Firestore and HIPAA compliance

[Colin McDonnell]

Hi all,

I see that Cloud Firestore is now part of the standard Google Cloud BAA: https://cloud.google.com/security/compliance/hipaa-compliance/. This is excellent news!

But it doesn't look like any other Firebase services are covered. So practically speaking, can we use Firestore if Firebase Auth isn't also covered? Would be just do all database reads/writes from an admin account and handle authorization/authentication separately, as with a transitional backend?

Colin

[Kato Richardson]

Hi Colin,

Several products are covered. Compliances are covered here: https://firebase.google.com/support/privacy/

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/fad3d580-3c2c-45d6-a358-56ea090e49e4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Kato Richardson |

Developer Programs Eng |

kato...@google.com |

775-235-8398

[Colin McDonnell]

Hi Kato,

Thanks for the link. I'm a little concerned though since that page doesn't mention HIPAA at all. On the official list of services covered by the BAA, only Firestore is listed. I signed a standard BAA a couple months ago. You're confident Firebase Auth is covered under it? If so that's amazing.

Colin

[Kato Richardson]

Hi Colin,

I see Cloud Functions, Cloud Firestore, and Cloud Storage. I don't see Auth on that list unfortunately.

☼, Kato

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/876b2d62-dd48-452f-a223-9e719811bbfa%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Luke Pighetti]

Is there any way for Google to write up a basic HIPAA with Firebase FAQ? We can see that Cloud Functions, Cloud Firestore, and Cloud Storage are HIPAA, but it becomes unclear if that means Firebase cannot be used because Auth/FCM/etc is not HIPAA. I am not sure if Auth/FCM need to be HIPAA or not because they aren't really transmitting or storing data from the patient to a health care provider.

To unsubscribe from this group and stop receiving emails from it, send an email to fireba...@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/876b2d62-dd48-452f-a223-9e719811bbfa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Kato Richardson]

Hi Luke,

(Some context for others who find this thread: our FAQ on privacy and compliances is here: https://firebase.google.com/support/privacy/. You'll note that HIPAA isn't mentioned there, since Firebase doesn't support HIPAA compliant apps for any of our non-GCP products. The GCP supported products that support compliance are listed here: https://cloud.google.com/security/compliancehipaa/)

The safest and probably best answer here is that if we don't list a product as supporting HIPAA compliance then you probably shouldn't use it. All GCP projects that support HIPAA according to the Cloud terms are safe to use, even in Firebase. Keep in mind that you may need to opt out of Analytics if you find it's not meeting your compliance requirements.

Determining compliance is a tricky business and very specific to your app, business, and locale. This is true even for the GCP products that support HIPAA. Note that supporting is not the same as providing compliance. A lot here depends on what you store, how you store it, and how you share it between devices. You should run any plan to use Firebase past your legal advisors.

☼, Kato

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/bbc976a5-4eff-4bfb-9300-cac3f9f40df0%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Jeremy Whiteley]

I would assume Firebase Auth is HIPAA compliant since it’s part of Firestore.

[Kato Richardson]

Firebase Auth would be covered here:  https://cloud.google.com/security/compliancehipaa/

It's not part of Firestore. Those are separate products.

On Wed, May 22, 2019 at 7:54 AM Jeremy Whiteley <jeremy....@gmail.com> wrote:

I would assume Firebase Auth is HIPAA compliant since it’s part of Firestore.   

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/8510a778-9a7f-4b9f-a559-d2dd3e288811%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Jeremy Whiteley]

How would someone use Firestore in a healthcare solution then? This is really disappointing, but thank you for the clarification.

[John Rodkey]

Cloud Firestore is covered under the HIPAA compliance 

https://cloud.google.com/security/compliance/hipaa/

On Wed, May 22, 2019 at 12:41 PM Jeremy Whiteley <jer...@medtexter.com> wrote:

How would someone use Firestore in a healthcare solution then?  This is really disappointing, but thank you for the clarification. 

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/9c620c1c-23dc-4fd1-80ea-71c3b60684de%40googlegroups.com.

[Jeremy Whiteley]

Yes, John Firestore is covered by HIPAA, but they are saying Firebase Auth is not covered by HIPAA.

[Len Boyette]

IANAL, but two potential ways:

1. Use Firestore in Datastore mode. It has several tradeoffs because it's effectively a different product.
2. Prevent all reads/writes via rules. Use Google IAM or a HIPAA-compliant identity provider like Okta (note: I'm an Okta alum) to handle authentication. Proxy all requests through a server or a Cloud Function (not Cloud Functions for Firebase) to validate the auth token and access Firestore via the admin sdk.

Either way, you'll lose realtime reads and a lot of Firestore's convenience.

[Hajji Daoud]

To avoid this mess, I simply encrypt all patient information and decrypt it on the device. Question, where does one sign a BAA

[Jeremy Whiteley]

That isn't going to meet HIPAA.   The AUTH part is the issue.   You need to contact your Account Manger to sign a BAA.   

Google came out with a fix for HIPAA issues.   You can now use Google Identity Platform instead of Firebase AUTH.  It does cost some money, but it's very inexpensive    https://cloud.google.com/identity-platform/

[jo...@nowims.com]

I wanted to circle back on this. You can use Google Cloud Identity to be compliant with HIPAA.  And, Cloud Identity works with the Firebase Auth SDK.

[santh...@gmail.com]

From going through the quick start tutorial here https://cloud.google.com/identity-platform/docs/quickstart-email-password

It looks to be the case. As long as you are using Google Cloud Identify api key and authDomain, where users are stored, then it's covered under BAA. Let me know if I'm understanding this correctly.