HIPAA Covered Entities and Business Associates need to know how to make Google Forms HIPAA compliant before using the Workspace service to collect, store, or share Protected Health Information (PHI).
Google Forms is a web-based service that is part of the Google Workspace suite of productivity and collaboration tools. The service can be used by healthcare organizations to create surveys and obtain feedback from employees and patients – which can then be exported to secondary services such as Google Sheets for analysis.
When Google Forms is used to collect, store, or share PHI, it is necessary the service is configured and used in compliance with HIPAA. This is not always a straightforward process because not all Workspace packages include capabilities to support HIPAA compliance plus it may be necessary to implement secondary measures to ensure the confidentiality, integrity, and availability of PHI.
Which Google Workplace Packages support HIPAA Compliance?
All Google Workspace packages from “Business Standard” and above support HIPAA compliance – although only the Enterprise plan supports HIPAA compliance as a standalone option. Healthcare organizations using less-comprehensive packages will need to implement secondary measures (i.e., event logs) or upgrade the existing package to make Google Forms HIPAA compliant.
Alternatively, Covered Entities and Business Associates can integrate Google Drive (which includes Google Forms, Sheets, Docs, and Slides) into a third party suite of productivity and collaboration tools such as Microsoft Teams. In such cases, it will be necessary to enter into Business Associate Agreements with both Google and (if integrating Drive into Teams) Microsoft.
Google’s Business Associate Agreement
Similar to a number of large cloud service providers, Google will not sign Covered Entities’ Business Associate Agreements and insists Covered Entities (and Business Associates where appropriate) sign its Business Associate Addendum. This is because it would be too complicated to manage and comply with separate agreements developed by healthcare organizations with differing needs.
The Business Associate Addendum is straightforward and appears not to have any clauses that Covered Entities or Business Associates may have issues with. Nonetheless, it is advisable to review the document thoroughly before signing it to ensure there are no “Customer Responsibilities” that will be difficult to maintain as a violation will invalidate the Addendum.
Making Google Forms HIPAA Compliant
Once an organization has subscribed to a Workplace package that supports HIPAA compliance and signed the Business Associate Addendum, it is still necessary to configure the organization’s account in such a way to make Google Forms HIPAA compliant. Help is available with this task via the Google Workspace and Cloud Identity HIPAA Implementation Guide (PDF).
Fortunately, there is not a lot of configuring required to make Google Forms HIPAA compliant. System administrators only need to configure sharing permission and form visibility controls if using Drive services to collect, store, or share PHI. If using a wider range of Workspace services, it may also be necessary to apply further sharing restrictions and Data Loss Prevention policies.
Training the Workforce on Compliant Usage
The final stage in making Google Forms HIPAA compliant is training members of the workforce on how to use the service compliantly. Although many of the administrative controls will forcibly prevent users from disclosing PHI impermissibly, some users may still have access to options such as the visibility of forms and folders and the editing capabilities of collaborators.
Consequently, it is important members of the workforce receive training on how to use Google Forms in compliance with HIPAA (as well as any other core services used in Google Workspace) to ensure visibility is limited to the minimum necessary, editing in monitored, and inadvertent disclosures – such as including PHI in the titles of Forms – are avoided.
Conclusion: Is Google Forms HIPAA Compliant?
Although the service is not HIPAA compliant by default, it is not difficult to make Google Forms HIPAA compliant. Covered organizations have to ensure they are using a suitable Workspace package, sign Google’s Business Associate Addendum, configure the service to prevent impermissible disclosures, and train members of the workforce how to use the service compliantly. However, If your organization experiences challenges with making Google Forms HIPAA compliant, it is advisable to seek professional compliance advice.