Last modified: February 16, 2021

Previous Versions

Looker Data Sciences Inc. (Looker) supports Health Insurance Portability and Accountability Act (HIPAA) compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance, including when using the Looker Services.

Covered Services

The Business Associate Agreement (BAA) covers Looker’s Services and Professional Services (if any) under a Looker-hosted deployment as described in the applicable services agreement to which the BAA is attached, except that the following are not covered by the BAA (the Excluded Services):

It is your responsibility (i) to configure the Looker software and manage access to PHI using the Services in such a way that complies with the BAA (including this implementation guide) and (ii) to manage the risk of using any Excluded Services in compliance with your obligations under HIPAA.

Customer General Responsibilities

You, as the customer, are responsible for ensuring that the environment and applications that you connect to the Services and that you rely on when using the Services are properly configured and secured according to HIPAA requirements. This is often referred to as the shared security model.

Your Security Responsibilities

Essential best practices:

Recommended technical best practices when configuring the Services

Customer’s Database Security Controls

In order to use the Services, a customer must authorize the Services to access its databases. When granting authorization, each customer shall follow the principle of granting the least privilege to its database information.

When configuring database security controls, each customer will:

Previous Versions

Oct 2020