Firestore and HIPAA compliance


Colin McDonnell
Mar 4, 2019, 12:26:22 AM
to Firebase Google Group
Hi all,

I see that Cloud Firestore is now part of the standard Google Cloud BAA: https://cloud.google.com/security/compliance/hipaa-compliance/. This is excellent news!

But it doesn't look like any other Firebase services are covered. So practically speaking, can we use Firestore if Firebase Auth isn't also covered? Would we just do all database reads/writes from an admin account and handle authorization/authentication separately, as with a traditional backend?

Colin

Kato Richardson
Mar 4, 2019, 10:06:02 AM
to Firebase Google Group
Hi Colin,

Several products are covered. Compliances are covered here: https://firebase.google.com/support/privacy/

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/fad3d580-3c2c-45d6-a358-56ea090e49e4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Colin McDonnell
Mar 4, 2019, 11:00:09 PM
to Firebase Google Group
Hi Kato,

Thanks for the link. I'm a little concerned though since that page doesn't mention HIPAA at all. On the official list of services covered by the BAA, only Firestore is listed. I signed a standard BAA a couple months ago. You're confident Firebase Auth is covered under it? If so that's amazing.

Colin

Kato Richardson
Mar 5, 2019, 10:23:31 AM
to Firebase Google Group
Hi Colin,

I see Cloud Functions, Cloud Firestore, and Cloud Storage. I don't see Auth on that list unfortunately.

☼, Kato


Luke Pighetti
May 2, 2019, 12:36:58 PM
to Firebase Google Group
Is there any way for Google to write up a basic HIPAA with Firebase FAQ? We can see that Cloud Functions, Cloud Firestore, and Cloud Storage are HIPAA, but it becomes unclear if that means Firebase cannot be used because Auth/FCM/etc is not HIPAA. I am not sure if Auth/FCM need to be HIPAA or not because they aren't really transmitting or storing data from the patient to a health care provider.

Kato Richardson
May 6, 2019, 4:59:30 PM
to Firebase Google Group
Hi Luke,

(Some context for others who find this thread: our FAQ on privacy and compliances is here: https://firebase.google.com/support/privacy/. You'll note that HIPAA isn't mentioned there, since Firebase doesn't support HIPAA compliant apps for any of our non-GCP products. The GCP supported products that support compliance are listed here: https://cloud.google.com/security/compliancehipaa/)

The safest and probably best answer here is that if we don't list a product as supporting HIPAA compliance then you probably shouldn't use it. All GCP projects that support HIPAA according to the Cloud terms are safe to use, even in Firebase. Keep in mind that you may need to opt out of Analytics if you find it's not meeting your compliance requirements.

Determining compliance is a tricky business and very specific to your app, business, and locale. This is true even for the GCP products that support HIPAA. Note that supporting is not the same as providing compliance. A lot here depends on what you store, how you store it, and how you share it between devices. You should run any plan to use Firebase past your legal advisors.

☼, Kato


Jeremy Whiteley
May 22, 2019, 10:54:11 AM
to Firebase Google Group
I would assume Firebase Auth is HIPAA compliant since it’s part of Firestore.

Kato Richardson
May 22, 2019, 11:40:40 AM
to Firebase Google Group
Firebase Auth would be covered here: https://cloud.google.com/security/compliancehipaa/

It's not part of Firestore. Those are separate products.

On Wed, May 22, 2019 at 7:54 AM Jeremy Whiteley <jeremy....@gmail.com> wrote:
I would assume Firebase Auth is HIPAA compliant since it's part of Firestore.


Jeremy Whiteley
May 22, 2019, 1:42:00 PM
to Firebase Google Group
How would someone use Firestore in a healthcare solution then? This is really disappointing, but thank you for the clarification.

John Rodkey
May 22, 2019, 1:45:49 PM
to fireba...@googlegroups.com
Cloud Firestore is covered under the HIPAA compliance.

On Wed, May 22, 2019 at 12:41 PM Jeremy Whiteley <jer...@medtexter.com> wrote:
How would someone use Firestore in a healthcare solution then? This is really disappointing, but thank you for the clarification.


Jeremy Whiteley
May 22, 2019, 11:05:17 PM
to Firebase Google Group
Yes, John, Firestore is covered by HIPAA, but they are saying Firebase Auth is not covered by HIPAA.

Len Boyette
Jun 13, 2019, 10:57:41 AM
to Firebase Google Group
IANAL, but two potential ways:
  1. Use Firestore in Datastore mode. It has several tradeoffs because it's effectively a different product.
  2. Prevent all reads/writes via rules. Use Google IAM or a HIPAA-compliant identity provider like Okta (note: I'm an Okta alum) to handle authentication. Proxy all requests through a server or a Cloud Function (not Cloud Functions for Firebase) to validate the auth token and access Firestore via the Admin SDK.
Either way, you'll lose realtime reads and a lot of Firestore's convenience.
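
The proxy shape from option 2 above, as an added example that is not code from the thread or from Firebase: a hypothetical `readPatientRecord` handler for an Express-style `req` object, with the identity provider's token verifier and the Admin SDK Firestore client injected as `verifyIdToken` and `db` (the in-memory stand-ins at the bottom are constructed so it runs offline).

```javascript
// Added example (not code from the thread): option 2 above as a request
// handler. Firestore rules deny every client read/write, so PHI is only
// reachable through a server or Cloud Function that verifies the external
// IdP's token and uses the Admin SDK. `verifyIdToken` and `db` are injected;
// in production they would be the IdP's JWT verifier and firebase-admin's
// Firestore client. The in-memory versions at the bottom are constructed
// stand-ins so this file runs offline.

// Firestore security rules to deploy next to the proxy (rules syntax).
const DENY_ALL_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} { allow read, write: if false; }
  }
}`;

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Pull the bearer token out of the Authorization header or reject with 401.
function bearerToken(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers['authorization'] || '');
  if (!m) throw new HttpError(401, 'missing bearer token');
  return m[1];
}

// Verify the caller, then enforce authorisation in application code (the
// caller's subject must be on the record's care team) before any PHI is
// returned. Firestore never sees the end user's credentials.
async function readPatientRecord({ verifyIdToken, db }, req) {
  const claims = await verifyIdToken(bearerToken(req.headers)); // rejects bad tokens
  const doc = await db.collection('patients').doc(req.params.patientId).get();
  if (!doc.exists) throw new HttpError(404, 'no such patient');
  const record = doc.data();
  if (!record.careTeam.includes(claims.sub)) throw new HttpError(403, 'not on care team');
  return { patientId: doc.id, ...record };
}

// --- constructed stand-ins for the IdP verifier and the Admin SDK client ---
const TOKENS = { 'tok-dr-lee': { sub: 'dr-lee' }, 'tok-visitor': { sub: 'visitor' } };
const fakeVerify = async (t) => {
  if (!TOKENS[t]) throw new HttpError(401, 'invalid token');
  return TOKENS[t];
};
const PATIENTS = { p1: { name: 'A. Patient', careTeam: ['dr-lee'] } };
const fakeDb = { collection: () => ({ doc: (id) => ({
  get: async () => ({ id, exists: id in PATIENTS, data: () => PATIENTS[id] }) }) }) };
const deps = { verifyIdToken: fakeVerify, db: fakeDb };
```

The handler maps every failure to an HTTP status before any record is read, so a missing or forged token never reaches Firestore and a valid token without a care-team relationship gets a 403 rather than the document.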

Hajji Daoud
Jun 17, 2019, 9:47:54 PM
to Firebase Google Group
To avoid this mess, I simply encrypt all patient information and decrypt it on the device. Question: where does one sign a BAA?

Jeremy Whiteley
Jun 21, 2019, 7:17:41 PM
to Firebase Google Group
That isn't going to meet HIPAA. The AUTH part is the issue. You need to contact your Account Manager to sign a BAA.

Google came out with a fix for HIPAA issues. You can now use Google Identity Platform instead of Firebase AUTH. It does cost some money, but it's very inexpensive: https://cloud.google.com/identity-platform/

jo...@nowims.com
Sep 18, 2020, 11:31:16 AM
to Firebase Google Group
I wanted to circle back on this. You can use Google Cloud Identity to be compliant with HIPAA. And, Cloud Identity works with the Firebase Auth SDK.

santh...@gmail.com
Feb 19, 2021, 5:36:47 AM
to Firebase Google Group
From going through the quick start tutorial here: https://cloud.google.com/identity-platform/docs/quickstart-email-password

It looks to be the case. As long as you are using the Google Cloud Identity API key and authDomain, where users are stored, then it's covered under the BAA. Let me know if I'm understanding this correctly.
