Thursday 31 August 2017

Can I use Google Forms for HIPAA Compliance?

Can I use Google Forms for HIPAA Compliance? - Paubox

We often get asked by customers and prospects about Google Forms and whether it can be used in a HIPAA compliant setting.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Google Forms offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Google Forms

Google Forms can be used to manage event registrations, create a quick opinion poll, and more.

Google and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms)…”

Does Google Forms Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Google offers a BAA that covers Google Forms, we conclude that Google Forms is a HIPAA compliant service.

It’s important to note, however, that you must sign a BAA with Google to be HIPAA compliant.


Conclusion: Google Forms is HIPAA Compliant. Make sure you sign a BAA with Google.

HIPAA Privacy Rule Revised Under Hurricane Harvey


In response to Hurricane Harvey, the secretary of the U.S. Department of Health and Human Services (HHS), Tom Price, M.D., declared a public health emergency in Texas and Louisiana.

Along with the declaration, he exercised his authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.

Changes to HIPAA’s Privacy Rule under extreme circumstances

The following provisions of HIPAA’s Privacy Rule have been waived for Texas or Louisiana covered hospitals:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

Other provisions of the Privacy Rule continue to apply, even during the waiver period.

When the Secretary issues such a waiver, it only applies:

  1. In the emergency area and for the emergency period identified in the public health emergency declaration
  2. To hospitals that have instituted a disaster protocol
  3. With respect to the provisions identified above
  4. For up to 72 hours from the time the hospital implements its disaster protocol

What happens when the waiver declaration ends?

When the President’s or Secretary’s declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

All other provisions of the HIPAA regulations, including the Security Rule and the Breach Notification Rule, remain in effect.

As emergency personnel and medical facilities undertake immediate action to ensure the safety of those affected, the OCR continues to highlight how the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to assist patients in receiving the care they need, regardless of whether a waiver is granted.

For more detailed information regarding HIPAA privacy and disclosures in emergency situations, click here.

For more detailed information regarding emergency situation preparedness, planning, and response, click here.

To utilize the Disclosures for Emergency Preparedness Decision Tool, click here.

Please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.

Wednesday 30 August 2017

Can I use WhatsApp and be HIPAA Compliant?

Can I use Whatsapp and be HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. WhatsApp, which was bought by Facebook in 2014, is a hugely popular secure messaging service.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if WhatsApp offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About WhatsApp

WhatsApp is a freeware and cross-platform instant messaging service for smartphones. Its user base grew to more than 1 billion active users by February 2016.

Facebook acquired WhatsApp in 2014 for an astounding $19.3 billion.

WhatsApp and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

Since WhatsApp is now part of Facebook, we checked the websites of both Facebook and WhatsApp for any mention of HIPAA compliance for WhatsApp.

For our Facebook search, we keyed in on their:

We could not find any mention of HIPAA or Business Associate Agreement in any of these key resources.

Next, we did the same search on WhatsApp. Their legal docs were bundled into a single page:

We could not find any mention of HIPAA or Business Associate Agreement there either.

The Promise of WhatsApp and HIPAA

There have been several thoughtful articles written about using WhatsApp in healthcare:

The key takeaways from each article are:

  • WhatsApp is popular in healthcare for some countries, but not the U.S.
  • WhatsApp is not currently HIPAA compliant.

Does WhatsApp Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since we could not find a single mention of HIPAA compliance or a Business Associate Agreement on either Facebook’s or WhatsApp’s site, we are left to conclude that WhatsApp is not HIPAA compliant.

Conclusion: WhatsApp is not HIPAA compliant.

Tuesday 29 August 2017

Can I use Yammer and be HIPAA Compliant?

Can I use Yammer and be HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Yammer, which was bought by Microsoft in 2012, is a popular enterprise social networking service used for private communication within organizations.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Yammer offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Yammer

Yammer is a freemium enterprise social networking service used for private communication within organizations.

Access to a Yammer network is determined by a user’s domain name so that only individuals with approved email addresses may join their respective networks.

The service began as an internal communication system for the genealogy website Geni.com and was launched as an independent product in 2008.

Microsoft later acquired Yammer in 2012 for a whopping $1.2 billion.

Yammer and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

Since Yammer is now part of Microsoft Office 365, we checked Microsoft’s site and found a blog post titled “Yammer bolsters security and compliance with new auditing and reporting capabilities”.

Written on 13 October 2016, Microsoft’s blog post points out:

“As part of the Office 365 Trust Center, Yammer complies with international and regional standards such as the Office 365 Data Processing Agreement with European Union Model Clauses (DPA with EUMC), Health Insurance Portability and Accountability Office 365 Business Associate Agreement (HIPAA BAA), ISO 27001, ISO 27018, Section 508 for web accessibility, and SSAE 16 SOC 2 report.”

Does Yammer Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Microsoft offers one for use with Yammer, we conclude it can be a HIPAA compliant service.

Conclusion: Yammer is covered within Microsoft’s Business Associate Agreement. Make sure you sign a BAA with Microsoft before using Yammer in a HIPAA environment.

Save The Date: Paubox SECURE – a digital health security conference

You can’t have too many conferences, right?

I know there’s a lot out there, so what makes Paubox SECURE different?

We’re putting together Paubox SECURE because there’s a gap in the current list of digital health conferences.

With all the new technologies and innovation being created and adopted within healthcare, there is the problem of managing the vulnerabilities that come with an interconnected IT landscape.

So we’re gathering some of the best in digital health, cyber security, and compliance to start a conversation, share ideas and learn more.

We’ll be making more announcements as we confirm speakers and the agenda, but some of the topics we’ll cover include:

  • Best practices for healthcare IT security in 2017 and beyond
  • Anatomy of a ransomware attack
  • Security considerations for digital health apps
  • Surviving a HIPAA audit when you’ve adopted new tech

Join us for an engaging afternoon of speakers and panel discussions and a fun evening of networking.

Get your early bird tickets now and save 50%.