Last modified: October 30, 2020

Looker Data Sciences Inc. (Looker) supports Health Insurance Portability and Accountability Act (HIPAA) compliance (within the scope of a Business Associate Agreement), but ultimately customers are responsible for evaluating their own HIPAA compliance, including when using the Looker Services.

Covered Services

The Google Cloud Business Associate Agreement (BAA) covers Looker’s Services and Professional Services (if any) under a Looker-hosted deployment as described in the applicable services agreement, except that the following are not covered by the Google Cloud Business Associate Agreement (the Excluded Services):

It is your responsibility (i) to configure the Looker software and manage access to PHI using the Services in such a way that complies with the BAA (including this implementation guide) and (ii) to manage the risk of using any Excluded Services in compliance with your obligations under HIPAA.

Customer General Responsibilities

You, as the customer, are responsible for ensuring that the environment and applications that you connect to the Services and that you rely on when using the Services are properly configured and secured according to HIPAA requirements. This is often referred to as the shared security model.

Your Security Responsibilities

The following are essential best practices for you to follow when using Looker Services with Protected Health Information (PHI):

Customer’s Database Security Controls

In order to use the Services, a customer must authorize the Services to access its databases. When granting that authorization, each customer shall follow the principle of least privilege: the database account used by the Services should be able to read only the data that Looker actually needs, and nothing more.
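The following is an added example of what a least-privilege database account for the Looker connection can look like; it is not part of this page or of Looker's own setup documentation. It assumes PostgreSQL syntax, a database named `clinical`, a curated reporting schema `analytics`, a raw schema that holds PHI and is never granted, and the role and table names shown, all of which are hypothetical. The weak setting is shown commented out beside the corrected one, and a final query lets you verify what the account can actually see before PHI is connected.

```sql
-- Added example (not from Looker's documentation): a least-privilege
-- PostgreSQL role for the Looker connection. Database, schema, table,
-- column and role names are hypothetical.

-- Weak setting: handing the BI tool a superuser or the owner account.
-- Every table in every schema, including raw PHI, becomes readable.
-- CREATE ROLE looker LOGIN SUPERUSER PASSWORD '...';   -- do not do this

-- Corrected: a dedicated login role with no elevated attributes and no
-- inherited privileges from other roles it might later be granted.
CREATE ROLE looker_ro LOGIN
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    PASSWORD 'replace-with-a-secret-from-your-secret-manager';

-- Limit blast radius of a compromised or misbehaving connection.
ALTER ROLE looker_ro SET statement_timeout = '300s';
ALTER ROLE looker_ro CONNECTION LIMIT 20;

-- Connect only to the one database that holds reporting data.
-- PUBLIC has CONNECT on new databases by default, so revoke it first.
REVOKE ALL ON DATABASE clinical FROM PUBLIC;
GRANT CONNECT ON DATABASE clinical TO looker_ro;

-- Read access to the curated reporting schema only. The raw schema that
-- holds full PHI records is deliberately never mentioned here.
GRANT USAGE ON SCHEMA analytics TO looker_ro;
GRANT SELECT ON analytics.encounters_deid, analytics.departments TO looker_ro;

-- Column-level grant for a table that mixes PHI with fields the
-- dashboards need: expose only the listed columns.
GRANT SELECT (visit_id, visit_date, department_id)
    ON analytics.visits TO looker_ro;

-- If derived tables are enabled, give the role a separate scratch schema
-- it owns, so temporary tables never land beside production data.
CREATE SCHEMA looker_scratch AUTHORIZATION looker_ro;

-- Verification: what can this role read? Run before connecting PHI and
-- again after any schema change. Anything outside analytics/looker_scratch
-- is a misconfiguration.
SELECT table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'looker_ro'
 ORDER BY table_schema, table_name;

SELECT table_schema, table_name, column_name
  FROM information_schema.column_privileges
 WHERE grantee = 'looker_ro'
   AND table_name = 'visits'
 ORDER BY column_name;
```

Grant individual tables rather than `ALL TABLES IN SCHEMA` where the schema is still growing; a blanket grant silently extends to any table a data engineer adds later, which is exactly the drift this principle is meant to prevent. Re-run the verification queries as part of change review for the reporting schema.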

When configuring database security controls, each customer will: