
Jun 15 2026
Security

How Business Associate Agreement Terms Apply to Google’s Generative AI

The HIPAA Security Rule outlines how a BAA defines permissible use of protected health information. These regulations are flexible enough to ensure AI tools don’t pose a security risk.

Business associate agreements (BAAs) between technology vendors and their payer, provider and clearinghouse partners establish how a business associate works with these HIPAA-regulated entities. The contract also spells out how a business associate can, and cannot, use an entity’s protected health information (PHI) in the course of its work.

As a frequent business associate of covered entities, Google is bound by the terms of the BAA for its Google Cloud Platform. “The BAA says Google is held to the same level of accountability that I am as a covered entity and healthcare provider when it comes to managing PHI,” says Spencer Cuffe, a chief architect at CDW who defined the company’s Google Cloud strategy. “It also says that anyone brought on to handle that information is held to the same accountability.”

As is the case with other enterprises, the terms of Google’s BAA apply to any products, services or features considered a “covered service” under the agreement. Increasingly, that includes the use of generative artificial intelligence (AI) tools.

