Google BAA Agreement: What It Is and Why You Need It

If you work in the healthcare industry, you’re probably familiar with HIPAA – the Health Insurance Portability and Accountability Act of 1996. This federal law imposes strict rules on how patient information can be stored, shared, and transmitted. HIPAA applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. If you’re a business associate, you may be required to sign a Business Associate Agreement (BAA) with the covered entity you work with.

But what if you’re using Google to store or process patient information? Do you need a BAA with Google? The answer is yes, and that’s where the Google BAA Agreement comes in.

What is the Google BAA Agreement?

The Google BAA Agreement is a contract between Google and its customers who are covered entities or business associates under HIPAA. This agreement sets forth the terms and conditions under which Google will provide its cloud platform services, such as Google Cloud Platform (GCP), Google Workspace (formerly G Suite), and Google Meet, to these customers while complying with HIPAA regulations.

Google offers both a standard BAA and a flexible BAA. The standard BAA covers Google’s core GCP services, while the flexible BAA extends coverage to additional services, such as Google Workspace and Google Meet, that customers may use for healthcare purposes. The flexible BAA also gives the parties more latitude in which services and products are covered and in what each party must do to comply with HIPAA.

Why do you need the Google BAA Agreement?

If you’re a covered entity or business associate under HIPAA, you’re required by law to enter into a BAA with any third-party service provider who will have access to your patients’ protected health information (PHI). This includes cloud service providers like Google.

By signing the Google BAA Agreement, you can be assured that Google will meet the HIPAA regulatory requirements for safeguarding PHI, such as implementing administrative, physical, and technical safeguards to protect against unauthorized access, use, or disclosure of PHI. Google will also notify you promptly of any security incidents or breaches that affect your PHI and cooperate with you in any investigation or response.

Additionally, the Google BAA Agreement provides liability protection for both parties. Google assumes responsibility for any breaches or violations that result from its own actions or omissions, while the customer remains responsible for any breaches or violations that result from its own actions or omissions.

In conclusion, if you’re a covered entity or business associate in the healthcare industry and are using Google’s cloud platform services for PHI, you should sign the Google BAA Agreement. This agreement ensures that Google will comply with HIPAA regulations and provides liability protection for both parties. If you have any questions about the Google BAA Agreement, feel free to contact Google or consult with legal counsel.