Is Google Forms HIPAA Compliant?

Google Forms allows you to easily create forms and collect data from your patients. But if you are collecting patient information such as name, phone number, address, date of birth or social security number, you must comply with the HIPAA regulations. Such individually identifiable patient information is called Protected Health Information (PHI), and forms that capture it must be HIPAA compliant. For example, intake and assessment forms that capture a patient's name or phone number must be HIPAA compliant.


Table of contents:
  1. HIPAA compliance: Product + Process

  2. Product: HIPAA Compliance with Google Workspace

  3. Process: How to use Google Forms without violating HIPAA

  4. Addon: Google Forms HIPAA compliance with Hipaache

HIPAA compliance: Product + Process

HIPAA compliance depends on the product (Google Forms) as well as on how that product is used (by you):

  1. Product: The Google Forms version that you use must have security and privacy features such as data encryption in transit and at rest, audit logs, access controls and sharing permissions, which are the safeguards necessary to protect PHI.

  2. Process: You must define the purpose of the form, then identify and limit the PHI that has to be collected in it. You should also define how the collected PHI is handled, who has access to it, and how any data breach is reported.

Additionally, you must also train your co-workers who handle PHI about the HIPAA regulations and how to use the product to ensure HIPAA compliance.

Product: HIPAA Compliance with Google Workspace

Google Forms created using a personal account are not HIPAA compliant by default. You can upgrade to a Google Workspace edition that supports HIPAA compliance, or use our templates, which are created in our HIPAA compliant Google Workspace.

If you subscribe to the Google Workspace platform, sign the Business Associate Addendum (BAA) with Google and set up access control for your accounts to meet HIPAA requirements. To review and accept this BAA:


  1. Login to the admin console using the administrator account for your Google Workspace

  2. In the Admin console, click on the menu icon > click Account > click Account settings

  3. In the Account settings page, click Legal and Compliance > click Security and Privacy Additional Terms

  4. Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment

  5. Click Review and Accept > answer all three questions to confirm that you are a HIPAA covered entity or Business associate of the covered entity

  6. To accept the HIPAA BAA, click OK.


Process: How to use Google Forms without violating HIPAA

Compliance with HIPAA is essential to protect patients' privacy and ensure the security of their health information. Are you using Google Forms correctly, so that your use does not violate HIPAA?

The HIPAA Privacy Rule outlines the permitted uses and disclosures of protected health information (PHI). When using Google Forms to collect PHI, you should follow these steps:

  • Limit PHI collection: You must set up your Google Forms to collect only the minimum necessary PHI. You should avoid asking for sensitive information unless it is required for the specific purpose of the form.

  • Data retention and deletion: If you must collect sensitive patient data, establish clear data retention policies and procedures for the collected PHI. Ensure that the data is permanently removed from Google Forms and the linked Google Sheets when it is no longer needed.

  • Notice of privacy practices: Provide a notice that informs individuals about their privacy rights, how they may exercise these rights, and how their medical information may be used and disclosed. You can add a section containing this notice to the Google Form itself, or publish it on your website and add the link to every Google Form used to collect PHI.

  • Get consent & authorization: Set up your Google Forms to obtain consent and authorization for the use and disclosure of PHI to carry out treatment, payment and health care operations.

The HIPAA Security Rule defines the administrative, physical and technical safeguards to protect the PHI. When using Google Forms to collect PHI, you should follow these steps:

  • User login: Implement user authentication and access controls to prevent unauthorized individuals from accessing PHI. You must not use a shared login account for your team; otherwise, system access and activity cannot be identified and tracked per user.

  • Implement access controls: Share your Google Forms and the linked Google Sheets only with authorized individuals to restrict access to the collected PHI. Unlike Google Forms, Google Sheets provides granular access control features. When you use Google Sheets to share data with your team, set up proper user authentication, permission levels and access restrictions to protect data confidentiality.

  • Email notifications: The Security Rule does not expressly prohibit the use of email for sending e-PHI, but it recommends implementing policies and procedures to restrict access. Since the Google Forms response receipt feature does not allow you to customize the content, you should enable this option only if it is absolutely required.

  • Prefill links: Google Forms allows you to prefill answers by passing values via URL parameters. You must not use this feature to prefill PHI, as the values are exposed in the link itself.
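As an added example (not from the original page or the add-on it describes), a small Python check that makes the prefill exposure concrete: it parses the `entry.*` parameters of a Google Forms prefill link, reports the ones mapped to PHI fields, and returns a copy of the link with those parameters removed. The entry ids, the field mapping, the form id placeholder and the sample values are constructed for this example.

```python
"""Review a Google Forms prefill link for PHI carried in its query string.

Google Forms prefill links pass answers as `entry.<field id>=<value>` URL
parameters, so anything prefilled is visible to whoever sees the link.
The field ids, labels and sample link below are constructed for this example.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed mapping of a hypothetical form's entry ids to (label, is_phi).
FIELDS = {
    "entry.1000001": ("Patient name", True),
    "entry.1000002": ("Phone number", True),
    "entry.1000003": ("Preferred clinic", False),
}


def find_exposed_phi(url: str) -> dict:
    """Return {field label: value} for every PHI field prefilled in `url`."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    exposed = {}
    for key, value in params:
        label, is_phi = FIELDS.get(key, (key, False))
        if is_phi and value:
            exposed[label] = value
    return exposed


def strip_phi(url: str) -> str:
    """Return the same link with PHI parameters removed; other prefills stay."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not FIELDS.get(k, (k, False))[1]]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed sample link: the form id is a placeholder, values are made up.
SAMPLE = ("https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/viewform"
          "?usp=pp_url&entry.1000001=Jane+Doe&entry.1000002=555-0100"
          "&entry.1000003=Downtown")

if __name__ == "__main__":
    for label, value in find_exposed_phi(SAMPLE).items():
        print(f"PHI exposed in link: {label} = {value!r}")
    print("link without PHI:", strip_phi(SAMPLE))
```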


The problem with these restrictions is that they limit the features you can use and degrade the patient experience. For example, without showing the name and email, it is harder for patients to know whether a prefill link is meant for them, and harder for you to identify the patient who filled in the form.

Addon: Google Forms HIPAA compliance with Hipaache

Our add-on provides key functionality that allows you to create HIPAA compliant Google Forms while improving the patient experience.

  • Mark fields as PHI: You can mark a field as Protected Health Information to secure sensitive healthcare data and automatically limit access to PHI when exporting the data to Google Sheets or sending notification emails.

  • Mask PHI in email: Automatically mask PHI when sending responses on email to ensure that patient data is only visible to authorized personnel and not inadvertently disclosed. You can also customize the message to include only the relevant details in the email.

  • Collect signatures: You can add a signature field in the form to collect e-signatures for acknowledgement of privacy practices, informed consent for treatment and authorization for use and disclosure of medical data.

  • Create secure prefill links: Google Forms allows you to prefill answers, but the PHI is exposed because the values are passed via URL parameters. You can now share prefill links without exposing PHI, which improves the patient experience and reduces data entry errors.

  • Set field permissions: Any field that you add in Google Forms is editable by the users. If you prefill answers in the form, users can easily modify them before submitting it. You can now make fields editable, read-only or hidden in Google Forms.

  • Versioning and audit logs: Google Forms does not have versioning. Any changes to the submitted form responses cannot be easily tracked. You can now provide a secure option for the users and collaborators to edit responses that are automatically tracked and included in the audit.
