The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Google Professional Data Engineer GCP

  • A federal law applicable in the USA.
  • Establishes data privacy and security requirements for individuals’ protected health information (PHI).
  • Organizations responsible for protecting PHI are defined as “covered entities” or “business associates”.
  • Customers handling PHI on GCP should review and execute Google’s Business Associate Agreement (BAA).
  • Only the GCP products explicitly listed under the BAA are covered; the BAA covers Google’s entire underlying infrastructure, including
    • all regions
    • all zones
    • all network paths
    • all points of presence

Customer Responsibilities

  • The customer should determine whether it is a Covered Entity (or a Business Associate of a Covered Entity).
  • If so, a BAA with Google is required before any PHI is stored or processed on GCP.
  • Google provides a secure and compliant infrastructure for the storage and processing of PHI; the customer is responsible for
    • the environment and applications built on the GCP platform
    • their configuration and security as required by the HIPAA Security Rule.
    • This split is referred to as the shared responsibility model in the cloud.

Essential best practices:

  • Execute a Google Cloud BAA.
  • Ensure that PHI is stored and processed only in GCP products covered by the BAA; products outside the BAA must not touch PHI.

HIPAA  best practices:

  • Follow IAM best practices (least privilege, groups rather than individual users, no primitive roles on PHI projects).
  • Determine whether the organization has encryption requirements beyond those of the HIPAA Security Rule.
  • Enable Object Versioning in Cloud Storage so overwritten or deleted PHI objects remain recoverable.
  • Configure audit log export destinations.
  • Configure access control for the exported logs.
  • Periodically review audit logs for security and compliance.
  • Encrypt PHI and other sensitive data.
  • Avoid including PHI in
    • Dialogflow Enterprise Edition agent definitions
    • a resource’s metadata (for example, resource names and labels)
    • build config files, source control files, or other build artifacts.
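The following Terraform configuration is an added example, not code from the original page or from Google; it shows one way to apply the logging and Cloud Storage practices above in a PHI project. The project ID, bucket name, retention period and reader group are assumptions and must be replaced for a real environment.

```hcl
# Added example (not from the original page). Assumed identifiers:
# project "example-phi-project", bucket "<project>-audit-logs",
# reader group "security-audit@example.com".
variable "project_id" {
  default = "example-phi-project" # assumption
}

# Turn on Data Access audit logs for all services. By default only Admin
# Activity logs are written, so reads and writes of PHI would go unrecorded.
resource "google_project_iam_audit_config" "all_services" {
  project = var.project_id
  service = "allServices"

  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Dedicated destination bucket for exported audit logs.
# - versioning: overwritten or deleted log objects stay recoverable
#   (the default is off, which lets a writer silently replace logs)
# - uniform bucket-level access: no per-object ACLs, IAM alone decides
#   who can read the logs
# - retention policy: blocks deletion before the retention period ends
resource "google_storage_bucket" "audit_logs" {
  project  = var.project_id
  name     = "${var.project_id}-audit-logs" # assumption
  location = "US"

  uniform_bucket_level_access = true

  versioning {
    enabled = true
  }

  retention_policy {
    retention_period = 15552000 # 180 days in seconds; assumption, set per policy
  }
}

# Export all Cloud Audit Log entries from the project to the bucket.
resource "google_logging_project_sink" "audit_export" {
  project     = var.project_id
  name        = "audit-log-export"
  destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
  filter      = "logName:\"cloudaudit.googleapis.com\""

  # Give the sink its own service account rather than the shared default writer.
  unique_writer_identity = true
}

# The sink's service account needs only objectCreator on the destination.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit_logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.audit_export.writer_identity
}

# Limit log readers to a named group; never grant allUsers,
# allAuthenticatedUsers, or broad project-level storage roles here.
resource "google_storage_bucket_iam_member" "log_readers" {
  bucket = google_storage_bucket.audit_logs.name
  role   = "roles/storage.objectViewer"
  member = "group:security-audit@example.com" # assumption
}
```

The sink's writer identity is granted a role on the bucket only, not on the project, and readers are bound on the bucket rather than through a project-wide role, so the same least-privilege review used for PHI buckets applies to the log bucket. If the organization has encryption requirements beyond the Security Rule, a customer-managed KMS key can be attached to the bucket in addition to the settings shown.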