Is Google Forms HIPAA Compliant?

Let me start this article by introducing you to HIPAA & GoogleForms.

What is HIPAA? The Health Insurance Portability and Accountability Act sets the standard for protecting the sensitive data of patients.

What is Google Forms? It is a forms and survey administration platform included in Google's free & web-based Google Docs suite.

When Google Forms does not collect protected health information (PHI), HIPAA compliance is not required. However, if the intent is to collect, store, or share PHI, it is necessary to make Google Forms HIPAA-compliant.

This article delves into finding out if Google Forms is HIPAA compliant.

Know BAA

The BAA is essential for any third-party service provider that handles PHI on behalf of a healthcare provider.

A Business Associate Addendum (BAA) is a legal document. This should not be used interchangeably with the Business Associate Agreement.

• It outlines a business associate's responsibilities to protect protected health information (PHI) through HIPAA regulations.
• It stipulates how the business associate will use, disclose, and safeguard the PHI, ensuring compliance with HIPAA regulations to protect patient privacy and data security.

Does Google Forms meet HIPAA compliance?

Google Forms does not meet HIPAA compliance by default.

This is because the Google Forms service is part of the productivity suite within Google Drive.

Unless included in a Google Workspace plan, it does not include the capabilities required to comply with the technical safeguards of the HIPAA mandate.

Let’s move on to find out how to make Google Forms HIPAA compliant.

Making Google forms HIPAA-compliant

Google workspace plan

Google Workspace includes the capabilities required to comply with the HIPAA mandate. However, some Workspace packages also limit the maximum number of licenses allowed.

Healthcare providers and Business Associates may also want to consider which Workspace services they wish to use in addition to Google Forms and what security measures should be included in these services.

For example, Data Loss Prevention—which prevents sensitive data from being shared with external “guests”—is only included in Google Workspace's Enterprise package.

Sign BAA

Google Forms will be HIPAA compliant only upon signing a BAA (Business Associate Addendum) with Google.

Google Forms can be used to create, receive, maintain, or transmit Protected Health Information provided the organization subscribes to an appropriate Google Workspace package and signs Google’s Business Associate Addendum.

Configuration

Not many configurations are required to make Google Forms HIPAA compliant.

Generally, system administrators need to set file-sharing permissions to prevent forms containing PHI from being shared with external domains. They need to set the default file visibility setting to “Private to the Owner.”

The challenge to making Google Forms HIPAA compliant is ensuring that any other services integrated with Google Forms are also HIPAA compliant (i.e., Google Sheets).

They should configure Administrator Notifications when unusual activity is detected.

Creating Data Loss Prevention policies is a good practice. It details what types of sensitive data can be shared and with whom.

Train Users

The final step to making Google Forms HIPAA compliant is to train members of the workforce on how to use forms compliantly.

In most cases, if the service has been configured properly, the potential for most violations will have been eliminated. However, explaining to users why controls have been put in place may be necessary to prevent attempts to circumnavigate the controls.

Refer to Google’s HIPAA Implementation guide for more information.

Why BlockSurvey is a better alternative

I have discussed BlockSurvey’s features that support HIPAA compliance below.

• BlockSurvey is HIPAA-compliant
• BlockSurvey offers a BAA (Business Associate Agreement) to business associates, ensuring that both parties are legally bound to comply with HIPAA regulations. This agreement outlines the responsibilities of BlockSurvey for safeguarding PHI.
• BlockSurvey encrypts data both in transit and at rest using advanced encryption standards. This ensures that PHI is protected from unauthorized access during data transfer and while stored on BlockSurvey's servers.
• The platform allows for role-based access controls, ensuring that only authorized personnel can access or modify PHI. Administrators can assign different levels of access based on the user's role within the organization.
• BlockSurvey is built with privacy by design principles, ensuring that the platform's architecture inherently supports data protection.
• BlockSurvey has a clear incident response plan in place for dealing with data breaches or security incidents. This includes procedures for notifying affected individuals and relevant authorities promptly.
• BlockSurvey is also GDPR & ISO-compliant, which is an additional foundation for robust privacy practices.
• BlockSurvey is a decentralized survey platform application. This means the data storage is decentralized and present across various nodes.
• The client is the data owner. BlockSurvey cannot view your data, and there is no data tracking with BlockSurvey.

All the above features make BlockSurvey a better alternative for achieving HIPAA compliance.

Conclusion

As you can see, Google Forms is not HIPAA compliant by default. To comply with the HIPAA mandate, Google Forms should be included in a Google Workspace plan. It also needs a few configurations and the signing of a BAA before it is completely HIPAA compliant.

BlockSurvey acts as a promising alternative to Google Forms with advanced features that support HIPAA compliance inherently.

Try BlockSurvey today to achieve HIPAA compliance with ease.