Cloud's Identity Platform is an Identity-as-a-Service (IDaaS) solution, providing cloud-based infrastructure to enable identity capabilities to be added to applications or services. The Identity Platform service offers a cloud-based user directory/database and authentication APIs that can minimize the overhead associated with developing and managing identity for your application.
We recommend that you only store the minimum data needed to provide authentication and authorization for your application or service. When creating a user in the Identity Platform database, the only required attribute is an email address (in the case of email/password sign-in), or a Phone Number (in the case of Phone Authentication).
While the Identity Platform supports additional optional attributes including Display Name and Photo URL, as well as the ability to add Custom Attributes/Claims to a user object, PHI should not be stored in any of these attributes. If you have a requirement to store PHI, it is recommended that a general purpose database solution be used within Google Cloud, in accordance with Google Cloud's implementation guidance.
Federated Identity Providers and Anonymous sign-in
Identity Platform supports integration with a range of internet-based social federation providers as well as configurable enterprise federation standards such as SAML and OpenId Connect (OIDC). However, PHI should not be transmitted from these Identity Providers (IdPs) to Identity Platform in tokens, claims, assertions or through any other mechanism.
Any synchronization of PHI from external identity systems to Identity Platform is not recommended or supported and Google Cloud makes no assertions or guarantees as to the security of this information in transit or upon receipt by the third party.
Anonymous accounts should not be used when interacting, managing, or storing PHI.
Software Development Kits and Client Libraries (SDKs)
Identity Platform offers Software Development Kits and Client Libraries that run outside of the Identity Platform service. These SDKs are available client-side (across iOS, Android and Web) or in server code across major development languages (Java, C++, Go, NodeJS etc).
As this code runs outside of the Identity Platform Service, Google Cloud makes no assertions or guarantees as to the security of information outside of the Identity Platform service, such as on an end-user's device. SDKs and Client Libraries should, accordingly, not be used when interacting, managing, or storing PHI.
These additional resources may help you understand how Google services are designed with privacy, confidentiality, integrity, and availability of data in mind.