GCP HIPAA Compliance: How to Meet HIPAA Requirements on Google Cloud
HIPAA Compliance on Google Cloud
What HIPAA requires in the cloud
HIPAA requires administrative, physical, and technical safeguards for electronic protected health information (ePHI). On Google Cloud, you translate those safeguards into cloud controls: identity and access, network security, encryption, monitoring, backup, and documented processes for risk analysis and incident response.
Business Associate Agreement
Before storing or processing ePHI, you must execute a Business Associate Agreement with Google Cloud. The BAA defines permitted uses of ePHI, security obligations, breach notification, and subcontractor terms. Only use HIPAA-Eligible Services for ePHI once the BAA is in place and understood by your legal, security, and engineering teams.
Data segregation and location
Create dedicated folders, projects, and networks for ePHI to minimize blast radius and simplify audits. Enforce Data Residency Restrictions by selecting appropriate regions, applying resource location org policies, and validating that backups, logs, and analytics stores remain in approved locations.
Implementation checklist
- Sign and retain the BAA; scope exactly which workloads handle ePHI.
- Restrict projects to HIPAA-Eligible Services and disable unapproved APIs.
- Enforce least privilege with IAM, service accounts, and conditional policies.
- Enable Audit Logging, monitoring, and alerting across org, folder, and project.
- Apply an encryption strategy (CMEK, Cloud HSM, or External Key Manager) and document key stewardship.
- Harden networks (private access, egress controls, VPC Service Controls) and validate residency.
HIPAA-Eligible Services
Use an allowlist approach
Treat the HIPAA-Eligible Services catalog as your allowlist. Using services outside that list for ePHI may violate the BAA. Commonly used categories include compute (Compute Engine, GKE, Cloud Run), storage (Cloud Storage, Persistent Disk, Filestore), databases and analytics (Cloud SQL, AlloyDB, BigQuery), data integration (Pub/Sub, Dataflow), healthcare tooling (Cloud Healthcare API), security (Cloud Key Management Service, Secret Manager), and observability (Cloud Logging, Cloud Monitoring).
How to confirm eligibility
- Verify that the service, and the specific features you intend to use, are marked as HIPAA-Eligible Services.
- Prefer Generally Available features for ePHI; gate or disallow preview/beta features.
- Document service scope in your system security plan and align it with the BAA.
Operational guardrails
- Create organization policies that deny non-eligible services in ePHI projects.
- Use labels and folders to separate ePHI from non-ePHI workloads.
- Continuously review new releases to avoid drift from your eligibility allowlist.
Assured Workloads for HIPAA
What it is
Assured Workloads for HIPAA provides prescriptive guardrails that help you apply HIPAA-aligned controls at scale. It automates project scaffolding, enforces residency and service restrictions, and applies organization policies aligned to healthcare compliance needs.
Controls it enforces
- Data Residency Restrictions that constrain where regulated data can reside.
- Allow/deny lists for services and APIs to keep you on HIPAA-Eligible Services.
- Preconfigured organization policies (for example, external IPs, serial port, and OS login restrictions).
- Baseline logging requirements and security settings you can extend with your standards.
- Integration with network isolation patterns such as VPC Service Controls.
Adoption tips
- Create an Assured Workloads environment dedicated to HIPAA workloads and select the appropriate regions.
- Use separate folders, networks, and billing to contain ePHI and simplify audits.
- Pair Assured Workloads with strong key management, IAM, and change control.
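The guardrails described under "Operational guardrails" (deny non-eligible services, enforce residency) and under "Controls it enforces" (external IP, serial port, and OS Login restrictions) are all organization policies. The Terraform below is an added example, not code from the original article, from Google, or from Accountable; it applies those policies to a dedicated ePHI folder so every child project inherits them. The folder ID variable, the provider versions, and the contents of the service allowlist are assumptions: build the real allowlist from the current HIPAA-Eligible Services catalog.

```hcl
# Added example, not from the original article. Assumes Terraform >= 1.3,
# the google provider >= 4.x, and a folder (var.ephi_folder_id) that holds
# every ePHI project; child projects inherit these policies.

variable "ephi_folder_id" {
  description = "Numeric ID of the folder containing all ePHI projects"
  type        = string
}

locals {
  folder = "folders/${var.ephi_folder_id}"

  # Constructed sample allowlist: build the real one from the current
  # HIPAA-Eligible Services catalog. Any API not listed cannot be enabled.
  allowed_services = [
    "compute.googleapis.com",
    "container.googleapis.com",
    "run.googleapis.com",
    "storage.googleapis.com",
    "sqladmin.googleapis.com",
    "bigquery.googleapis.com",
    "pubsub.googleapis.com",
    "healthcare.googleapis.com",
    "cloudkms.googleapis.com",
    "secretmanager.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
  ]
}

# Service allowlist: deny by default, allow only the services above.
resource "google_org_policy_policy" "restrict_services" {
  name   = "${local.folder}/policies/gcp.restrictServiceUsage"
  parent = local.folder
  spec {
    rules {
      values { allowed_values = local.allowed_services }
    }
  }
}

# Data residency: only locations in the Google-maintained "us-locations"
# value group may be used for resources under this folder.
resource "google_org_policy_policy" "resource_locations" {
  name   = "${local.folder}/policies/gcp.resourceLocations"
  parent = local.folder
  spec {
    rules {
      values { allowed_values = ["in:us-locations"] }
    }
  }
}

# Compute hardening of the kind Assured Workloads preconfigures:
# no external IPs on VMs, serial console disabled, OS Login required.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "${local.folder}/policies/compute.vmExternalIpAccess"
  parent = local.folder
  spec {
    rules { deny_all = "TRUE" }
  }
}

resource "google_org_policy_policy" "disable_serial_port" {
  name   = "${local.folder}/policies/compute.disableSerialPortAccess"
  parent = local.folder
  spec {
    rules { enforce = "TRUE" }
  }
}

resource "google_org_policy_policy" "require_os_login" {
  name   = "${local.folder}/policies/compute.requireOsLogin"
  parent = local.folder
  spec {
    rules { enforce = "TRUE" }
  }
}
```

Applying gcp.restrictServiceUsage to a folder that already contains projects can stop running workloads that depend on an API missing from the list, so inventory the enabled APIs in each existing project and compare them against the allowlist before running terraform apply. Residency value groups such as in:us-locations are maintained by Google; pick the group that matches your approved locations rather than enumerating regions by hand, so new regions in that group are covered automatically.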
Encryption and Key Management
Encryption by default, then customer control
Data is encrypted at rest and in transit by default on Google Cloud. For regulated workloads, elevate control by using customer-managed encryption keys (CMEK) and, when required, external key management to meet policy or contractual obligations.
Cloud Key Management Service
Cloud Key Management Service lets you centrally create, rotate, disable, and destroy keys, with audit trails and role-based controls. Options include software-backed keys, Cloud HSM for hardware protection, and External Key Manager for hold-your-own-key patterns that keep key material outside Google’s infrastructure.
Design patterns for HIPAA
- Use CMEK for data stores such as BigQuery, Cloud Storage, and databases handling ePHI.
- Apply separation of duties: different teams manage keys, data, and deployment.
- Automate rotation and enforce just-in-time key permissions with break-glass approval.
- Log all key operations and monitor for anomalous decrypt or rewrap activity.
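The four design patterns above (CMEK on ePHI stores, separation of duties, automated rotation, and logged key use) can be expressed directly in infrastructure code. The Terraform below is an added example, not code from the original article, from Google, or from Accountable. The project ID, region, bucket name, and the key-admins@example.com group are assumptions; break-glass approval for just-in-time key access is an operational process that sits outside this configuration.

```hcl
# Added example, not from the original article. Assumes Terraform >= 1.3,
# the google provider >= 4.x, a project (var.project_id) in an approved
# region, and a constructed group key-admins@example.com that administers
# keys but holds no data roles; data users get bucket/dataset roles only.

variable "project_id" { type = string }
variable "region" {
  type    = string
  default = "us-east1" # constructed; must be an approved residency location
}

resource "google_kms_key_ring" "ephi" {
  name     = "ephi-keyring"
  project  = var.project_id
  location = var.region # key ring and data stores share a region
}

# HSM-protected key, rotated automatically every 90 days.
resource "google_kms_crypto_key" "ephi_data" {
  name            = "ephi-data-key"
  key_ring        = google_kms_key_ring.ephi.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }

  lifecycle {
    prevent_destroy = true # destroying the key makes the ciphertext unrecoverable
  }
}

# Separation of duties: roles/cloudkms.admin manages the key but does not
# include the encrypt/decrypt permissions, so key admins cannot read ePHI.
resource "google_kms_crypto_key_iam_member" "key_admins" {
  crypto_key_id = google_kms_crypto_key.ephi_data.id
  role          = "roles/cloudkms.admin"
  member        = "group:key-admins@example.com" # constructed
}

# Only the Cloud Storage and BigQuery service agents may use the key.
data "google_storage_project_service_account" "gcs" {
  project = var.project_id
}

data "google_bigquery_default_service_account" "bq" {
  project = var.project_id
}

resource "google_kms_crypto_key_iam_member" "gcs_agent" {
  crypto_key_id = google_kms_crypto_key.ephi_data.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_kms_crypto_key_iam_member" "bq_agent" {
  crypto_key_id = google_kms_crypto_key.ephi_data.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_bigquery_default_service_account.bq.email}"
}

# ePHI bucket: CMEK as the default key, uniform access to avoid per-object ACLs.
resource "google_storage_bucket" "ephi" {
  name                        = "${var.project_id}-ephi" # constructed naming
  project                     = var.project_id
  location                    = var.region
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = google_kms_crypto_key.ephi_data.id
  }
  depends_on = [google_kms_crypto_key_iam_member.gcs_agent]
}

# BigQuery dataset: every new table defaults to the same CMEK.
resource "google_bigquery_dataset" "ephi" {
  dataset_id = "ephi"
  project    = var.project_id
  location   = var.region

  default_encryption_configuration {
    kms_key_name = google_kms_crypto_key.ephi_data.id
  }
  depends_on = [google_kms_crypto_key_iam_member.bq_agent]
}
```

The depends_on edges matter: a bucket or dataset created before its service agent holds cryptoKeyEncrypterDecrypter fails at creation time. Key operations only appear in Cloud Audit Logs as Data Access entries, so enabling DATA_READ and DATA_WRITE audit logging for cloudkms.googleapis.com is what makes "log all key operations" true; the logging example later on this page enables it organization-wide.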
Shared Responsibility Model
What Google secures
Google secures the cloud: physical facilities, hardware, global network, foundational services, default encryption, and platform patching. These controls are independently assessed and supported by Compliance Certifications you can reference during audits.
What you secure
You secure what you build in the cloud: identity and access, network topology, workload hardening, key usage, logging, backup, and incident response. You also perform risk analysis, employee training, vendor management, and documentation required by HIPAA.
Where responsibilities meet
- Guest OS and container images: you patch and scan; Google secures the underlying hosts.
- Encryption: Google provides mechanisms; you choose CMEK/HSM/EKM and control access.
- Monitoring: platform emits signals; you configure Audit Logging, detection, and response.
Compliance Certifications
Using attestations to support HIPAA
Compliance Certifications such as SOC 2/3, ISO/IEC 27001/27017/27018, HITRUST CSF, and others provide third-party assurance over Google's controls. Use these reports to inform vendor due diligence, map inherited controls, and strengthen your HIPAA risk analysis and documentation.
Key practices
- Collect current reports for the services you use and note any scoped exclusions.
- Map certified controls to your HIPAA safeguards and identify customer-owned gaps.
- Incorporate report findings into policies, procedures, and audit evidence.
Logging and Monitoring
Audit-ready visibility
Effective oversight is essential for HIPAA. Enable Audit Logging organization-wide: Admin Activity, Data Access for sensitive resources, and System Event logs. Pair logs with Cloud Monitoring alerts to detect anomalous IAM changes, unexpected network egress, or unusual data access.
Security telemetry to collect
- Cloud Audit Logs, VPC Flow Logs, firewall and load balancer logs, and DNS logs.
- Access Transparency and Access Approval signals for oversight of support access.
- Asset inventory and configuration drift to catch policy violations early.
Retention, routing, and hygiene
- Export logs to BigQuery for analytics, Cloud Storage for long-term retention, and Pub/Sub for SIEM.
- Set bucket retention policies and, where appropriate, retention locks to meet recordkeeping needs.
- Avoid placing PHI in application logs; sanitize inputs and minimize data fields.
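The "Audit-ready visibility" paragraph and the "Retention, routing, and hygiene" list describe one pipeline: turn on Data Access audit logs everywhere, route them through organization-level sinks, and lock the archive. The Terraform below is an added example, not code from the original article, from Google, or from Accountable. The organization ID, logging project, region, bucket name, retention period, and sink filters are assumptions; set the retention period from your own recordkeeping policy.

```hcl
# Added example, not from the original article. Assumes Terraform >= 1.3,
# the google provider >= 4.x, var.org_id, and a dedicated logging project
# (var.logging_project_id) in an approved region.

variable "org_id" { type = string }
variable "logging_project_id" { type = string }
variable "region" {
  type    = string
  default = "us-east1" # constructed; must be an approved residency location
}

# Admin Activity and System Event logs are always on. This enables the
# Data Access logs (ADMIN_READ, DATA_READ, DATA_WRITE) for every service
# across the organization, which is what records reads of ePHI and key use.
resource "google_organization_iam_audit_config" "all_services" {
  org_id  = var.org_id
  service = "allServices"

  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}

# Long-term archive. A locked retention policy cannot be shortened or
# removed afterwards, and objects cannot be deleted before it elapses,
# even by project owners.
resource "google_storage_bucket" "audit_archive" {
  name                        = "${var.logging_project_id}-audit-archive" # constructed
  project                     = var.logging_project_id
  location                    = var.region
  uniform_bucket_level_access = true

  retention_policy {
    retention_period = 6 * 365 * 24 * 60 * 60 # 6 years in seconds (constructed)
    is_locked        = true
  }
  versioning { enabled = true }
}

# Org-level sink with include_children: audit logs from every folder and
# project under the organization land in the archive.
resource "google_logging_organization_sink" "audit_archive" {
  name             = "hipaa-audit-archive"
  org_id           = var.org_id
  destination      = "storage.googleapis.com/${google_storage_bucket.audit_archive.name}"
  include_children = true
  filter           = "logName:\"cloudaudit.googleapis.com\""
}

# The sink writes under its own service identity; it needs only objectCreator.
resource "google_storage_bucket_iam_member" "archive_writer" {
  bucket = google_storage_bucket.audit_archive.name
  role   = "roles/storage.objectCreator"
  member = google_logging_organization_sink.audit_archive.writer_identity
}

# Near-real-time SIEM feed limited to the events most worth alerting on:
# IAM policy changes anywhere, and all IAM and KMS administrative activity.
resource "google_pubsub_topic" "siem_feed" {
  name    = "hipaa-siem-feed"
  project = var.logging_project_id
}

resource "google_logging_organization_sink" "siem_feed" {
  name             = "hipaa-siem-feed"
  org_id           = var.org_id
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.siem_feed.id}"
  include_children = true
  filter           = <<-EOT
    logName:"cloudaudit.googleapis.com" AND (
      protoPayload.methodName:"SetIamPolicy" OR
      protoPayload.serviceName="iam.googleapis.com" OR
      protoPayload.serviceName="cloudkms.googleapis.com"
    )
  EOT
}

resource "google_pubsub_topic_iam_member" "siem_publisher" {
  topic  = google_pubsub_topic.siem_feed.id
  role   = "roles/pubsub.publisher"
  member = google_logging_organization_sink.siem_feed.writer_identity
}
```

Two caveats a reviewer would raise on this configuration. Data Access logs for allServices can be high volume and carry a cost, and for services such as Cloud Storage and BigQuery the payloads may describe ePHI objects; keep the archive bucket in the dedicated logging project, in an approved region, and restrict reader access as tightly as the data stores themselves. And is_locked is irreversible, so apply it only after the retention period has been confirmed against your recordkeeping policy; leave it unlocked in non-production environments.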
Summary
To achieve GCP HIPAA compliance, execute the BAA, constrain workloads to HIPAA-Eligible Services, enforce Data Residency Restrictions, apply strong encryption with Cloud Key Management Service, operate under a clear Shared Responsibility Model, rely on relevant Compliance Certifications, and maintain robust Audit Logging with responsive monitoring.
FAQs
What Google Cloud services are HIPAA eligible?
Google publishes a catalog of HIPAA-Eligible Services. Common examples include Compute Engine, Google Kubernetes Engine, Cloud Run, Cloud Storage, BigQuery, Cloud SQL, Pub/Sub, Dataflow, Secret Manager, Cloud Logging, Cloud Monitoring, and Cloud Healthcare API. Always verify eligibility for the exact service and feature set you plan to use and restrict ePHI projects to that allowlist.
How does Google Cloud support encryption for HIPAA compliance?
Data is encrypted at rest and in transit by default. You can strengthen control with CMEK backed by Cloud Key Management Service, store keys in Cloud HSM, or use an External Key Manager to keep keys outside Google infrastructure. Apply fine-grained IAM for key use, automate rotation, and monitor key activity to meet policy and audit expectations.
What is the Shared Responsibility Model in GCP HIPAA compliance?
The Shared Responsibility Model means Google secures the cloud (facilities, hardware, foundational services, default encryption), while you secure what you deploy in the cloud (identity, network, workload hardening, key usage, logging, backups, and incident response). Many controls are shared: Google provides mechanisms; you configure, monitor, and document them to satisfy HIPAA.
How does Assured Workloads help meet HIPAA requirements?
Assured Workloads for HIPAA applies guardrails that enforce residency, restrict services to HIPAA-Eligible options, and codify organization policies aligned with healthcare needs. It accelerates compliant-by-design environments, reduces misconfiguration risk, and complements your encryption, IAM, monitoring, and documentation practices required under HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.