I am building a project that needs to store some patient data, and it should work with HIPAA compliance since this is medical information.

Is it possible to do this using Firebase databases like Cloud Firestore or Realtime Database in 2021? If so, how can I sign a BAA for Cloud Firestore?

Abraham
  • The comments on [this](https://stackoverflow.com/questions/52381369/how-can-i-achieve-hipaa-compliance-using-cloud-firestore) question suggest https://cloud.google.com/security/compliance/hipaa – Frank van Puffelen Aug 13 '21 at 14:50

2 Answers

To be under HIPAA compliance, the product must be aligned with ISO/IEC 27001, 27017 and 27018 certifications and the SOC 2 report, as mentioned here. From this document it is clear that Cloud Firestore meets all the requirements while Firebase Realtime Database doesn’t meet all the requirements, and in this document Cloud Firestore is listed under the Google Cloud services in scope for HIPAA while Firebase Realtime Database is not listed. So Cloud Firestore is covered under HIPAA compliance and Firebase Realtime Database is not covered.

To execute a Business Associate Agreement (BAA) you should contact your Account Manager as mentioned here.

Prabir
  • Thanks for the info! I still have a clarification question I can't find a good answer to. There are some providers in Identity Platform (like Phone number) that, when you go to configure them, take you to a Firebase page. Does this mean there are some Providers in Identity Platform that are not HIPAA compliant? – Grey Mar 03 '23 at 14:38

It seems Firestore is covered under the Google Cloud BAA and can be used for HIPAA-compliant work. But for now, you can't use Firebase Auth with it, since Firebase Auth isn't covered under the Google Cloud BAA.

So using Firestore with your own authentication seems to be the option. Google Cloud Identity Platform is also covered under the BAA. More info

Abraham
  • It's worth mentioning that you can upgrade Firebase Auth to Google Identity Platform to gain this compliancy. https://stackoverflow.com/a/62868428/2399238 – Codelicious May 08 '22 at 17:31