Under the Health Insurance Portability and Accountability Act (HIPAA), certain information about a person’s health or health care services is classified as Protected Health Information (PHI).
Google is committed to ensuring that our customers' data is safe, secure and always available. Looker Studio supports HIPAA compliance (within the scope of the Google Cloud Platform Business Associate Agreement (BAA)) but ultimately customers are responsible for evaluating their own HIPAA compliance.
This article is intended to help security officers, compliance officers, IT administrators, and other employees who are responsible for HIPAA compliance in their organizations use Looker Studio in a way that meets their compliance needs.
Disclaimer
This guide is for informational purposes only. Google does not intend the information or recommendations in this guide to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of Looker Studio as appropriate to support its legal compliance obligations.
Customer responsibilities
Looker Studio customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Looker Studio in connection with PHI. Customers who are subject to HIPAA and wish to use Looker Studio with PHI must execute a Google Cloud Platform Business Associate Agreement (BAA) with Google before proceeding. Customers who have not signed the Google Cloud Platform BAA with Google must not use Looker Studio in connection with PHI. Please note that the previous Looker Studio BAA can no longer be accepted by new customers.
Learn more about HIPAA compliance on Google Cloud Platform.
How to use Looker Studio with PHI
Looker Studio customers who are subject to HIPAA can access Looker Studio for use with PHI under the BAA as long as the customer configures Looker Studio to be HIPAA compliant.
For Google Workspace and Cloud Identity customers
The Google Admin console has specific settings that help ensure that data is secure, and is used and accessed only in accordance with your requirements. Here are some actionable recommendations to help you address specific concerns.
Monitoring account activity
The Admin console reports and logs make it easy to look for potential security risks, measure user collaboration, track who signs in and when, analyze administrator activity, and much more. To monitor logs and alerts, admins can configure notifications when suspicious events occur. The admin can also review reports and logs on a regular basis to examine potential security risks. For example, Looker Studio’s Admin console report can show which files are shared with external domain users. Admins should consider periodically viewing these reports for employees who manage PHI to ensure PHI is not inadvertently shared.
Sharing options
Looker Studio users can control the editing and sharing capabilities of collaborators when sharing Looker Studio assets. We recommend that users avoid putting PHI in titles of such assets.
Admins can set file sharing permissions to the appropriate visibility level for the Workspace or Cloud Identity account. Admins can “Restrict” or “Allow” users to share documents outside the domain. We suggest that you configure file sharing permissions to prevent users who work with PHI from sharing Looker Studio assets outside of your organization.
Technical support services
You must not provide PHI to Google when accessing Looker Studio technical support services.
Additional resources
Ensuring that our customers' data is safe, secure and always available to them is one of our top priorities. To demonstrate our compliance with security standards in the industry, in addition to implementing the Google Cloud Business Associate Agreement, Google has sought and received multiple certifications for Looker Studio.