0

Assuming both organizations have HIPAA-compliant G-Suite and have signed the necessary legal documents. My gut says this should not be a problem as it's done within the Google servers, am I missing something?

novirt

2 Answers

1

If, as you say, both entities have entered into a business associate agreement with Google, they are able to use G Suite for PHI sharing. Google supports HIPAA compliance for G Suite. Provided the method of sharing information is covered by the terms of that business associate agreement, it would be acceptable to share PHI between the two entities. Bear in mind that no software solution can be truly HIPAA-compliant as any software solution, even if a BAA is in place, can be used in a manner that is not compliant with HIPAA Rules. Both entities would therefore need to ensure that G Suite has been configured correctly and appropriate security controls have been activated, access controls have been implemented, and an audit trail exists.

The two entities that wish to share the PHI may also need to have a business associate agreement in place before any PHI is shared, e.g. if one is a healthcare provider and the other is a vendor.

0

In principle, if you have the necessary BAA signed with Google as well as the third party who has shared the content, it is possible to be HIPAA compliant in sharing information over, say, Google Drive. Google has listed products that are compliant and those not in compliance should not be used. The below implementation guide from Google should clarify as to the controls that would be necessary to ensure that you comply.