Google Cloud Run HIPAA Compliance Guide: Eligibility, BAA, and Step-by-Step Setup Checklist
Google Cloud Run HIPAA Eligibility
This Google Cloud Run HIPAA Compliance Guide explains when Cloud Run can handle Protected Health Information (PHI) and how the Business Associate Agreement (BAA) fits in, and provides a practical step-by-step setup checklist. Compliance on Google Cloud follows a shared-responsibility model: Google secures the platform, and you configure and operate your services to meet your own HIPAA obligations.
Conditions for HIPAA eligibility
- A signed BAA with Google that covers your Google Cloud organization and the services you intend to use.
- Architecture restricts PHI to HIPAA-eligible services and regions you have approved for PHI processing and storage.
- Cloud Run services require authentication, limit ingress, and avoid writing PHI to logs, traces, or error messages.
- Strong Identity and Access Management (IAM) and Role-Based Access Control (RBAC) with least privilege and separation of duties.
- Encryption in transit and at rest, with Customer-Managed Encryption Keys (CMEK) where policy requires.
- Comprehensive audit trails, monitoring, alerting, and an exercised Incident Response Plan.
Step-by-Step Setup Checklist
- Confirm PHI data flows and classify data; limit PHI to the minimum necessary for each workload.
- Execute an organization-level BAA with Google; record covered services, projects, and permitted uses/disclosures.
- Create a dedicated organization/folder structure; separate production from dev/test to prevent PHI sprawl.
- Set organization policies: restrict resource locations, require uniform bucket-level access, and enforce CMEK where mandated.
- Harden container images (minimal base, non-root user, SBOM, vulnerability scanning) before deploying to Cloud Run.
- Store images in Artifact Registry; enable vulnerability scanning and limit who can read or deploy artifacts.
- Provision Cloud KMS key rings for CMEK; define key rotation, access approvals, and break-glass procedures.
- Manage configuration and secrets with an eligible secret store; remove plaintext secrets from code and environment variables.
- Create dedicated service accounts per service; assign only required IAM roles; avoid long-lived keys via Workload Identity.
- Deploy Cloud Run with authentication required and restricted ingress (for example, internal and load-balanced only).
- Use a Serverless VPC Access connector to route egress to private resources; control outbound traffic with firewall rules and Cloud NAT.
- Front public endpoints with HTTPS load balancing; enforce TLS 1.2+ and add web application firewall rules as needed.
- Select HIPAA-eligible data stores for PHI and enable CMEK and retention controls consistent with policy.
- Enable Admin Activity and Data Access audit logs; keep PHI out of application logs; use structured logging with redaction.
- Create log sinks to dedicated log buckets or analytics stores; protect them with IAM and CMEK.
- Define SLOs, health checks, and alerting; wire log-based metrics to on-call paging for security and availability events.
- Document access reviews, key ceremonies, change control, and deploy approvals; test restoration and disaster recovery.
- Run tabletop exercises for your Incident Response Plan; refine breach triage, containment, and notification playbooks.
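The deployment settings in the checklist above (restricted ingress, no unauthenticated invokers, a per-service service account, a VPC connector, CMEK, secrets from Secret Manager) can be verified against a running service, which also gives you the configuration-drift check discussed later under monitoring. The audit below is an added example, not code from this guide or from Google; the input shape follows the Knative-style JSON returned by `gcloud run services describe --format=json` and `gcloud run services get-iam-policy --format=json`, and the sample documents are constructed to fail every check.

```python
import re

# Constructed sample shaped like `gcloud run services describe --format=json`
# (Knative Service) and `gcloud run services get-iam-policy --format=json`.
SAMPLE_SERVICE = {
    "metadata": {"annotations": {"run.googleapis.com/ingress": "all"}},
    "spec": {"template": {"metadata": {"annotations": {}}, "spec": {
        "serviceAccountName": "123456-compute@developer.gserviceaccount.com",
        "containers": [{"env": [
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-token", "key": "latest"}}},
        ]}]}}},
}
SAMPLE_POLICY = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}

ALLOWED_INGRESS = {"internal", "internal-and-cloud-load-balancing"}
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)


def audit_service(service, iam_policy):
    """Return findings (strings) for settings that violate the checklist; [] passes."""
    findings = []
    ann = service["metadata"].get("annotations", {})
    tmpl = service["spec"]["template"]
    tmpl_ann = tmpl.get("metadata", {}).get("annotations", {})
    spec = tmpl["spec"]

    ingress = ann.get("run.googleapis.com/ingress", "all")  # "all" is the default
    if ingress not in ALLOWED_INGRESS:
        findings.append(f"ingress={ingress}: expected internal or load-balanced only")
    # --allow-unauthenticated shows up as roles/run.invoker granted to allUsers.
    for b in iam_policy.get("bindings", []):
        if b.get("role") == "roles/run.invoker":
            for m in b.get("members", []):
                if m in ("allUsers", "allAuthenticatedUsers"):
                    findings.append(f"invoker granted to {m}: authentication not required")
    sa = spec.get("serviceAccountName", "")
    if not sa or DEFAULT_SA.match(sa):
        findings.append("runs as default compute service account: create a per-service SA")
    if "run.googleapis.com/vpc-access-connector" not in tmpl_ann:
        findings.append("no Serverless VPC Access connector: egress is not private")
    if "run.googleapis.com/encryption-key" not in tmpl_ann:
        findings.append("no CMEK key on the revision template")
    for c in spec.get("containers", []):
        for env in c.get("env", []):  # secrets must be valueFrom, never a literal value
            if SECRET_NAME.search(env["name"]) and "value" in env:
                findings.append(f"env {env['name']} is a plaintext secret: move to Secret Manager")
    return findings
```

Run it from CI or a scheduled job over every PHI-scoped service and fail the pipeline on a non-empty result.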
Business Associate Agreement Requirements
The BAA defines responsibilities for handling PHI between you (a covered entity or business associate) and Google. It specifies which services are covered, permitted uses, safeguards, breach notification processes, and your obligations to configure and operate controls correctly.
To operationalize the BAA: scope which projects and services will store, process, or transmit PHI; restrict data to those services; document data locations; and ensure vendors, integrators, or subprocessors who touch PHI also have appropriate agreements. Keep an auditable record of approvals and periodic reviews.
Practical tips
- Centralize BAA records and map each Cloud Run service that processes PHI to a specific legal basis and data flow.
- Institute change-management so new dependencies (e.g., analytics, third-party add-ons) cannot receive PHI without review.
- Train engineering and support teams on PHI handling, redaction, and secure troubleshooting procedures.
Data Security Measures
Strong data security starts with minimizing PHI and isolating it. Use dedicated projects and networks for PHI workloads, and ensure only HIPAA-eligible components participate in PHI flows. Keep temporary data stores, caches, and queues within that boundary.
Application and runtime safeguards
- Input validation and output encoding to prevent injection; treat all inputs as untrusted.
- Never log PHI; implement redaction, sampling, and structured logs to keep sensitive fields out of audit trails.
- Use short-lived tokens for service-to-service calls; prefer OAuth/OIDC identity tokens over static keys.
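The "never log PHI" rule above only holds if redaction happens in the logging path itself rather than at each call site. The formatter below is an added example, not code from this guide; it drops PHI-named fields from structured context, scrubs PHI-looking patterns from free-text messages, and emits one JSON object per line, which Cloud Logging ingests as a structured jsonPayload. The field names, regexes, and the `ctx` extra key are constructed assumptions to adapt to your own schema.

```python
import json
import logging
import re

# Field names that must never reach logs (constructed list; extend for your schema).
PHI_FIELDS = {"ssn", "mrn", "dob", "patient_name", "email", "phone", "address"}
# Free-text patterns caught even when PHI leaks into a message string.
PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\bMRN[-:\s]*\d{6,}\b", re.I), "[MRN]"),
]


def scrub(text):
    """Replace PHI-looking substrings in free text with placeholders."""
    for pattern, label in PHI_PATTERNS:
        text = pattern.sub(label, text)
    return text


def redact_fields(obj):
    """Recursively replace PHI-named keys in dicts; scrub strings elsewhere."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in PHI_FIELDS else redact_fields(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_fields(v) for v in obj]
    return scrub(obj) if isinstance(obj, str) else obj


class PhiSafeJsonFormatter(logging.Formatter):
    """Emit one JSON object per line (Cloud Logging parses this as structured
    jsonPayload) with PHI removed from both the message and extra context."""
    def format(self, record):
        entry = {"severity": record.levelname, "message": scrub(record.getMessage())}
        extra = getattr(record, "ctx", None)  # pass context via extra={"ctx": {...}}
        if extra:
            entry.update(redact_fields(extra))
        return json.dumps(entry, sort_keys=True)


def render_event(message, ctx):
    """Format one event through the PHI-safe formatter and return the JSON line."""
    record = logging.LogRecord("phi-api", logging.INFO, __file__, 0, message, None, None)
    record.ctx = ctx
    return PhiSafeJsonFormatter().format(record)
```

Attach `PhiSafeJsonFormatter` to the handler writing to stdout on Cloud Run so every logger in the process is covered, and treat any placeholder appearing in logs as a defect to fix at the source.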
Secrets and configuration
- Store credentials in a managed secret service; grant access only to the Cloud Run service account.
- Automate rotation of database and API credentials; alert on failed rotations and excessive secret reads.
- Block container exec/shell in production; use secure CI/CD with policy checks and deployment approvals.
Access Control Implementation
Implement RBAC through IAM with least privilege and clear separation of duties. Distinguish administrative access to Cloud Run from runtime access to PHI within your application and data stores.
IAM and RBAC patterns
- Assign narrow roles (for example, invoker vs. admin) to service accounts and human identities; prefer groups over individuals.
- Use IAM Conditions to restrict access by environment, resource path, or time; require multi-factor authentication for admins.
- Adopt just-in-time elevation for sensitive roles; record approvals and create immutable audit trails.
Service-to-service and end-user access
- Require authentication on Cloud Run; use signed identity tokens for inter-service calls and enforce audience checks.
- Restrict ingress (internal and load-balanced) and pair with network controls to eliminate unintended exposure.
- Use context-aware access for workforce SSO and strong session policies; promptly revoke access for role changes.
Audit Logging Practices
HIPAA expects you to know who accessed PHI, when, and from where. Build layered audit trails that correlate admin changes, data access, and application events across Cloud Run and downstream services.
What to capture
- Admin Activity logs for configuration changes, deployments, and IAM policy updates.
- Data Access logs for read/write operations against PHI-bearing resources, plus application access events.
- Security events such as denied requests, authentication failures, and policy violations.
Retention, protection, and review
- Store logs in dedicated buckets with CMEK; restrict access to an audit role separate from admins and developers.
- Set retention per policy and legal guidance; implement immutability or holds for investigations.
- Create log-based metrics and scheduled reviews; alert on anomalies like mass exports or privilege changes.
Encryption Standards
Encrypt data in transit and at rest to reduce breach impact and meet HIPAA’s technical safeguard expectations. Use modern cipher suites, disable legacy protocols, and monitor for configuration drift.
In transit
- Terminate HTTPS with TLS 1.2+; enable HSTS on public endpoints; consider mutual TLS for sensitive internal calls.
- Use signed identity tokens over TLS for service-to-service authentication; validate audiences and issuers.
At rest and key management
- Rely on platform encryption for all storage; add CMEK where policy requires customer-held keys.
- Operate Cloud KMS with separation of duties; log key usage; rotate keys; define break-glass and key-recovery procedures.
- Prevent PHI caching on developer machines; encrypt backups and exports with the same standards as primaries.
Monitoring and Incident Response
Continuous monitoring closes the loop between controls and outcomes. Instrument Cloud Run services with metrics, traces, and structured logs, and connect them to on-call workflows with clear SLOs.
Operational monitoring
- Track latency, error rates, saturation, and throughput; alert on SLO breaches and dependency failures.
- Create security alerts for unusual authentication patterns, configuration drift, or spikes in denied requests.
- Run synthetic health checks and end-to-end data-path tests that exercise auth and authorization.
Incident Response Plan
- Define triage, containment, eradication, recovery, and post-incident steps; include PHI-specific playbooks.
- Pre-arrange roles (incident commander, comms, legal, privacy); maintain contact trees and notification templates.
- Practice with tabletop exercises; document lessons learned; update controls, runbooks, and training.
Conclusion
Cloud Run can support HIPAA-regulated workloads when you pair a signed BAA with disciplined architecture and operations. Enforce IAM and RBAC, keep PHI within eligible services, encrypt everywhere, maintain audit trails, and back it all with rigorous monitoring and an exercised Incident Response Plan.
FAQs
What conditions make Google Cloud Run HIPAA eligible?
Cloud Run is HIPAA eligible when you have a signed BAA with Google, process PHI only within HIPAA-eligible services, and implement required safeguards: authenticated ingress, least-privilege IAM and RBAC, encryption in transit and at rest, comprehensive audit trails, and active monitoring with an Incident Response Plan.
How do I sign a BAA with Google for Cloud Run?
Work with your organization’s Google Cloud account owner and legal team to execute a Google Cloud BAA that covers your org. The agreement should list covered services and outline safeguards, breach notifications, and your responsibilities. Once signed, restrict PHI handling to services and projects within that BAA’s scope.
What are the key steps in setting up HIPAA-compliant Cloud Run services?
Follow the setup checklist: map PHI data flows, sign the BAA, isolate PHI projects and networks, harden images, require authentication and restricted ingress, route egress through private paths, use managed secrets and CMEK, enable Admin and Data Access logs, create log sinks and alerts, define SLOs, and exercise your Incident Response Plan.
How is audit logging managed for HIPAA compliance in Cloud Run?
Enable Admin Activity and Data Access logs for Cloud Run and dependent services, use structured application logs without PHI, export logs to protected buckets or analytics stores with CMEK, enforce strict IAM on logs, set policy-based retention, and create log-based metrics and alerts to detect anomalous access or configuration changes.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.