MI-Squared prefers GCP for our hosted EMR environments for the combination of cost, scalability, reliability, ease of use and the convenience of HIPAA BAA. We have also had experience with AWS, Microsoft Azure, and Linode, but we have found GCP to be the best overall solution for our needs.
In this article we describe how to configure your GCP account to give your IT service provider access to your cloud computing resources. If you are in need of IT support, or OpenEMR user support, feel free to send an email to [email protected]
1. Login or Create a Google Account
If you do not have a Google Account, you must first create one. Browse to https://accounts.google.com/signup and fill in the required details. To make it easier to sign a HIPAA BAA with Google, we recommend using a G Suite account, which is explained below. Please contact Google Support if you have questions about the BAA.
2. Initialize Your GCP Account
Once you have created and logged into your Google account, browse to https://console.cloud.google.com/. After reading and agreeing to the GCP terms of service, you will have initialized your account. You may see an offer for a free trial in the upper right corner of the browser. You will want to accept this offer, as it will save you some money over the first year of your activation. Simply click through, and add your business details and your billing information.
3. Create a Project
Google may have already created a default project for you called “My First Project.” If so, click on “My First Project” in the projects drop-down on the top navigation bar. If there is no project, you can click “Create Project” on the top bar.
You will need to change the name from “My First Project” to something meaningful. You may change the project settings by clicking on the top-left sandwich icon (to show the menu) and then browsing to IAM & Admin > Settings. Change the project name to your company name and the purpose of the project, like “ACME Health EMR.” This will help your IT provider identify your project in their list of projects if your provider maintains many applications hosted on GCP.
4. Add IT Person as Editor and Service Networking Admin
Now, in order to allow your third-party IT staff to access your cloud computing resources, you will need to add them as an Editor. This role allows the IT person to add, remove, and start VMs, persistent disks, networks, and Cloud SQL, but restricts access to billing and other business sections.
Log into the GCP admin console at https://console.cloud.google.com
From the “IAM & Admin” menu, click “IAM” at the top of the left navigation bar. This will bring you to the screen where you control users and roles for accessing your GCP computing resources.
Click the “Add +” button at the top of the “IAM” screen. This will bring up a modal dialog where you will enter the email address of the user to whom you would like to grant access. First enter the user’s email address. Then click “Select Role” and select Project > Editor from the menu.
Next, click the “+ Add Another Role” button. This will create another dropdown. Click “Select a Role” and in the modal dialog that appears, select Service Networking > Service Networking Admin from the menu.
Click save and make sure to notify the IT person that you have added them to your organization.
Google does not send a notification about this event.
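Since no notification is sent, it is worth confirming what was actually granted. The following added example (not part of the original article) audits an exported IAM policy to check that the IT person holds exactly the two roles from step 4. The role IDs `roles/editor` and `roles/servicenetworking.networksAdmin` are assumed to correspond to the console names above, and the email addresses and sample policy are constructed.

```python
import json

# Role IDs assumed to correspond to the console names used in step 4.
EXPECTED_ROLES = {
    "roles/editor",                           # Project > Editor
    "roles/servicenetworking.networksAdmin",  # Service Networking Admin
}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:owner@acme-health.example"]},
    {"role": "roles/editor", "members": ["user:IT-Person@msp.example"]},
    {"role": "roles/servicenetworking.networksAdmin",
     "members": ["user:it-person@msp.example"]},
    {"role": "roles/billing.projectManager",
     "members": ["user:it-person@msp.example"]}
  ],
  "version": 1
}
""")


def roles_for(policy, email):
    """Return the roles bound directly to user:<email> (case-insensitive)."""
    wanted = f"user:{email}".lower()
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if wanted in (m.lower() for m in b.get("members", []))
    }


def audit_grant(policy, email, expected=EXPECTED_ROLES):
    """Compare the roles a user holds against the two roles step 4 grants."""
    held = roles_for(policy, email)
    return {
        "missing": sorted(expected - held),
        "unexpected": sorted(held - expected),
        "ok": held == set(expected),
    }


if __name__ == "__main__":
    # The constructed sample carries an extra billing role, so this reports it.
    print(audit_grant(SAMPLE_POLICY, "it-person@msp.example"))
```

This checks only bindings made directly to the user on the project; roles granted through a group or inherited from a folder or organization do not appear in the project policy.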
5. HIPAA BAA
You may be required to set up a BAA with GCP: https://cloud.google.com/security/compliance/hipaa/
If you are using G Suite, it is easier to find and sign the BAA:
- Login to G Suite as an admin
- Go to Account Settings > Legal & Compliance > Security and Privacy Additional Terms (at the bottom of the page)
- There you will find G Suite/Cloud Identity HIPAA Business Associate Amendment