HIPAA Compliance with Looker Data Sciences Inc. Services
Last modified: March 18, 2021
Looker Data Sciences Inc. (Looker) supports Health Insurance Portability and
Accountability Act (HIPAA) compliance (within the scope of a Business Associate
Agreement) but ultimately customers are responsible for evaluating their own HIPAA
compliance, including when using the Looker Services.
Covered Services
The Business Associate Agreement (BAA) covers Looker's Services and Professional
Services (if any) under a Looker-hosted deployment as described in the applicable
services agreement to which the BAA is attached, except that the following are not
covered by the BAA (the Excluded Services):
- Any third party Services provided by an entity other than Looker or a Looker
Affiliate, including any Services provided by the third-party entities listed at
the following link: https://looker.com/trust-center/privacy/google-cma-subprocessors
- Any API Integration tool that is not secure
- Any Services that are not generally available such as beta features and
previews
It is your responsibility (i) to configure the Looker software and manage access
to PHI using the Services in such a way that complies with the BAA (including this
implementation guide) and (ii) to manage the risk of using any Excluded Services
in compliance with your obligations under HIPAA.
Customer General Responsibilities
You, as the customer, are responsible for ensuring that the environment and
applications that you connect to the Services and that you rely on when using the
Services are properly configured and secured according to HIPAA requirements. This
is often referred to as the shared security model.
Your Security Responsibilities
Essential best practices:
- Execute a BAA. You can request a BAA directly from your account manager.
- Disable or otherwise ensure that you do not use Services that are not covered
by the BAA when working with PHI. To ensure that Services not covered by the BAA
are deactivated, you must confirm that the Excluded Services are turned off.
- You are responsible for securing the following, and Looker takes no
responsibility for any breach that results from:
  - Your environment.
  - Your databases.
  - Your configuration of the Services, including limiting the users' ability
    to download a report that includes PHI.
  - Your configuration of access permissions and security controls for users
    and third parties you authorize to use the Looker Services.
Recommended technical best practices when configuring the Services
- Access Controls
  - Use the "access_filter" parameter in conjunction with user attributes to
    apply row, column, or field level data security by user or user group.
  - Limit administrator, developer, and SQL Runner access privileges.
  - Limit support access, or otherwise ensure that support teams cannot access
    your Instance.
- Sharing
  - Set up any API usage between Looker and your vendor in a secure way.
  - Do not share PHI via the Services, or instruct Looker to share PHI via the
    Services (including an API), with a third party unless a BAA is in place
    with the third party.
  - Manage use of the Services such that sharing PHI via email requires the
    recipient to click a link within the email message that redirects to a
    Looker instance, where the recipient must log in to the Services to view
    the PHI/content.
  - Do not allow PHI to be sent or attached via support chat.
  - Configure use of the Services to reduce the amount of time query results
    are cached, as these results may include PHI.
  - Restrict the permissions for creating public links.
  - Create and maintain logs when you permit a third party to use aggregated
    PHI.
- Secure Configuration
  - Implement industry-standard methods of authenticating users, such as
    two-factor authentication or SAML-based SSO with an identity provider (IdP),
    and to the extent users rely on SSO, restrict the "login_special_email"
    permission to a maximum of 2 users.
  - Apply data set security within the Looker model.
  - At least quarterly, perform an audit of all users, groups, permissions,
    roles, API keys, public links, and additional access controls, sharing, and
    security configuration.
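The access-filter recommendation above is the one place where the control is expressed in Looker's own modeling language, so the following is an added LookML example (written for this page; it is not code from Looker or from the original document) showing the two layers that recommendation refers to: row-level restriction with access_filter driven by a user attribute, and field-level restriction with access_grant and required_access_grants. The view, field and user-attribute names (patients, facility_id, ssn, phi_access) are hypothetical.

```lookml
# Added example, not from the original page. All view, field and
# user-attribute names below are hypothetical.

# Field-level control: only users whose "phi_access" user attribute equals
# "yes" can see or query fields that require this grant. Everyone else does
# not see the field in the field picker and cannot reference it in a query.
access_grant: can_see_phi {
  user_attribute: phi_access
  allowed_values: ["yes"]
}

view: patients {
  sql_table_name: clinical.patients ;;

  dimension: patient_id {
    primary_key: yes
    type: string
    sql: ${TABLE}.patient_id ;;
  }

  dimension: facility_id {
    type: string
    sql: ${TABLE}.facility_id ;;
  }

  # Direct identifier: gated behind the access grant defined above.
  dimension: ssn {
    type: string
    sql: ${TABLE}.ssn ;;
    required_access_grants: [can_see_phi]
  }

  measure: count {
    type: count
  }
}

explore: patients {
  # Row-level control: every query against this Explore gets a WHERE clause
  # restricting patients.facility_id to the value of the querying user's
  # "facility_id" user attribute (a single value or a Looker filter
  # expression such as a comma-separated list). A user with no value for
  # the attribute cannot query the Explore, which is the safe default.
  access_filter: {
    field: patients.facility_id
    user_attribute: facility_id
  }
}
```

Two checks go with this model. First, in Admin > User Attributes, create facility_id and phi_access with user access set to "None" or "View", never "Edit", otherwise a user can widen their own row filter. Second, both controls live in the model, so they are only as strong as the surrounding permissions the page tells you to limit: a user with SQL Runner access queries the database directly and bypasses the filter, and a developer can edit the LookML that defines it.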
Customer's Database Security Controls
In order to use the Services, you must authorize the Services to access your
databases. When granting authorization, each customer shall follow the principle
of least privilege with respect to its database information.
When configuring database security controls, you will:
- ensure that all connections to the database are encrypted in transit, and if
using an SSH tunnel connection, that a tunnel server is employed.
- allowlist external access so that only Looker-specific IP addresses are
permitted.
- configure the database access to ensure Looker does not have any write or
administrative access to the databases.
This is not the current version of this document and is provided for archival purposes. The current version is at /terms/looker/security/hipaa.