HIPAA Compliance with Looker Services

Google supports Health Insurance Portability and Accountability Act (HIPAA) compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance, including when using the Looker Services.

Covered Services

The Business Associate Agreement (BAA) covers Looker’s Services under a Looker-hosted deployment and Looker’s Professional Services (if any) as described in the applicable Looker services agreement to which the BAA is attached, except that the following (the Excluded Services) are not covered by the BAA:

• Any third party Services provided by an entity other than Google or a Google Affiliate, including any Looker Services provided by the third-party entities listed at the following link: https://looker.com/trust-center/privacy/google-cma-subprocessors
• Any API Integration tool that is not secure
• Any Services that are not generally available, including beta features and previews

It is your responsibility (i) to configure the Looker software and manage access to PHI using the services in such a way that complies with the BAA (including this implementation guide), and (ii) to manage the risk of using any Excluded Services in compliance with your obligations under HIPAA.

Customer General Responsibilities

You, as the customer, are responsible for ensuring that the environment and applications that you connect to the services, and that you rely on when using the services, are properly configured and secured according to HIPAA requirements. This is often referred to as the shared security model.

Your Security Responsibilities

Essential best practices:

• Execute a BAA. You can request a BAA directly from your account manager.
• Disable or otherwise ensure that you do not use Services that are not covered by the BAA when working with PHI. To ensure that Services not covered by the BAA are deactivated, you must confirm that the Excluded Services are turned off.

• You are responsible for securing the following and Google takes no responsibility for any breach that results from:

  • your environment
  • your databases
  • your configuration of the Services, including limiting the users’ ability to download a report that includes PHI
  • your configuration of access permissions and security controls for users and third-parties you authorize to use the Services

Recommended Technical Best Practices When Configuring the Services

• Access Controls

  • Use the “access filter” parameter in conjunction with user attributes to apply row, column, or field level data security by user or user group.
  • Limit administrator, developer, and SQL runner access privileges.
  • Limit support access or otherwise ensure that support teams cannot access your Instance.

• Sharing

  • Set up any API usage between Google and your vendor in a secure way.
  • Do not share PHI via the Services or instruct Google to share PHI via the Services (including an API), with a third-party unless a BAA is in place with the third-party.
  • Manage use of the Services such that sharing PHI via email requires the recipient to click on a link within the email message, which redirects to a Looker instance where the recipient must log into the Services before viewing the PHI/content.
  • Do not allow PHI to be sent or attached via support chat.
  • Configure use of the Services to reduce the amount of time query results are cached as these results may include PHI.
  • Restrict the permissions for creating public links.
  • Create and maintain logs when you permit a third party to use aggregated PHI.

• Secure Configuration

  • Implement industry-standard methods of authenticating users such as two-factor authentication or SAML-supported SSO iDP, and to the extent a user relies on SSO, restrict the “login_special_email” permission to a maximum of two (2) users.
  • Apply data set security within the Looker model.
  • At least quarterly, perform an audit on all users, groups, permissions, roles, API keys, public links, and additional access controls, sharing, and security configuration.