Yes, Google Sheets is HIPAA compliant because Google will sign a Business Associate Agreement (BAA). Google Sheets also offers a range of security features that meet HIPAA standards, including access controls, auditing, and encryption.
Google Sheets is part of G Suite, which uses high-level encryption to protect patient health information (PHI). Google doesn’t access the PHI in Google Sheets but still needs to sign a BAA since this data is stored on Google servers. Google will sign an agreement with businesses that use G Suite services such as Google Sheets, Google Docs, Google Slides, Google Drive, and Google Forms.
While Google Sheets offers HIPAA-compliant security features, covered entities are responsible for maintaining the right security settings. Your healthcare organization must configure Google Sheets to be HIPAA compliant.
Admin console logs and reports are an important part of HIPAA-compliant security for Google Sheets and all other apps in G Suite. Use these tools to monitor user collaboration, examine security risks, track sign-ins, and analyze activity. Administrators can set alerts for events such as suspicious login attempts, user suspensions, reactivation of suspended users, new user additions, password changes, and the granting or revoking of admin privileges.
In Google Sheets, administrators set visibility and access permissions for both files and folders. These settings also manage the sharing and editing capabilities of collaborators.
When using Google Apps, administrators can separate user access for team members who manage PHI. This feature allows an administrator to activate or deactivate specific services for users. For example, since Google+ and YouTube aren’t HIPAA compliant, administrators should turn off these apps. Also, consider disabling third-party applications and add-ons.