Any capitalized terms used but not otherwise defined in this BAA will have the meaning given to them in either (i) HIPAA and the HITECH Act or (ii) the Services Agreement(s).

• “Business Associate” has the definition given to it under HIPAA at 45 CFR § 160.103.
• “Breach” has the definition given to it under HIPAA at 45 CFR § 164.402. A Breach will not include an acquisition, access, use, or disclosure of PHI with respect to which Google has determined in accordance with 45 C.F.R. § 164.402 that there is a low probability that the PHI has been compromised.
• “Breach Notification Rule” means the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.
• “Covered Entity” has the definition given to it under HIPAA at 45 CFR § 160.103.
• “Covered Services” means the Google products and services specifically identified at https://cloud.google.com/security/compliance/hipaa/ and, as applicable at https://cloud.google.com/terms/secops/hipaacoveredservices, as being covered by the Google Cloud Platform BAA.
• “Designated Record Set” has the definition given to it under HIPAA at 45 CFR § 164.501.
• “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended, including the Privacy Rule, the Breach Notification Rule and the Security Rule, and amendments to HIPAA made by the HITECH Act.
• “HIPAA Implementation Guide” means the informational guide that Google makes available describing how the Covered Services may be configured by Customer in connection with Customer’s HIPAA compliance efforts. The HIPAA Implementation Guide for the Covered Services is available for review at the following URL: https://cloud.google.com/security/compliance/hipaa/ and, as applicable at https://cloud.google.com/terms/secops/hipaacoveredservices.
• “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
• “Privacy Rule” means the HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164.
• “Protected Health Information” or “PHI” has the definition given to it under HIPAA at 45 CFR § 160.103, and for purposes of this BAA is limited to PHI within Customer Data to which Google has access through the Covered Services in connection with Customer’s permitted use of Covered Services.
• “Required by Law” has the definition given to it under HIPAA at 45 CFR § 160.103.
• “Security Incident” has the definition given to it under HIPAA at 45 CFR § 164.304.
• “Services Agreement(s)” means the written agreement(s) entered into between Google and Customer for provision of the Covered Services, which agreement(s) may be in the form of online terms of service.
• “Security Rule” means the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C.

 This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Google, as a result, is acting as a Business Associate or Subcontractor of Customer under HIPAA. This BAA does not apply to any Google product, service, or feature that is not a Covered Service. This BAA does not apply to PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services (including Customer’s use of its offline or on-premise storage tools or third-party applications).

(a) Performance of the Agreement. Except as otherwise limited by this BAA, Google may only use and disclose PHI for or on behalf of Customer as permitted or required by the Services Agreements, this BAA, or as Required by Law.  

(b) Management, Administration, and Legal Responsibilities. Google may use and disclose PHI for the proper management and administration of Google business and / or to carry out Google’s legal responsibilities, provided that any disclosure of PHI by Google for such purposes may only occur if: (i) Required by Law; or (ii) Google takes appropriate measures to ensure that any person to whom PHI will be disclosed is bound by written obligations that provide the same material level of protection for PHI as this BAA.

When Google is acting as a Business Associate under this BAA, Google will fulfill the following obligations:

(a) Appropriate Safeguards. Google will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services. Google will implement all requirements of the HIPAA Security Rule with regard to electronic PHI.

(b) Reporting and Related Obligations.

(i) Security Incident and Breach Reporting. Google will promptly notify Customer of (i) any Security Incident of which Google becomes aware, subject to Section 4(b)(iii); and (ii) any Breach that Google discovers, including Breaches of unsecured PHI in accordance with 45 CFR § 164.410 of the Breach Notification Rule, provided that any notice for Breach will be made promptly and without unreasonable delay. Notifications made under this section will describe, to the extent possible, details of a Breach, including steps taken to mitigate the potential risks and steps Google recommends Customer take to address the Breach.

(ii) Notification. Google will send any applicable notifications to the notification email address provided by Customer in the Agreement or via direct communication with Customer.

(iii) Unsuccessful Attempts. Notwithstanding Section 4(b)(i), this Section 4(b)(iii) will be deemed as notice to Customer that Google periodically receives unsuccessful attempts (including without limitation pings, unsuccessful log-on attempts, denial of service attacks, port scans and attempts) for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Google’s systems and the Covered Services. Customer acknowledges and agrees that even if such events constitute a Security Incident, Google will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 4(b)(iii).

(c) Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Google will take appropriate measures to ensure that any Subcontractors used by Google to perform its obligations under the Agreement that require access to PHI on behalf of Google are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Google uses Subcontractors in its performance of obligations hereunder, Google will remain responsible for their performance as if performed by Google.

(d) Access and Amendment. Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI maintained by Customer within the Covered Services, including whether Customer maintains such PHI in a Designated Record Set within the Covered Services. The parties acknowledge and agree that Google does not maintain PHI in a Designated Record Set for Customer.Google will make available PHI for amendments (and incorporate any amendments, if required) and accountings in accordance with 45 CFR § 164.526 and 45 CFR § 164.528 of the Privacy Rule. Google will provide Customer with access to Customer’s PHI via the Covered Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals’ rights of access and amendment, but will have no other obligations to Customer or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Customer is responsible for managing its use of the Covered Services to appropriately respond to such individual requests.

(e) Accounting of Disclosures. When requested by Customer, Google will document disclosures of PHI by Google and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA. Because Google is unable to readily identify which Individuals are identified or what types of PHI are included in PHI Customer or any of Customer’s End User submit to the Covered Services under Customer’s Account, Customer will be solely responsible for identifying any Individuals who may have been included in PHI that Google has disclosed and for providing a description of the PHI disclosed.

(f) Secretary’s Access to Records. Google will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Google on behalf of Customer, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA to the extent required by law, and subject to all applicable legal privileges. The Legal Process section of the General Terms of the Agreement will apply to Google’s response to such requests by the Secretary.

(g) Return/Destruction of Information. On termination of the Agreement, Google will return or destroy all PHI received from Customer, or created or received by Google on behalf of Customer; provided, however, that if such return or destruction is not feasible, Google will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

(h) Performance of a Covered Entity’s Obligations. To the extent Google agrees in writing to carry out a Covered Entity’s obligation under the Privacy Rule, Google shall comply with the requirements applicable to such obligation.

(a)   Impermissible Requests.  Customer will not request that Google or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate (unless expressly permitted under HIPAA for a Business Associate).

(b)   Use of Service Controls. For Customer’s End Users that use the Covered Services in connection with PHI, Customer will use controls available within the Services, including those detailed in the HIPAA Implementation Guide, to ensure its use of PHI is limited to the Covered Services. Customer acknowledges and agrees that the HIPAA Implementation Guide is provided by Google solely as an optional, informational guide with respect to Customer’s configuration options, and that Customer is solely responsible for ensuring that its and its End Users’ use of the Covered Services complies with HIPAA and the HITECH Act. 

(c)  Appropriate Safeguards. Customer will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services

(a) Term. The term (“Term”) of this BAA will begin on the BAA Effective Date and end on the earlier of (i) termination in accordance with Section 6, or (ii) the expiration or termination of all Services Agreements under which Customer has access to a Covered Service.

(b) Termination for Breach. If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 10 days’ written notice (“Termination Notice Period”) to the breaching party unless the breach is cured within the Termination Notice Period. If a cure under this Section 6(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 6(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.

(c) Use of the Services after Termination. If this BAA is terminated earlier than the Services Agreements, Customer may continue to use the Services in accordance with the Services Agreements on the condition that, before the end of the Termination Notice Period, Customer deletes any PHI it maintains in the Covered Services and immediately upon termination ceases to further create, receive, maintain, or transmit such PHI to Google.

(a) Survival. Sections 4(g) (Return/Destruction of Information) and 7 (Miscellaneous) will survive termination or expiration of this BAA.  

(b) Effects of BAA. To the extent this BAA conflicts with the remainder of the Services Agreement(s), this BAA will govern. This BAA is subject to the “Governing Law” section in the Services Agreement(s). Except as expressly modified or amended under this BAA, the terms of the Services Agreement(s) remain in full force and effect.

(c) No Third Party Beneficiaries. This BAA does not give any person other than Customer and Google, and their respective successors or assigns, any rights or obligations under this BAA.