HIPAA compliance in BigQuery means configuring storage, access, and auditing so Protected Health Information (PHI) is stored, processed, and transmitted according to U.S. healthcare regulations.
HIPAA compliance in BigQuery requires a signed Business Associate Agreement (BAA), encryption at rest and in transit, strict Identity and Access Management (IAM), detailed audit logging, and controls to limit PHI exposure such as column-level and row-level security.
First, execute a BAA with Google Cloud. Next, enforce Customer-Managed Encryption Keys (CMEK) for every dataset, restrict service accounts, and turn on Cloud Audit Logs for BigQuery. Finally, apply least-privilege IAM roles and automatic data loss prevention (DLP) scans.
Mandatory settings include CMEK, VPC Service Controls, complete logging (Admin Activity, Data Access, System Events), and retention policies that meet your organization’s record-keeping requirements (≥6 years for HIPAA).
Create a Cloud KMS key, grant the BigQuery service account the cloudkms.cryptoKeyEncrypterDecrypter role, then create or update the dataset with CMEK specified.
Use BigQuery Column-Level Security. Define a policy tag in Data Catalog, attach it to PHI columns like customers.email or orders.total_amount, and grant access only to roles that need PHI.
Yes. Row-level security guarantees analysts see only rows they are entitled to, such as the customer records for their territory. Combine this with policy-tagged columns for layered protection.
Automate CMEK assignment, rotate keys every 90 days, use a service perimeter with VPC-SC, version-control IAM via Terraform, and schedule DLP scans to verify no free-text PHI slips into non-tagged columns.
Send BigQuery audit logs to Cloud Logging and export them to BigQuery or a SIEM. Review logs for queries touching PHI policy tags. Use LOGGING_QUERY views to identify unusual access patterns.
Suppose Customers.email is PHI. Tag it with phi_email, restrict that tag to healthcare_compliance_analyst, and apply CMEK to the dataset. Use row-level security on Orders so analysts see only customers they manage.
Yes. Submit a request in the Google Cloud Console or through your sales rep. No HIPAA workloads are allowed until the BAA is active.
Strictly speaking, it’s not in HIPAA law, but Google requires VPC-SC for regulated data to prevent data exfiltration from BigQuery.
Query INFORMATION_SCHEMA.COLUMNS to see is_encrypted and kms_key_name. Also review Cloud KMS logs for encrypt/decrypt events.
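A complementary check for the Customers.email scenario, added here as an example and not taken from the original page: it audits table metadata in the shape of the BigQuery REST API Table resource (encryptionConfiguration.kmsKeyName and schema.fields[].policyTags.names) and reports tables without an approved CMEK key or PHI columns without the required policy tag. The project, key, and policy-tag resource names are constructed placeholders, and audit_table and walk_fields are hypothetical helper names.

```python
# Added example: audits BigQuery table metadata (REST "Table" resource JSON).
# All project, key, and policy-tag resource names below are constructed placeholders.

PHI_TAG = "projects/example-proj/locations/us/taxonomies/111/policyTags/222"  # stands in for phi_email
KEY = "projects/example-proj/locations/us/keyRings/phi/cryptoKeys/bq-cmek"

def walk_fields(fields, prefix=""):
    """Yield (dotted_path, field) for every column, descending into RECORD fields."""
    for f in fields:
        path = prefix + f["name"]
        yield path, f
        yield from walk_fields(f.get("fields", []), path + ".")

def audit_table(table, phi_columns, approved_keys):
    """Return a list of findings; an empty list means the table passed."""
    findings = []
    key = table.get("encryptionConfiguration", {}).get("kmsKeyName")
    if key is None:
        findings.append("table is not CMEK-protected")
    elif key not in approved_keys:
        findings.append(f"unapproved KMS key: {key}")
    columns = dict(walk_fields(table.get("schema", {}).get("fields", [])))
    for col, required_tag in phi_columns.items():
        if col not in columns:
            findings.append(f"PHI column missing from schema: {col}")
            continue
        tags = columns[col].get("policyTags", {}).get("names", [])
        if required_tag not in tags:
            findings.append(f"PHI column lacks required policy tag: {col}")
    return findings

# Constructed sample metadata for the Customers table from the scenario above.
GOOD = {
    "encryptionConfiguration": {"kmsKeyName": KEY},
    "schema": {"fields": [
        {"name": "id", "type": "INTEGER"},
        {"name": "email", "type": "STRING", "policyTags": {"names": [PHI_TAG]}},
    ]},
}
BAD = {  # no CMEK, and email was left untagged
    "schema": {"fields": [
        {"name": "id", "type": "INTEGER"},
        {"name": "email", "type": "STRING"},
    ]},
}

if __name__ == "__main__":
    for name, tbl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_table(tbl, {"email": PHI_TAG}, {KEY}))
```

Policy tags appear in table metadata as taxonomy resource names rather than display names such as phi_email, so the expected tag is matched by resource name.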