G Suite HIPAA Business Associate Amendment
This HIPAA Business Associate Amendment (“HIPAA BAA”) is made and entered into by and between Google Inc. and Customer effective as of the date electronically accepted by Customer and amends the Agreement for the purpose of implementing the requirements of HIPAA to support the parties’ compliance requirements thereunder. The “Agreement” refers to the G Suite, G Suite for Education, or G Suite for Government Agreement entered into between the parties pursuant to which Google Inc. provides Services to Customer. Customer must have an existing Agreement in place for this HIPAA BAA to be valid and effective. Together with the Agreement, this HIPAA BAA will govern each party’s respective obligations regarding Protected Health Information (defined below).
You represent and warrant that: (i) you have full legal authority to bind Customer to this HIPAA BAA, (ii) you have read and understand this HIPAA BAA, and (iii) you agree, on behalf of Customer, to the terms of this HIPAA BAA. If you do not have legal authority to bind Customer, or do not agree to these terms, please do not sign or accept the terms of this HIPAA BAA.
The parties agree as follows:
Definitions
- “Google” means Google Inc. and its affiliates that provide the Services.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended (including with respect to the HITECH Act).
- “HIPAA Implementation Guide” means the informational guide that Google makes available describing how Customer can configure and use the Services to support HIPAA compliance. The HIPAA Implementation Guide is available for review at the following URL: https://gsuite.google.com/terms/2015/1/hipaa_implementation_guide.pdf (as the content at that URL, or such other URL as Google may provide, may be updated by Google from time to time).
- “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
- “Included Functionality” means functionality within the Services as described at the following URL: https://gsuite.google.com/terms/2015/1/hipaa_functionality.html (as the content at that URL, or such other URL as Google may provide, may be updated by Google from time to time).
- “Protected Health Information” or “PHI” will have the meaning given to it under HIPAA if provided to Google as Customer Data in connection with Customer’s permitted use of Included Functionality.
- “Security Rule” means 45 C.F.R., Part 164, Subpart C, under HIPAA.
- “Services” means the G Suite Core Services as defined under the applicable Agreement.
Applicability
- Parties. This HIPAA BAA applies to the extent Customer is acting as a Covered Entity or Business Associate, to create, receive, maintain or transmit PHI via the Included Functionality and where Google, as a result, is deemed under HIPAA to be acting as a Business Associate of Customer.
- Services Scope. As of the effective date of this Amendment, this Amendment is applicable only to the Included Functionality. Google may expand the scope of Included Functionality. If Google expands the scope of Included Functionality then this HIPAA BAA will automatically apply to such additional new functionality and features as of the date the Included Functionality description is updated, or the date Google has otherwise provided written communication regarding an update to the scope of Included Functionality to Customer’s Notification Email Address (whichever date is earlier).
Permitted Use and Disclosure
- By Google. Google may use and disclose PHI only as permitted under HIPAA as specified in the Agreement and under this HIPAA BAA. Google may also use and disclose PHI for the proper management and administration of Google’s business and to carry out the legal responsibilities of Google, provided that any disclosure of PHI for such purpose may only occur if (1) required by applicable law; or (2) Google obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Google will be notified of any Breach.
- By Customer. Customer will not request Google or the Services to use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity itself (unless otherwise expressly permitted under HIPAA for a Business Associate). In connection with Customer’s management and administration of the Services to End Users, Customer is responsible for using the available controls within the Services to support its HIPAA compliance requirements, including reviewing the HIPAA Implementation Guide and enforcing appropriate controls to support Customer’s HIPAA compliance. Customer will not use the Services to create, receive, maintain or transmit PHI to other Google services outside of the Included Functionality, except where Google has expressly entered into a separate HIPAA business associate agreement for use of such Google services. If Customer uses Included Functionality in connection with PHI, Customer will use controls available within the Services to ensure: (i) all other Google products not part of the Services are disabled for all End Users who use Included Functionality in connection with PHI (except those services where Customer and Google already have an appropriate HIPAA business associate agreement in place); and (ii) it takes appropriate measures to limit its use of PHI in the Services to the minimum extent necessary for Customer to carry out its authorized use of such PHI. Customer agrees that Google has no obligation to protect PHI under this HIPAA BAA to the extent Customer creates, receives, maintains, or transmits such PHI outside of the Included Functionality (including Customer’s use of its offline or on-premise storage tools or third party applications).