A risk analysis must be completed to assess potential risks to the confidentiality, integrity, and availability of ePHI. Identified risks must be subjected to a HIPAA-compliant risk management process and reduced to a reasonable and appropriate level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.
Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed to it, even if the service provider says it does not access customer data.
Google has the necessary security controls in place to safeguard data uploaded to Google Calendar, and access and audit controls can be configured, so Google Calendar HIPAA compliance depends on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities and their business associates.
Google’s Business Associate Agreement
Google will sign a business associate agreement with healthcare groups for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging service in Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.
HIPAA-covered entities must complete a BAA with Google before any of the above services are used with ePHI. Once a signed BAA has been obtained, the services can be implemented, although it remains the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a service that can be used in a HIPAA-compliant way, but it is still possible for organizations and their employees to violate HIPAA Rules using its services.