How to Achieve HIPAA Compliance in BigQuery

How do I make BigQuery HIPAA compliant?

HIPAA compliance in BigQuery means configuring storage, access, and auditing so Protected Health Information (PHI) is stored, processed, and transmitted according to U.S. healthcare regulations.

Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)

Oops! Something went wrong while submitting the form.

Description

Example H2

Example H3

What does HIPAA compliance mean in BigQuery?

HIPAA compliance in BigQuery requires a signed Business Associate Agreement (BAA), encryption at rest and in transit, strict Identity and Access Management (IAM), detailed audit logging, and controls to limit PHI exposure such as column-level and row-level security.

How do I enable HIPAA compliance quickly?

First, execute a BAA with Google Cloud. Next, enforce Customer-Managed Encryption Keys (CMEK) for every dataset, restrict service accounts, and turn on Cloud Audit Logs for BigQuery. Finally, apply least-privilege IAM roles and automatic data loss prevention (DLP) scans.

Which BigQuery settings are mandatory for HIPAA?

Mandatory settings include CMEK, VPC-Service Controls, complete logging (Admin Activity, Data Access, System Events), and retention policies that meet your organization’s record-keeping requirements (≥6 years for HIPAA).

How do I encrypt PHI with CMEK?

Create a Cloud KMS key, grant the BigQuery service account cloudkms.cryptoKeyEncrypterDecrypter, then create or update the dataset with CMEK specified.

How do I limit access to sensitive columns?

Use BigQuery Column-Level Security. Define a policy tag in Data Catalog, attach it to PHI columns like customers.email or orders.total_amount, and grant access only to roles that need PHI.

Can I segregate PHI using row-level security?

Yes. Row-level security guarantees analysts see only rows they are entitled to, such as the customer records for their territory. Combine this with policy-tagged columns for layered protection.

Best practices for HIPAA BigQuery deployments

Automate CMEK assignment, rotate keys every 90 days, use service perimeter with VPC-SC, version-control IAM via Terraform, and schedule DLP scans to verify no free-text PHI slips into non-tagged columns.

How do I audit access to PHI?

Send BigQuery audit logs to Cloud Logging and export them to BigQuery or a SIEM. Review logs for queries touching PHI policy tags. Use LOGGING_QUERY views to identify unusual access patterns.

Example: Secure an ecommerce dataset

Suppose Customers.email is PHI. Tag it with phi_email, restrict that tag to healthcare_compliance_analyst, and apply CMEK to the dataset. Use row-level security on Orders so analysts see only customers they manage.

Why How to Achieve HIPAA Compliance in BigQuery is important

How to Achieve HIPAA Compliance in BigQuery Example Usage


-- Analyst querying only non-PHI columns
SELECT id, created_at
FROM ecommerce_prod.Customers
WHERE created_at >= DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY);

-- Compliance officer with PHI access
SELECT id, email, total_amount
FROM ecommerce_prod.Customers c
JOIN ecommerce_prod.Orders o ON c.id = o.customer_id
WHERE o.order_date >= '2024-01-01';

How to Achieve HIPAA Compliance in BigQuery Syntax


-- 1. Create CMEK-protected dataset
CREATE SCHEMA ecommerce_prod
OPTIONS(
  default_kms_key_name='projects/gx-hc/locations/us/keyRings/hipaa-ring/cryptoKeys/bq-cmek'  -- CMEK
);

-- 2. Create table with partition and policy tag on PHI column
CREATE TABLE ecommerce_prod.Customers (
  id INT64,
  name STRING,
  email STRING OPTIONS(policy_tag="phi_email"),
  created_at TIMESTAMP
)
PARTITION BY DATE(created_at);

-- 3. Row-level security to limit analysts to their region
CREATE ROW ACCESS POLICY east_only
ON ecommerce_prod.Customers
GRANT TO ("group:east_analysts@acme.com")
FILTER USING (REGEXP_CONTAINS(email, r"@east\.acme\.com$"));

-- 4. IAM least privilege
GRANT `roles/bigquery.dataViewer` ON SCHEMA ecommerce_prod TO 'user:analyst@acme.com';
REVOKE `roles/bigquery.dataOwner` ON SCHEMA ecommerce_prod FROM 'group:all@acme.com';

Common Mistakes

Ignoring CMEK: Relying on Google-managed encryption keys violates many HIPAA risk-assessment policies. Always assign a Cloud KMS key to every dataset.
Too-broad IAM roles: Granting roles/bigquery.admin to analysts gives PHI download rights. Replace with roles/bigquery.dataViewer plus policy-tag access.