Creating a HIPAA Compliant GSuite Accessible Only App -- Billing, HIPAA, & Access Questions


Anna Nevison

Apr 11, 2019, 4:32:37 PM
to Google App Engine
Hi everyone, 

Thanks to some friendly individuals on the App Maker forum.. I believe I have found the right place to post this now lol.


A bit of background: I created an app for an organization that I initially thought would only run locally, and I used the Firebase API to input information from it into a database. The organization now wants me to move the app to Google Cloud so members of their G Suite can use it, and they need the database changed to a SQL one so it can be HIPAA compliant (I did not realize the app would be storing what was considered sensitive patient info when I first coded it, and Firebase is not HIPAA compliant).

I am a bit over my head here because I have never created a HIPAA compliant Google App that would be, theoretically, only accessible by members of the organization's GSuite... and I am finding that the documentation on how to do so is super confusing..  So I have a few questions that I would be really grateful if any developer who has been hired in as a temporary contractor for an org to create a Google App could answer... or anyone who has developed a Google App that was HIPAA compliant.. or anyone who has developed an app that was only accessible to members of a GSuite..  

For those who have developed apps for organizations as temporary contractors.. What do I need to know about transferring the app to the admin owner once the project is completed? They have added me to their suite, but I will be removed once I am done with the project.. Is it easy to transfer the admin rights of an app so I can be off boarded from the suite and they can still have the app running? Additionally, regarding setting up billing, I am wondering what is the best way to set up the app's cloud SQL instance in the Google App engine. After reading the docs about this, I had the admin for the organization set up a default Cloud SQL instance. However, when I go into my project console under the cloud SQL it says, "You do not have the required permissions to create a Cloud SQL instance. Contact a project administrator to change these settings." I am the project admin so I am assuming this has to do with the little prompt at the top that is telling me to set up billing... Should I be inputting my own billing information? Or should I have the organization do it? And if the latter, how do I have them do that? I know I receive a $300 credit so I am not worried about being billed.. but they are going to eventually have to pay for the database (and they are willing to do so) because it will be making quite a few calls so that credit may not last long.. 

Okay, this one is the one I am most worried about.. HIPAA compliance... I am not even sure how to start tackling that.. I have done quite a bit of research on it and I still do not have clear understanding of what needs to be there and how exactly I should put it there.. Has anyone developed a HIPAA compliant app? If so, I would really appreciate any guidance you could offer me. 

Next is creating a GSuite accessible only app.. I have only ever made public apps so I am not sure how to configure settings so that nobody can find the app unless they are a member of the suite. 

Lastly, is there a way for me to deploy my app locally with the Cloud SQL database after it is set up so I can test to see if it is working? I tried deploying my first Firebase version of the app on Google App Engine and it worked fine.. but I wasn't able to figure out how to edit my source code once it was deployed.. I ended up just deleting the projects and creating new ones every time I went to test a different version. I know that's probably the absolute wrong thing to do, but I am really new to Google App Engine.. I created a local Postgres SQL database just so I could start adjusting the syntax that I had for the Firebase portion of the code.. but it would be nice if I could test it on the actual database that the app will call to. 

Thank you so much in advance for any help you guys can offer me! 

Khaled Wagdy

Apr 11, 2019, 5:13:21 PM
to Google App Engine
Hi Anna,

That's quite interesting! On the bright side, congrats on making an app that eventually became the focus of the company, good job on that!

I have some experience with G Suite and with Google App Engine development using Python. I have mainly used Google Datastore (which should soon be automatically migrated to Firebase in Datastore mode). Let me try to address some of the points you mentioned..
  1. What do I need to know about transferring the app to the admin owner once the project is completed? They have added me to their suite, but I will be removed once I am done with the project
    I would rather have them create a project admin generic account rather than an individual account, and use that to create the project. This way they can use the same account after you are done; they would just need to reset its password. Or if you want to keep the current setup, you can transfer project ownership to another account after you are done. Another option is also to add another user as "owner" to the project from IAM here, more about roles here https://cloud.google.com/iam/docs/understanding-roles
  2. When I go into my project console under the cloud SQL it says, "You do not have the required permissions to create a Cloud SQL instance. Contact a project administrator to change these settings." I am the project admin so I am assuming this has to do with the little prompt at the top that is telling me to set up billing..
    You are probably right; as you are creating an instance that is billed, you probably need to enable and set up billing first.
  3. Should I be inputting my own billing information? Or should I have the organization do it? And if the latter, how do I have them do that?
    No! Please do not do that. You are right about your concerns about being billed on your credit card, and that later it may not be sufficient for an entire organization's consumption of the app. Aside from that, you probably don't need the headache of being billed and then trying to invoice the organization for the paid bills! Ask them politely to add their credit card information in the project billing section https://console.cloud.google.com/billing/ (you may need to choose the project). Again, I would set up another owner account for the organization to be able to manage all that stuff.
  4. Has anyone developed a HIPAA compliant app? If so, I would really appreciate any guidance you could offer me.
    I haven't really, but I see this documentation here https://cloud.google.com/security/compliance/hipaa/ which has a "Recommended technical best practices" section that may be worth going through as a checklist.
  5. creating a GSuite accessible only app.. I have only ever made public apps so I am not sure how to configure settings so that nobody can find the app unless they are a member of the suite.
    I am not sure how you are currently managing authentication in your app, but I believe G Suite authentication for a specific domain is done from App Engine settings; check this Stack Overflow question too.
  6. I tried deploying my first firebase version of the app on Google App engine and it worked fine.. but I wasn't able to figure out how to edit my source code once it was deployed.. I ended up just deleting the projects and creating new ones every time I went to test a different version. I know that's probably the absolute wrong thing to do, but I am really new to Google App engine
    No no no! You don't edit your code on GCP; you edit locally and then deploy. When you deploy to App Engine you have full control! You can simply deploy using a gcloud command from the terminal. Every time you deploy your code, a new version is created on the GCP project and traffic is migrated to this new version. You can even access old versions, or have two or more versions alive at the same time, and you can choose to split traffic between those two or more versions! See... Deploying to App Engine, Splitting traffic,
I hope this helps you a bit, all the best,
Khaled
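
On the G Suite-only access question in this thread, an added example (not code from either poster or from Google): an application-side check that a signed-in user belongs to the organization's domain, using the `hd` (hosted domain) claim of a Google ID token rather than the email suffix. It assumes the token's signature was already verified by an OAuth library; the domain `clinic.example`, the client ID and the sample claims are constructed placeholders.

```python
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
ALLOWED_DOMAIN = "clinic.example"  # placeholder organization domain
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder


class AccessDenied(Exception):
    """The claims do not prove membership of the allowed domain."""


def require_domain_member(claims, now=None):
    """Return the user's email, or raise AccessDenied.

    `claims` is the payload of a Google ID token whose signature was
    already verified upstream (assumption; not done here).
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise AccessDenied("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise AccessDenied("token was issued to a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AccessDenied("token expired or missing exp")
    # Google sets `hd` only for accounts managed by a hosted domain.
    # Match it exactly; an email suffix alone is not proof of membership.
    if str(claims.get("hd") or "").lower() != ALLOWED_DOMAIN:
        raise AccessDenied("account is not in the organization's domain")
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise AccessDenied("no verified email")
    return email


def is_allowed(claims, now=None):
    """Boolean wrapper for use in a request handler or middleware."""
    try:
        require_domain_member(claims, now)
        return True
    except AccessDenied:
        return False


# Constructed sample claims (not real tokens); NOW is a fixed test clock.
NOW = 1_555_000_000
BASE = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
        "exp": NOW + 600, "email_verified": True}
MEMBER = dict(BASE, email="nurse@clinic.example", hd="clinic.example")
CONSUMER = dict(BASE, email="someone@gmail.com")  # consumer account: no hd
OTHER_ORG = dict(BASE, email="dev@other.example", hd="other.example")
EXPIRED = dict(MEMBER, exp=NOW - 1)
```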