Is GCP HIPAA Compliant?
By Gil Vidals, HIPAA Blog, HIPAA Hosting, Resources, Security

In the not-too-distant past, “the cloud” was an ethereal concept for many – a far-off place in the firmament where our data was magically stored and retrieved. 

Yet what the IT department always knew is now more commonly understood: this marvel of technology has its feet planted firmly on the ground. 

We know it because the cloud – this physical infrastructure of servers and storage devices located in various regional data centers – has become commonplace, transforming our culture and providing greater efficiency, agility, and innovation in the way information and services are exchanged. 

For healthcare, cloud-first has numerous silver linings: significant reduction in capital equipment costs; expansion of remote care; and greater data accessibility and interoperability, which in turn can lead to a more informed diagnosis as we’ve seen previously.    

The ultimate benefit, of course, is patients who are helped to live healthier, longer lives.

A HIPAA-Compliant Cloud? 

That said, we continue to hear of significant attacks throughout the first half of 2023, waged against healthcare data:

  • This past March, a ransomware attack hit Onix Group of Kennett Square, Pennsylvania, affecting 319,500 individuals in its various affiliates, including Addiction Recovery Systems, Cadia Healthcare, and others. 
  • Also in March, 33,000 patients in Brooklyn, New York-based Maimonides Medical Center’s (MMC) systems had their data breached. 
  • Sometime in early February, iSpace, a global IT services company that specializes in the technology, healthcare, entertainment, and automotive sectors, suffered a breach that impacted 24,382 individuals.

HIPAA Journal also reports that May 2023 was one of the “worst-ever months in terms of the number of breached records, which increased by 330% month-over-month to an astonishing 19,044,544 breached records.”

HIPAA Vault understands, then, if you have questions. HIPAA’s focus on control, privacy, and security should rightly cause providers and developers to ask, 

“Can I really entrust my data to a giant public cloud service provider like Google – one whose servers and data centers are not directly under my watchful eye (as my legacy equipment is), or at least in the same vicinity as my company or healthcare practice?” 

Further, is Google willing to sign a Business Associate Agreement, or BAA – a written pledge required by HIPAA – promising to do its part in protecting and keeping sensitive healthcare data private? And what about issues of monitoring and logging, and disaster recovery? 

Those are important questions, and key components of a HIPAA-compliant cloud. 

So before we go any further, let’s review a more complete list of what actually makes a cloud HIPAA compliant, so we can see if GCP with HIPAA Vault meets the test.

A HIPAA-compliant cloud should:

  1. ensure that physical, technical, and administrative safeguards are in place to protect electronic protected health information (ePHI) – whether in transit or in storage in a data center – from unauthorized access, use, and disclosure. (The Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164).
  2. provide 24/7 auditing and monitoring capabilities to detect and report security incidents and breaches. (The Security Rule, Section 164.308(a)(1)(ii)(c); 164.312(1)(b) – Audit controls (required)). 
  3. ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) through encryption and decryption, unique user identification and password protection (2FA), and backup and recovery measures. (The Security Rule, Technical Safeguards § 164.312(a)(2)(iv)); CFR 164.308(a)(1)).
  4. conduct a risk assessment of the cloud deployment and implement appropriate security measures (e.g. vulnerability scans) to address identified risks. (Section 164.308(a)(1)(ii)(A))
  5. ensure that all personnel with access to ePHI receive training on HIPAA regulations and security practices. (Administrative Requirement of the Privacy Rule (45 CFR §164.530) and Administrative Safeguard of the Security Rule (45 CFR §164.308)).
  6. enter into a Business Associate Agreement (BAA) with any cloud service provider that will have access to ePHI, outlining the responsibilities of each party for protecting ePHI and complying with HIPAA regulations. (The Privacy Rule, 45 CFR 164.502(e), 164.504(e), 164.532(d)).

Meeting these requirements helps to ensure that a cloud deployment is compliant with HIPAA regulations and that ePHI is adequately protected.

Google’s BAA 

Since HIPAA Vault is a Managed Security Service Provider (MSSP) and a trusted Google Cloud partner, we can speak directly to concerns over HIPAA compliance as it relates to the proven solutions we’ve built on the Google Cloud Platform (GCP). 

We chose Google not merely for its compliant infrastructure and wide range of services – from compute and storage, to networking and analytics – but because GCP allows us to help you to build, deploy, and scale your applications with unprecedented speed, security, and economy.

For providers, that means we handle the technical and security concerns, while you concentrate on your business.

For developers, that means you save money, while your app gets to market faster. 

And the good news is, Google does offer a BAA, and ensures that “the Google products covered under the BAA meet the requirements under HIPAA and align with our ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report.”

An extensive list of Google’s services covered under its BAA – everything from Cloud Build and Cloud SQL to enterprise-level services such as BigQuery, API Gateway, and Google Kubernetes Engine (GKE) – can be found here.  

(Note: Though not technically part of the Google Cloud Platform (GCP), Google Workspace (formerly G Suite) is part of the broader Google Cloud suite of services, which includes GCP. We cover the question “Is Google Workspace HIPAA compliant?” separately).

As an official Google Cloud Partner, HIPAA Vault can help you expedite a BAA with Google for your required service. 

Compliance and Security

In terms of audits and security, Google maintains a world-class internal audit team for compliance, security, and ongoing review of global regulations. 

Before and after a product launch, a privacy team oversees automated processes that audit data traffic. In addition to inside security, privacy, and compliance teams, outside experts are consulted to perform regular security assessments.

From an infrastructure perspective, Google’s software, servers, internal machines, and secure data centers are all aimed at providing superior data storage and protection with end-user privacy safeguards. 

This high level of technical expertise and consistent service is unmatched and has helped establish a generally accepted truth about the cloud, as Gartner notes:

“The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.”

In other words, maintaining compliance is also up to you, as your staff observes compliant practices like protecting passwords, avoiding phishing emails, etc.

Unique User Identification, 2FA

GCP provides mechanisms for unique user identification, such as Identity-Aware Proxy (IAP) which provides the user’s identity and unique user IDs. Additionally, Google OAuth Login service provides a unique session token for user authentication, and Firebase Authentication provides silos of unique user identifiers.

Two-factor authentication, or 2-step verification, is another tool provided by Google that HIPAA Vault’s administrators use to add an additional security layer for accessing a server. This means that in addition to the standard username/password combination, a unique verification code is generated and sent to users each time they seek to log in to their server.

The Necessity of Proven Encryption

Encryption protects your data by replacing it with ciphertext, making it unreadable until decrypted. Cybercriminals seek to exploit sensitive data to their advantage, bypassing these encryption protections by attempting to access keys or crack encryption algorithms.

The National Institute of Standards and Technology (NIST) has set the standards and requirements for cryptographic modules for U.S. federal agencies with Federal Information Processing Standard (FIPS) 140-2. Covering hardware, software, and/or firmware, it establishes a validated certification for how sensitive, unclassified information is stored. 

The Google Cloud Platform uses a FIPS 140-2 validated encryption module called BoringCrypto (certificate 3318), which ensures the encryption of data that is “in transit” (outside Google’s physical boundaries to the customer, and the wide area network (WAN) between data centers), and “at rest.”

In addition, all at-rest data is chunked, individually encrypted, then “wrapped” with additional encryption keys. Encryption is also maintained throughout the backup process (see below). Google offers these multiple layers of data encryption for their customers by default. 

As a data-security pioneer with one of the largest, most security-conscious private networks in the world, Google continually invests in new innovations for encryption technology, including Key Transparency and post-quantum cryptography. 

A cloud-hosted key management service (KMS) also allows you to manage cryptographic keys in the same way as you would for on-premises environments.
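The chunk-and-wrap layering described above (each chunk encrypted under its own key, and those keys in turn encrypted under a key held in the key management service) is the envelope-encryption pattern. The following Go program is an added example written for this post, not Google's or HIPAA Vault's code: it uses AES-GCM from the Go standard library, and a local byte slice stands in for the KMS-held key encryption key (KEK), so it runs offline. The names Encrypt, Decrypt, chunkSize and encryptedChunk, and the 16-byte chunk size, are the example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const chunkSize = 16 // deliberately tiny so a short message yields several chunks

// encryptedChunk is what gets stored; it carries no key material in the clear.
type encryptedChunk struct {
	WrapNonce  []byte // nonce used when wrapping the DEK under the KEK
	WrappedDEK []byte // the chunk's data encryption key, encrypted under the KEK
	Nonce      []byte // nonce used when sealing the chunk under the DEK
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// chunkAAD binds a chunk to its index so that reordered chunks fail authentication.
func chunkAAD(i int) []byte { return []byte(fmt.Sprintf("chunk:%d", i)) }

// Encrypt splits plaintext into chunks, seals each under a fresh DEK and wraps that DEK under kek.
func Encrypt(kek, plaintext []byte) ([]encryptedChunk, error) {
	var out []encryptedChunk
	for i := 0; i*chunkSize < len(plaintext); i++ {
		start, end := i*chunkSize, (i+1)*chunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		dek := make([]byte, 32) // AES-256 key used for this chunk only
		if _, err := rand.Read(dek); err != nil {
			return nil, err
		}
		nonce, ct, err := seal(dek, plaintext[start:end], chunkAAD(i))
		if err != nil {
			return nil, err
		}
		wrapNonce, wrapped, err := seal(kek, dek, nil) // stands in for a KMS "wrap" call
		if err != nil {
			return nil, err
		}
		out = append(out, encryptedChunk{wrapNonce, wrapped, nonce, ct})
	}
	return out, nil
}

// Decrypt unwraps each DEK under kek and opens its chunk; tampering, a wrong KEK or
// reordered chunks surface as an authentication error, never as silently wrong plaintext.
func Decrypt(kek []byte, chunks []encryptedChunk) ([]byte, error) {
	var out []byte
	for i, c := range chunks {
		dek, err := open(kek, c.WrapNonce, c.WrappedDEK, nil) // stands in for a KMS "unwrap" call
		if err != nil {
			return nil, fmt.Errorf("chunk %d: unwrap DEK: %w", i, err)
		}
		pt, err := open(dek, c.Nonce, c.Ciphertext, chunkAAD(i))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	kek := make([]byte, 32) // all-zero demo KEK; a real KEK lives in the KMS and never leaves it
	chunks, _ := Encrypt(kek, []byte("constructed sample record: patient 0001, visit 2023-05-01"))
	pt, err := Decrypt(kek, chunks)
	fmt.Printf("%d chunks, plaintext=%q, err=%v\n", len(chunks), pt, err)
}
```

Two design points carry over to real deployments: the chunk index is passed as additional authenticated data, so a stored chunk cannot be swapped into another position without failing authentication; and the only operation that ever touches the KEK is the wrap/unwrap step, which in a KMS-backed design is the call that gets access-controlled and audit-logged, while bulk data never leaves the application.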

Backups 

High availability for your HIPAA data requires high redundancy. With Google’s “redundancy of everything” approach, your data is systematically replicated multiple times across active servers and distributed geographically. 

Service continuity is ensured by a highly redundant system, one where the failure of a single server, data center, network connection, or even a maintenance window will not result in downtime or loss of data. 

In other words, your data is always available within a secondary system, should one system fail, and encryption is maintained throughout. 

Distributed, compliant data centers with redundant security, power, and environmental controls minimize the impact of a natural disaster or a local power outage, so your sensitive data will remain available.  

Audit Logs

HIPAA requires that detailed audit logs be kept, recording who has accessed ePHI on your server(s) and why they’ve accessed it – both failed and successful log-in attempts. This system and network access information, including any security event or malicious software, attempted breach, or even attempts to delete or modify the logs themselves, must be kept for a minimum of six years. 

Google will keep all admin activity, data access, and system event logs for varying lengths of time, which can then be exported so you can retain them for as long as needed. 
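Exported logs only satisfy the requirement if someone can read them back and answer "who accessed what, and did it succeed". The following Go program is an added example, not Google's or HIPAA Vault's tooling: it parses a handful of constructed entries in the shape of Cloud Audit Log records (a protoPayload carrying authenticationInfo, methodName, resourceName and status) stored one JSON object per line, tallies successful versus failed calls per principal, and raises findings for denied requests and for calls that delete logs or change log routing, the "attempts to delete or modify the logs themselves" mentioned above. The project, bucket, identities and IP addresses in the sample are placeholders, and the field subset read and the method-name matching in isLogTampering are the example's own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// auditEntry holds the Cloud Audit Log fields this example reads; the JSON names
// follow the LogEntry/AuditLog schema and encoding/json ignores everything else.
type auditEntry struct {
	ProtoPayload struct {
		ServiceName        string `json:"serviceName"`
		MethodName         string `json:"methodName"`
		ResourceName       string `json:"resourceName"`
		AuthenticationInfo struct {
			PrincipalEmail string `json:"principalEmail"`
		} `json:"authenticationInfo"`
		RequestMetadata struct {
			CallerIP string `json:"callerIp"`
		} `json:"requestMetadata"`
		Status struct {
			Code int `json:"code"` // google.rpc.Code; absent/0 means success
		} `json:"status"`
	} `json:"protoPayload"`
}

// PrincipalStats tallies one identity's successful and failed calls.
type PrincipalStats struct{ Succeeded, Failed int }

// Finding is an event a reviewer should look at.
type Finding struct{ Principal, CallerIP, Method, Resource, Reason string }

const codePermissionDenied, codeUnauthenticated = 7, 16 // google.rpc.Code values

// isLogTampering flags calls that delete logs or change log routing (example heuristic).
func isLogTampering(service, method string) bool {
	return service == "logging.googleapis.com" &&
		(strings.Contains(method, "Delete") || strings.Contains(method, "UpdateSink"))
}

// Summarize parses newline-delimited JSON audit entries into per-principal tallies and findings.
func Summarize(ndjson string) (map[string]*PrincipalStats, []Finding, error) {
	stats := map[string]*PrincipalStats{}
	var findings []Finding
	for n, line := range strings.Split(ndjson, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		p := e.ProtoPayload
		who := p.AuthenticationInfo.PrincipalEmail
		if stats[who] == nil {
			stats[who] = &PrincipalStats{}
		}
		if p.Status.Code == 0 {
			stats[who].Succeeded++
		} else {
			stats[who].Failed++
		}
		denied := p.Status.Code == codePermissionDenied || p.Status.Code == codeUnauthenticated
		f := Finding{Principal: who, CallerIP: p.RequestMetadata.CallerIP, Method: p.MethodName, Resource: p.ResourceName}
		switch {
		case isLogTampering(p.ServiceName, p.MethodName):
			f.Reason = "log deletion/configuration call"
			if denied {
				f.Reason += " (denied)"
			}
			findings = append(findings, f)
		case denied:
			f.Reason = "permission denied"
			findings = append(findings, f)
		}
	}
	return stats, findings, nil
}

// sampleEntries is constructed data in the shape of exported audit log entries; all values are placeholders.
const sampleEntries = `
{"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","resourceName":"projects/_/buckets/ephi-bucket/objects/patient-0001.pdf","authenticationInfo":{"principalEmail":"clinician@example.com"},"requestMetadata":{"callerIp":"203.0.113.10"}}}
{"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","resourceName":"projects/_/buckets/ephi-bucket/objects/patient-0001.pdf","authenticationInfo":{"principalEmail":"contractor@example.com"},"requestMetadata":{"callerIp":"198.51.100.7"},"status":{"code":7}}}
{"protoPayload":{"serviceName":"logging.googleapis.com","methodName":"google.logging.v2.LoggingServiceV2.DeleteLog","resourceName":"projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access","authenticationInfo":{"principalEmail":"contractor@example.com"},"requestMetadata":{"callerIp":"198.51.100.7"},"status":{"code":7}}}
{"protoPayload":{"serviceName":"logging.googleapis.com","methodName":"google.logging.v2.ConfigServiceV2.DeleteSink","resourceName":"projects/example-project/sinks/ephi-audit-archive","authenticationInfo":{"principalEmail":"admin@example.com"},"requestMetadata":{"callerIp":"203.0.113.20"}}}
{"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","resourceName":"projects/_/buckets/ephi-bucket/objects/patient-0002.pdf","authenticationInfo":{"principalEmail":"clinician@example.com"},"requestMetadata":{"callerIp":"203.0.113.10"}}}
`

func main() {
	stats, findings, err := Summarize(sampleEntries)
	if err != nil {
		panic(err)
	}
	for who, s := range stats {
		fmt.Printf("%-24s ok=%d failed=%d\n", who, s.Succeeded, s.Failed)
	}
	for _, f := range findings {
		fmt.Printf("FINDING %s: %s from %s called %s on %s\n", f.Reason, f.Principal, f.CallerIP, f.Method, f.Resource)
	}
}
```

Because a successful sink deletion is itself the event that would stop future exports, the example treats it as a finding regardless of who made the call; in practice the retained copy of the logs is what lets such a gap be noticed after the fact.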

Why GCP with HIPAA Vault? 

Clearly, Google Cloud meets the test for enterprise web hosting and HIPAA compliance. How the end-user manages the controls and HIPAA policies becomes the real issue. 

HIPAA Vault’s expertise with GCP can help your enterprise navigate these complex cloud concerns, allowing for significant cost-savings and greater peace of mind knowing your critical patient data is in good hands.   

Like Google, HIPAA Vault embraces a “zero trust” security approach in all our HIPAA cloud enterprise solutions.

The idea here is that no user or network should ultimately be “trusted,” and all attempts to access a business system or application must be verified before any level of access is granted. 

This extends to the sharing of sensitive data – both from “insiders” within your company (an often overlooked, but frequent cause of data loss) and external contractors – which makes encryption a necessity. 

For this reason, all of our HIPAA GCP enterprise hosting solutions are designed with user controls to protect your sensitive data, both inside and outside your network.

Our advanced automation, detection, and mitigation capabilities, and proven ability to configure your environment and servers for HIPAA compliance, help ensure that your critical data is well protected.

Questions about how we can help your organization harness the benefits of the cloud? Call or chat us today! 760-290-3460, or www.hipaavault.com.


Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA-compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.