google-cloud-firestore hipaa

Identity Platform + Firestore REST client: does that fit HIPAA requirements?


I'm designing a mobile application that uses Identity Platform and Firestore to store customers' PHI records. Both Identity Platform and Firestore are mentioned as products covered by the Google Cloud BAA. Will that architecture solution also fit HIPAA? I have found a tutorial at Cloud Architecture Center https://cloud.google.com/architecture/authenticating-users-to-firestore-with-identity-platform-and-google-identities and want to be sure that example fits HIPAA requirements.


Solution

  • Natively, the user is able to read and access the information associated with Identity Platform once logged in; this also includes any custom claims that would be associated with the user. Beyond that, the user is normally identified by their UID and only has basic information stored on their auth object (email, phone number); none of this pertains to HIPAA requirements.

    HIPAA mostly associates with the medical records themselves, which is where personal information, documents, and other records are stored within your databases (Realtime DB, Firestore, Storage).

    Allowing access to these documents is what would make your architecture HIPAA compliant and can be done through several means: Cloud Functions, direct access from within the project app, or encrypted email.

    The structure to build a HIPAA compliant database would be to add all the record data as a child node to the user's UID, such as users/user_id/records.json

    {
      "users": {
        "user_id": {
          "profile": {
            "address": "blank street",
            "name": "John Smith"
          },
          "records": {
            "record_id": {
              "date": "some date",
              "doctor": "Jane Dohne",
              "other": "fields"
            }
          }
        }
      }
    }


    Security Rules

    {
      "rules": {
        "users": {
          "$uid": {
            ".read": "auth != null && auth.uid == $uid"
          }
        }
      }
    }
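
The rules above use Realtime Database syntax. As an added example (not part of the original answer), here is the same owner-only read check written as Cloud Firestore security rules, assuming the profile fields live in the document `users/{uid}` and the records in a `records` subcollection beneath it:

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True only for a signed-in caller whose Identity Platform UID
    // equals the {uid} segment of the requested path.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // users/{uid}: the profile document (name, address in the layout above).
    // "get" allows fetching the single document but not listing the collection.
    match /users/{uid} {
      allow get: if isOwner(uid);

      // Firestore rules do not cascade into subcollections the way a
      // Realtime Database ".read" applies to every child node, so the
      // records path needs its own match block (assumed subcollection name).
      match /records/{recordId} {
        allow read: if isOwner(uid);   // read = get + list
      }
    }

    // No "allow write" statement and no other match block: client writes
    // and reads of any other path are denied by default.
  }
}
```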