When you’re building a healthcare-related application, you need more than the right code and a reliable user experience; sometimes it feels like you need to be a lawyer too. Often, there are several additional steps to take into consideration. In particular, some healthcare-related applications and services in the United States are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. HIPAA establishes standards around privacy, security, and breach notification to protect individually identifiable health information. When building in the cloud, it can be challenging to ensure that you’re complying with these regulations.

To serve developers who want to build these applications on Google's infrastructure, we're announcing support for Business Associates Agreements (BAAs) for our customers. A BAA is the contract between a Covered Entity (you, the developer) and their Business Associate (Google) covering the handling of HIPAA-protected information.

Today’s news joins our other compliance efforts across Cloud Platform and Google Enterprise:

  • ISO 27001: ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. After earning ISO 27001 for Google Apps in 2012, we renewed our certification again last year for Google Apps and received the certification for Google Cloud Platform.
  • SOC2, SSAE 16 & ISAE 3402: Companies use the SOC2, SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. We’ve successfully completed these audits for Google Apps every year since 2008 (when the audits were known by their previous incarnation, SAS 70) and we did so again last year for Google Apps and Google Cloud Platform.
  • HIPAA: Late last year, we started entering into BAAs to allow Google Apps customers to support HIPAA-regulated data. This year we have begun entering into BAAs with our Google Cloud Platform customers.

We’re looking forward to supporting customers who are subject to HIPAA regulations on Google Cloud Platform. If you are a Covered Entity under HIPAA and would like more information, please contact our team.

-Posted by Matthew O’Connor, Product Manager