SecOps Services HIPAA Compliance

Google supports Health Insurance Portability and Accountability Act (HIPAA) compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance, including when using the SecOps Services.

“Covered Services" means the In-Scope Services, excluding the Excluded Services, each as defined below.

1. In-Scope Services. The Business Associate Agreement (BAA) covers the SecOps services described below (the “In-Scope Services”)

Breach analytics for Chronicle
Mandiant Automated Defense
Mandiant Security Validation
Digital Threat Monitoring
Mandiant Consulting Services
Chronicle SIEM
Chronicle SOAR

2. Exclusions. Notwithstanding the foregoing, the BAA does not cover the following features or uses for the In-Scope Services (the “Excluded Features”):

a. third party services other than services provided by (i) a Google Affiliate or (ii) a cloud based infrastructure provider included in the Services

b. any on-demand analyst support

c. any non-Google services, software or hardware provided to Google personnel in connection with a Mandiant Consulting Services engagement

d. any API Integration tool that is not secure

e. any Services that are not generally available, including beta features and previews

Implementation Guide

Essential best practices:

Execute a BAA. You can request a BAA directly from your account manager.
Disable or otherwise ensure that you do not use services that are not covered by the BAA when working with PHI.
Turn off Excluded Services so that end users do not use services not covered by the BAA.

Previous versions (Ultima modifica: 14 febbraio 2024)