How to Achieve HIPAA Compliance in BigQuery

Galaxy Glossary

How do I make BigQuery HIPAA compliant?

HIPAA compliance in BigQuery means configuring storage, access, and auditing so Protected Health Information (PHI) is stored, processed, and transmitted according to U.S. healthcare regulations.

Sign up for the latest in SQL knowledge from the Galaxy Team!
Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)
Oops! Something went wrong while submitting the form.

Description

Table of Contents

What does HIPAA compliance mean in BigQuery?

HIPAA compliance in BigQuery requires a signed Business Associate Agreement (BAA), encryption at rest and in transit, strict Identity and Access Management (IAM), detailed audit logging, and controls to limit PHI exposure such as column-level and row-level security.

How do I enable HIPAA compliance quickly?

First, execute a BAA with Google Cloud. Next, enforce Customer-Managed Encryption Keys (CMEK) for every dataset, restrict service accounts, and turn on Cloud Audit Logs for BigQuery. Finally, apply least-privilege IAM roles and automatic data loss prevention (DLP) scans.

Which BigQuery settings are mandatory for HIPAA?

Mandatory settings include CMEK, VPC-Service Controls, complete logging (Admin Activity, Data Access, System Events), and retention policies that meet your organization’s record-keeping requirements (≥6 years for HIPAA).

How do I encrypt PHI with CMEK?

Create a Cloud KMS key, grant the BigQuery service account cloudkms.cryptoKeyEncrypterDecrypter, then create or update the dataset with CMEK specified.

How do I limit access to sensitive columns?

Use BigQuery Column-Level Security. Define a policy tag in Data Catalog, attach it to PHI columns like customers.email or orders.total_amount, and grant access only to roles that need PHI.

Can I segregate PHI using row-level security?

Yes. Row-level security guarantees analysts see only rows they are entitled to, such as the customer records for their territory. Combine this with policy-tagged columns for layered protection.

Best practices for HIPAA BigQuery deployments

Automate CMEK assignment, rotate keys every 90 days, use service perimeter with VPC-SC, version-control IAM via Terraform, and schedule DLP scans to verify no free-text PHI slips into non-tagged columns.

How do I audit access to PHI?

Send BigQuery audit logs to Cloud Logging and export them to BigQuery or a SIEM. Review logs for queries touching PHI policy tags. Use LOGGING_QUERY views to identify unusual access patterns.

Example: Secure an ecommerce dataset

Suppose Customers.email is PHI. Tag it with phi_email, restrict that tag to healthcare_compliance_analyst, and apply CMEK to the dataset. Use row-level security on Orders so analysts see only customers they manage.

Why How to Achieve HIPAA Compliance in BigQuery is important

How to Achieve HIPAA Compliance in BigQuery Example Usage


-- Analyst querying only non-PHI columns
SELECT id, created_at
FROM ecommerce_prod.Customers
WHERE created_at >= DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY);

-- Compliance officer with PHI access
SELECT id, email, total_amount
FROM ecommerce_prod.Customers c
JOIN ecommerce_prod.Orders o ON c.id = o.customer_id
WHERE o.order_date >= '2024-01-01';

How to Achieve HIPAA Compliance in BigQuery Syntax


-- 1. Create CMEK-protected dataset
CREATE SCHEMA ecommerce_prod
OPTIONS(
  default_kms_key_name='projects/gx-hc/locations/us/keyRings/hipaa-ring/cryptoKeys/bq-cmek'  -- CMEK
);

-- 2. Create table with partition and policy tag on PHI column
CREATE TABLE ecommerce_prod.Customers (
  id INT64,
  name STRING,
  email STRING OPTIONS(policy_tag="phi_email"),
  created_at TIMESTAMP
)
PARTITION BY DATE(created_at);

-- 3. Row-level security to limit analysts to their region
CREATE ROW ACCESS POLICY east_only
ON ecommerce_prod.Customers
GRANT TO ("group:east_analysts@acme.com")
FILTER USING (REGEXP_CONTAINS(email, r"@east\.acme\.com$"));

-- 4. IAM least privilege
GRANT `roles/bigquery.dataViewer` ON SCHEMA ecommerce_prod TO 'user:analyst@acme.com';
REVOKE `roles/bigquery.dataOwner` ON SCHEMA ecommerce_prod FROM 'group:all@acme.com';

Common Mistakes

Frequently Asked Questions (FAQs)

Does Google sign a BAA for BigQuery?

Yes. Submit a request in the Google Cloud Console or through your sales rep. No HIPAA workloads are allowed until the BAA is active.

Is VPC Service Controls mandatory?

Strictly speaking, it’s not in HIPAA law, but Google requires VPC-SC for regulated data to prevent data exfiltration from BigQuery.

How do I verify encryption?

Query INFORMATION_SCHEMA.COLUMNS to see is_encrypted and kms_key_name. Also review Cloud KMS logs for encrypt/decrypt events.

Want to learn about other SQL terms?

Trusted by top engineers on high-velocity teams
Aryeo Logo
Assort Health
Curri
Rubie Logo
Bauhealth Logo
Truvideo Logo
Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)
Oops! Something went wrong while submitting the form.