Last modified: October 30, 2020
Looker Data Sciences Inc. (Looker) supports Health Insurance Portability and Accountability Act (HIPAA) compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance, including when using the Looker Services.
The Google Cloud Business Associate Agreement (BAA) covers Looker’s Services and Professional Services (if any) under a Looker-hosted deployment as described in the applicable services agreement, except that the following are not covered by the Google Cloud Business Associate Agreement (the Excluded Services):
- Any email notification service
- Any support services provided via chat (within the application or otherwise)
- Any service that personalizes messages
- Any data integration or ETL tool
- Any API Integration tool that is not secure
- Any Unaffiliated Infrastructure Provider or other third party hosting provider
- Any Services that are not generally available such as beta features and previews
- Any Services provided by the third party entities listed at the following link: https://looker.com/trust-center/privacy/google-cma-subprocessors
It is your responsibility (i) to configure the Looker software and manage access to PHI using the Services in such a way that complies with the BAA (including this implementation guide) and (ii) to manage the risk of using any Excluded Services in compliance with your obligations under HIPAA.
Customer General Responsibilities
You, as the customer, are responsible for ensuring that the environment and applications that you connect to the Services and that you rely on when using the Services are properly configured and secured according to HIPAA requirements. This is often referred to as the shared security model.
Your Security Responsibilities
The following are essential best practices for you to follow when using Looker Services with Protected Health Information (PHI):
- Execute a Google Cloud BAA. You can request a BAA directly from your account manager.
- Disable, or otherwise ensure that you do not use, Services that are not covered by the BAA when working with PHI. To ensure that Services not covered by the BAA are deactivated, confirm that each of the Excluded Services is turned off.
You are responsible for securing, and Looker takes no responsibility for any breach that results from, the following:
- Your environment.
- Your databases.
- Your configuration of the Services, including limiting the users’ ability to download a report that includes PHI.
- Your configuration of access permissions and security controls for users and third parties you engage to use the Looker Services. For example, you must deauthorize personnel who no longer need access to the Services in a timely manner.
When configuring the Services, you will:
- use the “access filter” parameter in conjunction with user attributes to apply row, column, or field level data security by user or user group.
- limit administrator, developer, and SQL Runner access privileges.
- log access to PHI by individuals who use authentication protocols to view the contents of your Looker instance, including access provided to Looker’s support team.
- set up any API usage between Looker and your vendor in a secure way.
- not share PHI via the Services, or instruct Looker to share PHI via the Services (including the API), with a third party unless a BAA is in place with that third party.
- manage use of the Services such that sharing PHI via email requires the recipient to click a link in the email message that redirects to a Looker instance, where the recipient must log into the Services to view the PHI/content.
- not allow PHI to be sent or attached via support chat.
- restrict the permission to create public links.
- create and maintain logs when you permit a third party to use aggregated PHI.
- implement industry-standard methods of authenticating users, such as two-factor authentication or a SAML-supported SSO IdP, and, to the extent you use SSO, restrict the “login_special_email” permission to a maximum of 2 users.
- apply data set security within the Looker model.
- at least quarterly, perform an audit of all users, groups, permissions, roles, API keys, public links, and additional access controls, sharing, and security configuration.
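As an added illustration of the access filter and user-attribute controls listed above (this LookML is not from the original guide or from Looker’s own documentation), the model below restricts an explore to the rows matching each user’s facility and gates a direct identifier behind an access grant; the explore, view, field, table and user attribute names are hypothetical. It goes slightly beyond the single parameter the guide names: “access_filter” enforces row-level restriction, while field-level restriction uses “access_grant” together with “required_access_grants”.

```lookml
# Row-level security: every query against this explore is filtered to the
# facility IDs held in the querying user's "facility_id" user attribute.
# (Hypothetical model; all names are placeholders.)
explore: encounters {
  access_filter: {
    field: encounters.facility_id
    user_attribute: facility_id
  }
}

# Field-level security: only users whose "phi_access" user attribute is
# set to "granted" can see or query fields that require this grant.
access_grant: can_view_phi {
  user_attribute: phi_access
  allowed_values: ["granted"]
}

view: encounters {
  # Placeholder table name.
  sql_table_name: clinical.encounters ;;

  dimension: facility_id {
    type: number
    sql: ${TABLE}.facility_id ;;
  }

  # Direct identifier: invisible to users without the grant above.
  dimension: patient_mrn {
    type: string
    sql: ${TABLE}.patient_mrn ;;
    required_access_grants: [can_view_phi]
  }

  # Aggregate measure available to every user who passes the row filter.
  measure: encounter_count {
    type: count
  }
}
```

A user who has no value assigned for the facility_id attribute cannot query the explore at all, which is the safe default when the underlying rows contain PHI.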
Customer’s Database Security Controls
In order to use the Services, a customer must authorize the Services to access its databases. When granting authorization, each customer shall follow the principle of granting the least privilege to its database information.
When configuring database security controls, each customer will:
- ensure that all connections to the database are encrypted in transit and, if using an SSH tunnel connection, that a tunnel server is employed.
- allowlist external access to permit only Looker-specific IP addresses.
- configure database access to ensure Looker does not have any write or administrative access to the Covered Entity’s databases.