When configuring Google Forms, administrators should set the sharing permissions to manage data visibility and access. Additionally, admins should disable third-party applications that don’t meet HIPAA privacy standards. Software compliance depends on how the software is used, which is why administrators should adjust privacy settings properly before and while using Google Forms to collect and manage patient information.
Other possible HIPAA-compliant safeguards include encryption to protect sensitive information, user authentication, and audit controls that track information access.
If a covered entity uses Google Forms to collect protected health information (PHI), it must have a business associate agreement (BAA) in place before collecting PHI through this tool. Google may offer a signed BAA that covers Google Forms as well as other Google Workspace services such as Gmail, Docs, Sheets, Calendar, and Slides.