Google Forms is a survey administration tool that allows forms to be created for data collection purposes, but is Google Forms HIPAA compliant and suitable for use by healthcare organizations?

Google Forms can be used to conduct opinion polls, manage event registrations, or collect information through internal or public-facing websites.

Google Forms could be used in a number of ways that would not involve contact with any data covered by HIPAA Rules and, as such, the solution could be used by healthcare organizations without falling afoul of HIPAA Rules.

However, if Google Forms is used to collect protected health information or in any other capacity that requires contact with PHI, as the developer of the solution, Google would be considered a business associate and HIPAA would apply to Google Forms.

Is Google Forms HIPAA Compliant?

Before any software application can be used in connection with protected health information, healthcare organizations must ensure that safeguards are in place to ensure the confidentiality, integrity, and availability of any protected health information that is created, received, stored, maintained, or transmitted by that software.

Satisfactory assurances must be obtained from the software developer that the application is compliant with HIPAA Rules and the developer must provide those assurances by signing a HIPAA-compliant business associate agreement with the HIPAA-covered entity. The business associate agreement outlines the responsibilities the developer has with respect to protected health information and HIPAA.

Google does enter into business associate agreements with HIPAA-covered entities and several of its software solutions and services are covered by its BAA, but not all its products and services.

Since Google Forms is part of Google Drive, which is covered by Google’s BAA, the solution can be considered compliant with HIPAA Rules. Provided a healthcare organization obtains a signed BAA from Google that covers Google Drive and includes Google Forms, the solution can be used in connection with ePHI without violating HIPAA Rules. We therefore consider Google Forms to be HIPAA Compliant.

That said, it is not actually possible for any software solution to be HIPAA compliant per se, as compliance is about the people that use software solutions. It is possible to violate HIPAA Rules with Google Forms, even with a BAA in place.

As with all software and cloud-based solutions, access should be restricted to authorized individuals, any data collected, processed, stored, or transmitted through the solution must be protected at all times, audit controls must be in place, and logs must be created and checked regularly for unauthorized access. Provided Google Forms is correctly configured, and other measures are in place to ensure it is used in a HIPAA-compliant manner, the solution is suitable for use in healthcare.