HIPAA Compliance Checklist - GCP
Stack: Cloud Run · Cloud SQL · Cloud Memorystore (Redis)
Status legend: [ ] Not started · [~] In progress · [x] Complete
Before processing real PHI
Do not process real PHI until every checklist item is marked [x]. Use synthetic data in all development and testing environments.
1. Business Associate Agreement (BAA)
| # | Item | Status | Owner |
|---|---|---|---|
| 1.1 | Sign Google Cloud BAA via GCP Console (Compliance > HIPAA) | [ ] | Cloud Admin |
| 1.2 | Verify all HIPAA-eligible services are covered under the BAA | [ ] | Cloud Admin |
| 1.3 | Store a copy of the signed BAA in compliance records | [ ] | Compliance Officer |
| 1.4 | Review BAA annually and after major architectural changes | [ ] | Compliance Officer |
Reference: BAA & GCP Setup →
2. GCP Project & Organization Setup
| # | Item | Status | Owner |
|---|---|---|---|
| 2.1 | Create a dedicated GCP project exclusively for PHI workloads | [ ] | Cloud Admin |
| 2.2 | Enable Organization Policy constraints (resource location, etc.) | [ ] | Cloud Admin |
| 2.3 | Restrict resource locations to approved US regions only | [ ] | Cloud Admin |
| 2.4 | Enable VPC Service Controls to create a security perimeter | [ ] | Cloud Admin |
| 2.5 | Enable Google Cloud Security Command Center (SCC) | [ ] | Security Team |
| 2.6 | Tag all PHI-related resources with `data-sensitivity: phi` | [ ] | Cloud Admin |
3. IAM & Access Control
| # | Item | Status | Owner |
|---|---|---|---|
| 3.1 | Apply principle of least privilege to all IAM roles | [ ] | Cloud Admin |
| 3.2 | Eliminate primitive roles (Owner, Editor, Viewer) on PHI projects | [ ] | Cloud Admin |
| 3.3 | Enforce MFA for all accounts with PHI access | [ ] | IT Security |
| 3.4 | Use Workload Identity instead of service account keys | [ ] | Cloud Admin |
| 3.5 | Rotate service account keys every 90 days (if keys must be used) | [ ] | Cloud Admin |
| 3.6 | Disable and remove unused service accounts | [ ] | Cloud Admin |
| 3.7 | Review IAM bindings quarterly | [ ] | Security Team |
Reference: IAM & Access Control →
4. Cloud Run
| # | Item | Status | Owner |
|---|---|---|---|
| 4.1 | Confirm Cloud Run is covered under the signed BAA | [ ] | Cloud Admin |
| 4.2 | Deploy in an approved US region | [ ] | Developer |
| 4.3 | Set `--ingress=internal-and-cloud-load-balancing` | [ ] | Developer |
| 4.4 | Set `--no-allow-unauthenticated` | [ ] | Developer |
| 4.5 | Enable VPC Connector for private traffic | [ ] | Cloud Admin |
| 4.6 | Use dedicated per-service service account | [ ] | Cloud Admin |
| 4.7 | Store all secrets in Secret Manager (`--set-secrets`) | [ ] | Developer |
| 4.8 | Never log PHI in container stdout/stderr | [ ] | Developer |
| 4.9 | Enable Cloud Armor WAF in front of the Load Balancer | [ ] | Security Team |
| 4.10 | Enable container image vulnerability scanning | [ ] | Security Team |
| 4.11 | Run container as non-root user in Dockerfile | [ ] | Developer |
Reference: Cloud Run →
5. Database (Cloud SQL)
| # | Item | Status | Owner |
|---|---|---|---|
| 5.1 | Disable public IP on Cloud SQL; use Private IP only | [ ] | Cloud Admin |
| 5.2 | Enable SSL/TLS (`require_ssl = true`) | [ ] | Developer |
| 5.3 | Use Cloud SQL Auth Proxy for all connections | [ ] | Developer |
| 5.4 | Enable CMEK via Cloud KMS | [ ] | Security Team |
| 5.5 | Enable automated backups with PITR (7-day log window) | [ ] | Cloud Admin |
| 5.6 | Test backup restore quarterly | [ ] | Cloud Admin |
| 5.7 | Enable Cloud SQL audit logging (Data Access logs) | [ ] | Cloud Admin |
| 5.8 | Apply column-level encryption for SSN, diagnosis codes | [ ] | Developer |
Reference: Database →
6. Redis (Cloud Memorystore)
| # | Item | Status | Owner |
|---|---|---|---|
| 6.1 | Deploy within private VPC (no public IP) | [ ] | Cloud Admin |
| 6.2 | Enable in-transit TLS (`--transit-encryption-mode=SERVER_AUTHENTICATION`) | [ ] | Developer |
| 6.3 | Enable AUTH (`--enable-auth`) | [ ] | Cloud Admin |
| 6.4 | Do NOT store raw PHI in Redis | [ ] | Developer |
| 6.5 | Set TTL on all PHI-adjacent keys (max 30 min for sessions) | [ ] | Developer |
| 6.6 | Restrict access via VPC firewall rules | [ ] | Cloud Admin |
Reference: Redis →
7. Encryption
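The Cloud Run, Cloud SQL and Memorystore items above are all settings that `gcloud ... describe --format=json` reports, so they can be verified mechanically rather than ticked by hand. The following checker is an added example, not part of the original checklist: it evaluates the JSON returned by `gcloud run services describe`, `gcloud run services get-iam-policy`, `gcloud sql instances describe` and `gcloud redis instances describe`, using the field names those commands emit. The approved-region set is an assumption to be replaced with your own list, and the three records at the bottom are constructed sample output, not a real deployment.

```python
"""Checklist verifier for the Cloud Run (4.x), Cloud SQL (5.x) and Memorystore
(6.x) items. Added example, not part of the original checklist. Feed each
function the parsed output of the matching `gcloud ... describe --format=json`
command; an empty list means the resource passes every check here."""
import json

# Assumption: the organisation's approved US regions (items 2.3 / 4.2).
APPROVED_REGIONS = {"us-central1", "us-east1", "us-east4", "us-west1"}


def check_cloud_run(service: dict, iam_policy: dict) -> list[str]:
    """Return the 4.x items a Cloud Run service fails."""
    findings = []
    annotations = service.get("metadata", {}).get("annotations", {})
    template = service.get("spec", {}).get("template", {})
    template_annotations = template.get("metadata", {}).get("annotations", {})
    if annotations.get("run.googleapis.com/ingress") != "internal-and-cloud-load-balancing":
        findings.append("4.3 ingress must be internal-and-cloud-load-balancing")
    # 4.4: --no-allow-unauthenticated means allUsers never holds roles/run.invoker.
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") == "roles/run.invoker" and "allUsers" in binding.get("members", []):
            findings.append("4.4 allUsers holds roles/run.invoker")
    if not template_annotations.get("run.googleapis.com/vpc-access-connector"):
        findings.append("4.5 no VPC connector attached")
    sa = template.get("spec", {}).get("serviceAccountName", "")
    if not sa or sa.endswith("-compute@developer.gserviceaccount.com"):
        findings.append("4.6 running as the default compute service account")
    return findings


def check_cloud_sql(instance: dict) -> list[str]:
    """Return the 5.x items a Cloud SQL instance fails."""
    findings = []
    settings = instance.get("settings", {})
    ip = settings.get("ipConfiguration", {})
    backup = settings.get("backupConfiguration", {})
    if ip.get("ipv4Enabled", True):
        findings.append("5.1 public IPv4 enabled; use private IP only")
    # Older instances report requireSsl; newer ones report sslMode instead.
    if not ip.get("requireSsl") and ip.get("sslMode") not in {
            "ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}:
        findings.append("5.2 TLS not required (requireSsl/sslMode)")
    if not instance.get("diskEncryptionConfiguration", {}).get("kmsKeyName"):
        findings.append("5.4 no CMEK key configured")
    if not (backup.get("enabled") and backup.get("pointInTimeRecoveryEnabled")):
        findings.append("5.5 automated backups with PITR not enabled")
    elif backup.get("transactionLogRetentionDays", 0) < 7:
        findings.append("5.5 transaction log retention below 7 days")
    if instance.get("region") not in APPROVED_REGIONS:
        findings.append(f"4.2/2.3 region {instance.get('region')!r} not approved")
    return findings


def check_memorystore(instance: dict) -> list[str]:
    """Return the 6.x items a Memorystore Redis instance fails."""
    findings = []
    if instance.get("transitEncryptionMode") != "SERVER_AUTHENTICATION":
        findings.append("6.2 in-transit encryption not SERVER_AUTHENTICATION")
    if not instance.get("authEnabled", False):
        findings.append("6.3 AUTH not enabled")
    return findings


# Constructed sample describe output: a Cloud SQL instance with a public IP and
# no CMEK, a compliant Redis instance, and a Cloud Run service open to allUsers.
SAMPLE_SQL = {
    "region": "us-central1",
    "settings": {
        "ipConfiguration": {"ipv4Enabled": True, "requireSsl": True},
        "backupConfiguration": {"enabled": True, "pointInTimeRecoveryEnabled": True,
                                "transactionLogRetentionDays": 7},
    },
}
SAMPLE_REDIS = {"transitEncryptionMode": "SERVER_AUTHENTICATION", "authEnabled": True}
SAMPLE_RUN = {
    "metadata": {"annotations": {"run.googleapis.com/ingress": "internal-and-cloud-load-balancing"}},
    "spec": {"template": {
        "metadata": {"annotations": {"run.googleapis.com/vpc-access-connector": "phi-connector"}},
        "spec": {"serviceAccountName": "phi-api@example-project.iam.gserviceaccount.com"},
    }},
}
SAMPLE_RUN_IAM = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}

if __name__ == "__main__":
    for name, findings in [("cloud-sql", check_cloud_sql(SAMPLE_SQL)),
                           ("memorystore", check_memorystore(SAMPLE_REDIS)),
                           ("cloud-run", check_cloud_run(SAMPLE_RUN, SAMPLE_RUN_IAM))]:
        print(json.dumps({"resource": name, "findings": findings}))
```

Run it from a scheduled job or a CI step after each deploy and fail the pipeline on any non-empty findings list; the item numbers in each finding map straight back to the rows above, so the table can be updated from the output.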
| # | Item | Status | Owner |
|---|---|---|---|
| 7.1 | Enable CMEK for Cloud SQL | [ ] | Security Team |
| 7.2 | Enable CMEK for Cloud Storage (audit log bucket) | [ ] | Security Team |
| 7.3 | Enable KMS key rotation (90-day period) | [ ] | Security Team |
| 7.4 | Enforce TLS 1.2+ via SSL policy RESTRICTED on Load Balancer | [ ] | Developer |
| 7.5 | Enable HSTS header in application | [ ] | Developer |
| 7.6 | Manage all secrets via Secret Manager | [ ] | Developer |
Reference: Encryption →
8. Network Security
| # | Item | Status | Owner |
|---|---|---|---|
| 8.1 | Use custom VPC (delete default) | [ ] | Cloud Admin |
| 8.2 | No public IPs on Cloud SQL or Redis | [ ] | Cloud Admin |
| 8.3 | VPC Connector for Cloud Run → private services | [ ] | Cloud Admin |
| 8.4 | Cloud NAT for outbound internet access | [ ] | Cloud Admin |
| 8.5 | Enable VPC Service Controls perimeter | [ ] | Cloud Admin |
| 8.6 | Enable Cloud Armor WAF + DDoS protection | [ ] | Security Team |
| 8.7 | Enable VPC Flow Logs | [ ] | Cloud Admin |
Reference: Network Security →
9. Audit Logging
| # | Item | Status | Owner |
|---|---|---|---|
| 9.1 | Enable Data Access audit logs for all PHI services | [ ] | Cloud Admin |
| 9.2 | Export audit logs to Cloud Storage | [ ] | Cloud Admin |
| 9.3 | Apply 6-year locked retention policy on log bucket | [ ] | Cloud Admin |
| 9.4 | Implement application-level PHI access audit logging | [ ] | Developer |
| 9.5 | Configure security alerts (failed logins, IAM changes, VPC-SC violations) | [ ] | Security Team |
Reference: Audit Logging →
10. Incident Response
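Items 9.4 and 4.8 pull in opposite directions: the application must record every PHI access, yet nothing it writes to stdout may contain PHI. The following is an added example of how to satisfy both, not code from the original checklist. It relies on one Cloud Run fact, that each JSON line written to stdout becomes a structured Cloud Logging entry and a top-level `severity` field sets the entry's severity; everything else (the `event_type`, `actor`, `patient_token` and `details` fields, the PHI field list, the placeholder pseudonymisation key) is this example's own design and would be tuned to your data model, with the key loaded from Secret Manager per item 4.7.

```python
"""Application-level PHI access audit event (item 9.4) that cannot leak PHI
into stdout (item 4.8). Added example, not part of the original checklist."""
import hashlib
import hmac
import json
import re
import sys
from datetime import datetime, timezone

# Field names whose values are PHI and must never be written to a log (4.8).
# Assumption: adjust to the application's own schema.
PHI_FIELDS = {"ssn", "dob", "name", "address", "phone", "diagnosis", "diagnosis_code", "mrn"}

# Second line of defence: catches an SSN that arrives under an unexpected key
# (e.g. free-text "notes") rather than a listed PHI field.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed placeholder; in production load it from Secret Manager (4.7) so
# that log readers cannot reverse a token back to a patient identifier.
PSEUDONYM_KEY = b"placeholder-load-from-secret-manager"


def patient_token(patient_id: str) -> str:
    """Stable keyed pseudonym: correlates events per patient without exposing the MRN."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(value):
    """Recursively drop PHI keys and mask SSN-shaped strings before anything is logged."""
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items() if k.lower() not in PHI_FIELDS}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return SSN_RE.sub("[REDACTED-SSN]", value)
    return value


def audit_event(actor: str, action: str, patient_id: str, resource: str,
                outcome: str, details: dict = None) -> dict:
    """Build the access record: who did what to which patient's record, and the result."""
    return {
        "severity": "NOTICE",            # mapped to the Cloud Logging entry severity
        "event_type": "phi_access",
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,                  # IAM principal or application user id
        "action": action,                # READ / CREATE / UPDATE / DELETE / EXPORT
        "resource": resource,            # opaque path such as "patients/<id>/encounters"
        "patient_token": patient_token(patient_id),
        "outcome": outcome,              # "success" or "denied"
        "details": scrub(details or {}),
    }


def emit(event: dict, stream=sys.stdout) -> str:
    """Write one JSON line for Cloud Run to forward; refuse the line if an SSN survived."""
    line = json.dumps(event, separators=(",", ":"))
    if SSN_RE.search(line):
        raise ValueError("refusing to log a line that contains an SSN")
    stream.write(line + "\n")
    return line


if __name__ == "__main__":
    # Constructed request: the caller mistakenly passed PHI in the details.
    event = audit_event("clinician-42", "READ", "MRN-000123", "patients/000123/encounters",
                        "success", {"ssn": "123-45-6789", "fields": ["ssn", "diagnosis"],
                                    "notes": "pt ssn 987-65-4321 verified"})
    emit(event)
```

The `fields` list survives because field names are not PHI, only their values are; the `ssn` key is dropped and the SSN inside `notes` is masked. In Cloud Logging the events can then be filtered on `jsonPayload.event_type="phi_access"` and joined on `patient_token` for an access history, which is what a HIPAA accounting-of-disclosures request needs.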
| # | Item | Status | Owner |
|---|---|---|---|
| 10.1 | Document and publish an Incident Response Plan | [ ] | Compliance Officer |
| 10.2 | Assign HIPAA Privacy Officer and Security Officer | [ ] | Management |
| 10.3 | Define breach notification SLAs (HHS: 60 days) | [ ] | Compliance Officer |
| 10.4 | Test backup restoration annually | [ ] | Cloud Admin |
| 10.5 | Conduct tabletop incident response exercise annually | [ ] | Security Team |
Reference: Incident Response →
11. Risk Assessment & Policies
| # | Item | Status | Owner |
|---|---|---|---|
| 11.1 | Conduct and document initial HIPAA Risk Assessment | [ ] | Compliance Officer |
| 11.2 | Maintain a Risk Register with mitigations and owners | [ ] | Compliance Officer |
| 11.3 | Create and distribute HIPAA Policies & Procedures | [ ] | Compliance Officer |
| 11.4 | Conduct HIPAA security training for all workforce | [ ] | HR / Compliance |
| 11.5 | Maintain list of all Business Associates and their BAAs | [ ] | Compliance Officer |
Reference: Risk Assessment →