Google Forms offers security and privacy configurations that can be set up to comply with HIPAA regulations. Covered entities can set the access and visibility of folders and files, and grant sharing and editing capabilities to specific collaborators.
When configuring Google Forms, administrators should set the sharing permissions to manage data visibility and access. Administrators should also disable third-party applications that don’t meet HIPAA privacy standards. Compliance depends on how the software is used, so administrators should adjust privacy settings properly both before and while using Google Forms to collect and manage patient information. Other possible HIPAA safeguards include encryption to protect sensitive information, user authentication, and audit controls that track information access.
If a covered entity uses Google Forms to collect protected health information (PHI), it must have a business associate agreement (BAA) in place before collecting PHI through this tool. Google may offer a signed BAA that covers Google Forms as well as other Google Workspace services such as Gmail, Docs, Sheets, Calendar, and Slides.