Under the Health Insurance Portability and Accountability Act (HIPAA), certain information about a person’s health or health care services is classified as Protected Health Information (PHI).
Google is committed to ensuring that our customers' data is safe, secure and always available. Data Studio supports HIPAA compliance (within the scope of the Google Cloud Platform Business Associate Agreement (BAA)) but ultimately customers are responsible for evaluating their own HIPAA compliance.
This article is intended to help security officers, compliance officers, IT administrators, and other employees in organizations who are responsible for HIPAA compliance use Data Studio in a way that meets your compliance needs.
This guide is for informational purposes only. Google does not intend the information or recommendations in this guide to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of Data Studio as appropriate to support its legal compliance obligations.
Data Studio customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Data Studio in connection with PHI. Customers who are subject to HIPAA and wish to use Data Studio with PHI must execute a Google Cloud Platform Business Associate Agreement (BAA) with Google before proceeding. Customers who have not signed the Google Cloud Platform BAA with Google must not use Data Studio in connection with PHI. Please note that the previous Data Studio BAA can no longer be accepted by new customers.
Learn more about HIPPA compliance on Google Cloud Platform.
How to use Data Studio with PHI
Data Studio customers who are subject to HIPAA can access Data Studio for use with PHI under the BAA as long as the customer configures Data Studio to be HIPAA compliant.
For Google Workspace and Cloud Identity customers
The Google Admin console has specific settings that help ensure that data is secure, and is used and accessed only in accordance with your requirements. Here are some actionable recommendations to help you address specific concerns.
Monitoring account activity
The Admin console reports and logs make it easy to look for potential security risks, measure user collaboration, track who signs in and when, analyze administrator activity, and much more. To monitor logs and alerts, admins can configure notifications when suspicious events occur. The admin can also review reports and logs on a regular basis to examine potential security risks. For example, Data Studio’s Admin console report can show which files are shared with external domain users. Admins should consider periodically viewing these reports for employees who manage PHI to ensure PHI is not inadvertently shared.
Data Studio users can control the editing and sharing capabilities of collaborators when sharing Data Studio assets. We recommend that users avoid putting PHI in titles of such assets.
Admins can set file sharing permissions to the appropriate visibility level for the Workspace or Cloud Identity account. Admins can “Restrict” or “Allow” users to share documents outside the domain. We suggest that you configure file sharing permissions to prevent users who work with PHI from sharing Data Studio assets outside of your organization.
Technical support services
You must not not provide PHI to Google when accessing Data Studio technical support services.
Ensuring that our customers' data is safe, secure and always available to them is one of our top priorities. To demonstrate our compliance with security standards in the industry, in addition to implementing the Google Cloud Business Associate Agreement, Google has sought and received multiple certifications for Data Studio..