Google Workspace HIPAA Compliance: BAA Requirements and Setup Guide


Kevin Henry

HIPAA

June 19, 2025

7 minutes read

Sign a Business Associate Agreement

Why the BAA matters

A Business Associate Agreement is the contractual foundation of Google Workspace HIPAA compliance. Without a fully executed BAA, you must not create, store, or transmit Protected Health Information (PHI) in Workspace. The BAA defines shared security responsibilities, permissible uses, breach reporting, and subcontractor handling.

How to execute the BAA

  • Confirm your organization is a covered entity or business associate and that your Workspace edition is eligible.
  • In the Admin console, go to Account > Account settings > Legal and compliance, open the HIPAA Business Associate Amendment, review it, and accept it on behalf of your legal entity. Only a super admin can accept it, so decide in advance who signs.
  • Record the legal name, signer, date, and version. Save a copy in your compliance repository and update your vendor management register.

Readiness checklist

  • Complete a HIPAA risk analysis covering identity, devices, email, file sharing, and third-party add-ons.
  • Define a PHI data map and data handling standards that align with the BAA.
  • Document escalation paths for security incidents and breach notifications.

Verify Covered Google Workspace Services

Confirm what’s in scope before using PHI

The BAA covers only specific Google Workspace services. You should treat any service not explicitly listed as out of scope for PHI. Coverage can vary by edition and may change, so verify directly in your Admin console and product documentation.

Practical verification steps

  • Open the executed BAA in Admin > Account > Legal and compliance and review the “covered services” list.
  • Create a service matrix: “PHI-Allowed,” “Restricted,” and “Prohibited.” Share it with IT, security, and all users.
  • Cross-check usage reports to ensure teams aren’t using non-covered services for PHI (e.g., through “Additional Google services”).
  • Re-verify coverage after major Workspace announcements or edition changes.

Configure Security Settings

Role-Based Access Controls

Implement Role-Based Access Controls to enforce least privilege. Assign granular admin roles (e.g., Help Desk Admin, Groups Admin) rather than super admin whenever possible. Segment users by organizational unit or group to apply PHI-specific policies to those who handle sensitive data.

Multi-Factor Authentication

Enforce Multi-Factor Authentication (2-Step Verification) for all accounts, prioritizing phishing-resistant factors: security keys first, then Google prompts on managed devices. Require enrollment for admins and PHI handlers first, then the entire workforce. Set an enforcement date, issue backup codes for recovery, and restrict the allowed methods (at minimum, disallow SMS and voice codes) if your risk model requires stronger factors.

Encryption Standards and email security

  • At rest: Google encrypts Workspace data at rest; document this in your Encryption Standards rather than treating it as something you configure.
  • In transit: Gmail negotiates TLS opportunistically by default. Use the Gmail compliance setting for secure transport (TLS) to require TLS with partner domains that exchange PHI, and publish MTA-STS (enforce mode) plus TLS reporting so a sending server cannot be silently downgraded to cleartext. Where your edition supports it, deploy hosted S/MIME for message-level encryption.
  • Integrity and authenticity: Publish SPF, enable DKIM signing, and move DMARC from p=none to quarantine or reject once reports show your legitimate senders pass, to stop the spoofing that drives phishing and PHI exposure.
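The records below are an added example for this section, not text from the page or from Google's documentation. example.com is a placeholder, the reporting mailboxes and the MTA-STS policy id are assumptions, and the MX names are the classic Google Workspace MX hosts: match them to the MX records your domain actually publishes. The block shows the monitor-only DMARC record beside the enforcing one, and an MTA-STS policy in enforce mode beside the TXT record that announces it.

```text
; --- DNS zone records for example.com (placeholder domain) ---

; SPF: authorize Google's outbound servers via the include Google documents
example.com.                   IN TXT "v=spf1 include:_spf.google.com ~all"

; DKIM: "google" is the Workspace default selector; the public key is generated in
; Admin console > Apps > Google Workspace > Gmail > Authenticate email
google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<public key from Admin console>"

; DMARC, weak: monitor only, spoofed mail is still delivered
_dmarc.example.com.            IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
; DMARC, hardened: reject unaligned mail; strict alignment on DKIM and SPF
_dmarc.example.com.            IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

; MTA-STS: the TXT record announces that a policy exists; change id whenever the policy file changes
_mta-sts.example.com.          IN TXT "v=STSv1; id=20250619T1200"

; TLS-RPT: where sending servers report failed TLS negotiations with your MX
_smtp._tls.example.com.        IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

; --- Policy file served over HTTPS at https://mta-sts.example.com/.well-known/mta-sts.txt ---
; mode "testing" only reports failures; "enforce" makes senders refuse to deliver without a valid TLS match
version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 604800
```

Roll DMARC out in the order shown: publish p=none first, read the aggregate reports until every legitimate sender aligns, then switch to p=reject. Likewise start MTA-STS in testing mode and read the TLS-RPT reports before moving to enforce, since an enforce policy with a wrong MX list stops inbound mail.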

Endpoint and session hardening

  • Enable endpoint management with screen lock, disk encryption, OS patch baselines, and remote wipe for lost devices.
  • Use context-aware access to restrict high-risk logins and block access from unmanaged or non-compliant devices.
  • Limit offline access and printing where PHI is involved.

Disable Unsupported Services

Turn off what the BAA doesn’t cover

Disable any non-covered services to avoid accidental PHI sprawl. Use Admin > Apps to set “Service status” per organizational unit or group so only approved users can access in-scope apps.

Reduce data egress and risky integrations

  • Restrict third-party Marketplace apps; allow only vetted apps with signed agreements and minimal scopes.
  • Restrict OAuth access to Workspace APIs under Security > Access and data control > API controls: mark vetted apps as trusted, block unconfigured third-party apps that request sensitive or restricted scopes, and review the connected-app list on a schedule.
  • For Gmail, consider disabling automatic forwarding and restricting POP/IMAP for PHI-handling groups.
  • Apply Drive sharing controls: external sharing allowlists, viewer-only access, disable download/copy/print for sensitive folders.

Conduct Staff HIPAA Training

Make training role-specific and practical

Deliver HIPAA Security and Privacy Rule training that shows exactly how to handle PHI in Gmail, Drive, Chat, and Meet. Include phishing awareness, verified external sharing, Meet recording hygiene, and incident reporting. Provide deeper modules for admins on policy configuration and investigations.

Cadence and tracking

  • Onboarding within 30 days and annual refreshers, with targeted updates after policy or tool changes.
  • Knowledge checks and signed acknowledgments stored for audit readiness.
  • Simulated phishing and data handling drills to reinforce real-world behavior.

Monitor Audit Trails and Logs

Achieve Audit Logging Compliance

Establish monitoring that demonstrates Audit Logging Compliance. Use Admin log events for administrator actions, Login log events for authentication (including failed and suspicious sign-ins), Drive log events for file access and sharing, Gmail log search for message flow, and Meet and Chat log events for collaboration activity. Log availability and retention in the Admin console vary by edition, so document which logs you collect and for how long, and export them before they age out.

Operationalize reviews and retention

  • Stream logs to your SIEM for correlation and alerting. Create alerts for unusual file sharing, forwarding rule creation, mass downloads, and admin privilege changes.
  • Define review cadences (daily triage, weekly trend reviews, monthly access certifications) and escalate anomalies.
  • Use Vault to retain communications and preserve data for eDiscovery and legal holds according to your retention schedule.
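The following is an added example of the alert logic described above, written for this page rather than taken from Google or from any SIEM product. It runs four rules (external sharing, forwarding to an outside domain, mass downloads in a sliding window, and admin privilege changes) over constructed audit events. The record shape (actor, app, event name, parameters) loosely follows the Admin SDK Reports API activity format, but every record is constructed, and the internal domains, threshold, window and event names are assumptions to map onto what your own export actually contains.

```python
"""Added example: alert rules over constructed Workspace-style audit events.

Every record, domain, threshold and event name here is an assumption for the
example; adapt the field names to your own SIEM export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"clinic.example"}            # assumption: your Workspace domains
MASS_DOWNLOAD_THRESHOLD = 20                     # assumption: files per window
MASS_DOWNLOAD_WINDOW = timedelta(minutes=10)
PRIVILEGE_EVENTS = {"ASSIGN_ROLE", "GRANT_ADMIN_PRIVILEGE"}


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours (empty address counts as external)."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect(events: list[dict]) -> list[str]:
    """Return one alert string per hit for the four conditions named in the text."""
    alerts: list[str] = []
    downloads: dict[str, deque] = defaultdict(deque)   # actor -> download times inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        actor, app, name = e["actor"], e["app"], e["event"]
        p = e.get("params", {})
        if app == "drive" and name == "change_user_access" and is_external(p.get("target_user", "")):
            alerts.append(f"external_share: {actor} shared {p.get('doc_title')} with {p.get('target_user')}")
        elif app == "drive" and name == "download":
            window = downloads[actor]
            window.append(ts)
            while ts - window[0] > MASS_DOWNLOAD_WINDOW:   # expire timestamps older than the window
                window.popleft()
            if len(window) == MASS_DOWNLOAD_THRESHOLD:     # fire once, when the threshold is crossed
                alerts.append(f"mass_download: {actor} downloaded {len(window)} files within {MASS_DOWNLOAD_WINDOW}")
        elif (app == "user_accounts" and name == "email_forwarding_change"
              and is_external(p.get("email_forwarding_destination_address", ""))):
            alerts.append(f"forwarding_external: {actor} now forwards mail to "
                          f"{p.get('email_forwarding_destination_address')}")
        elif app == "admin" and name in PRIVILEGE_EVENTS:
            alerts.append(f"privilege_change: {actor} ran {name} for {p.get('user_email')} ({p.get('role_name')})")
    return alerts


def sample_events() -> list[dict]:
    """Constructed sample log, not real Workspace output."""
    base = datetime(2025, 6, 19, 9, 0, 0)

    def at(**delta) -> str:
        return (base + timedelta(**delta)).isoformat()

    events = [{"ts": at(seconds=10 * i), "actor": "alice@clinic.example", "app": "drive",
               "event": "download", "params": {"doc_title": f"chart-{i}.pdf"}} for i in range(25)]
    events += [
        {"ts": at(minutes=1), "actor": "bob@clinic.example", "app": "drive", "event": "change_user_access",
         "params": {"doc_title": "labs.xlsx", "target_user": "carol@clinic.example"}},       # internal: no alert
        {"ts": at(minutes=2), "actor": "bob@clinic.example", "app": "drive", "event": "change_user_access",
         "params": {"doc_title": "labs.xlsx", "target_user": "someone@outside.example"}},   # external: alert
        {"ts": at(minutes=3), "actor": "dave@clinic.example", "app": "user_accounts",
         "event": "email_forwarding_change",
         "params": {"email_forwarding_destination_address": "dave.home@outside.example"}},
        {"ts": at(minutes=4), "actor": "admin@clinic.example", "app": "admin", "event": "ASSIGN_ROLE",
         "params": {"user_email": "eve@clinic.example", "role_name": "_SEED_ADMIN_ROLE"}},
    ]
    return events


def run_sample() -> list[str]:
    """Run the rules over the constructed log; yields exactly four alerts."""
    return detect(sample_events())


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The mass-download rule fires once when the count inside the window first reaches the threshold, not on every subsequent download, which keeps a single burst from flooding the queue; the internal share to carol@clinic.example is deliberately silent so the rule only pages on data leaving the tenant.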

Implement Data Loss Prevention

Design effective Data Loss Prevention Rules

Use DLP to detect and control PHI in Gmail, Drive, and Chat. Start with monitor-only rules, then graduate to user warnings, quarantine, or blocking. Combine predefined detectors (e.g., U.S. Social Security Number) with custom regex for patient IDs or National Provider Identifiers, plus context terms to reduce false positives.

Policy building steps

  • Inventory PHI data elements and rank channels by risk (external email, external sharing, unmanaged devices).
  • Create tiered rules: warn on low-risk matches, quarantine or block on high-confidence matches and bulk exfiltration.
  • Scope by organizational unit or group; add exceptions for trusted services and service accounts with justified need.
  • Measure effectiveness: track incident rates, user override reasons, and false-positive ratios, then iterate.
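As an added example of the tiered detection the DLP section and the policy steps describe (written for this page, not Google's DLP engine), the block below pairs a predefined-style U.S. SSN pattern with a custom National Provider Identifier detector, uses context terms to raise confidence, and maps the findings to allow, warn or block. The NPI check is grounded in the CMS specification: ten digits whose Luhn check digit is computed over the constant prefix 80840, which is exactly the kind of validation that turns a raw ten-digit regex into a low-false-positive detector. The context-term list, bulk threshold and sample messages are assumptions constructed for the example.

```python
"""Added example: a tiered PHI detector combining pattern, validation and context.

Context terms, bulk threshold and sample messages are assumptions constructed
for this example; no real PHI appears here.
"""
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
NPI_RE = re.compile(r"\b\d{10}\b")
CONTEXT_TERMS = ("ssn", "social security", "patient", "mrn", "npi", "provider", "diagnosis", "dob")
BULK_THRESHOLD = 5   # assumption: this many identifiers in one message looks like exfiltration


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: walking left from the check digit, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def npi_valid(npi: str) -> bool:
    """An NPI is 10 digits; its check digit is Luhn over '80840' + the nine leading digits."""
    return len(npi) == 10 and npi.isdigit() and luhn_valid("80840" + npi)


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


@dataclass
class Finding:
    detector: str
    value: str
    confidence: str   # "high" when a context term co-occurs in the message, else "low"


def scan(text: str) -> list[Finding]:
    """Find plausible SSNs and valid NPIs; context terms anywhere in the text raise confidence."""
    lower = text.lower()
    conf = "high" if any(t in lower for t in CONTEXT_TERMS) else "low"
    found = [Finding("us_ssn", m.group(0), conf) for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]
    found += [Finding("npi", m.group(0), conf) for m in NPI_RE.finditer(text) if npi_valid(m.group(0))]
    return found


def decide(findings: list[Finding], external: bool) -> str:
    """Tiered action: block bulk matches and high-confidence matches leaving the domain,
    warn on anything else that matched, otherwise allow."""
    if not findings:
        return "allow"
    if len(findings) >= BULK_THRESHOLD or (external and any(f.confidence == "high" for f in findings)):
        return "block"
    return "warn"


# Constructed messages: (text, is the recipient external to the tenant?)
SAMPLE_MESSAGES = {
    "referral": ("Patient J. Doe, SSN 123-45-6789, referred to Dr. Smith, NPI 1234567893.", True),
    "shipping": ("Order 987-65-4321 shipped; tracking 1234567890.", True),
    "internal_note": ("Reminder: file ref 555-12-3456 needs review.", False),
}


def evaluate_samples() -> dict[str, str]:
    """Map each constructed message to the action the tiered policy would take."""
    return {name: decide(scan(text), external) for name, (text, external) in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name}: {action}")
```

The shipping message shows why validation matters: 987-65-4321 matches the SSN regex but has an unissued area number, and 1234567890 is ten digits but fails the NPI check digit, so the message passes with no finding. The internal note matches a plausible SSN with no context term, which lands in the warn tier the text recommends for low-risk matches; only the referral, with two high-confidence identifiers headed outside the tenant, is blocked.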

Sustain and improve

Keep rules aligned to evolving workflows. Pair DLP with labels and sharing restrictions so sensitive Drive content remains protected throughout its lifecycle.

Conclusion

Google Workspace HIPAA compliance requires a signed BAA, clear service scoping, strong Role-Based Access Controls, enforced Multi-Factor Authentication, sound Encryption Standards, disciplined service restrictions, rigorous logging with ongoing reviews, and tuned Data Loss Prevention Rules. Treat this as a living program: verify coverage, train people, monitor continuously, and iterate policies to keep PHI safe.

FAQs

What is a Business Associate Agreement for Google Workspace?

A Business Associate Agreement is a HIPAA-required contract that permits Google to process PHI on your behalf under defined safeguards. It allocates responsibilities between you and Google, specifies breach notification expectations, and lists the Workspace services that are in scope for PHI.

How do I enable multi-factor authentication in Google Workspace?

In the Admin console, go to Security > Authentication > 2-Step Verification, turn it on for your organization, set an enforcement date, and choose allowed factors (prefer security keys or device prompts). Enroll admins and PHI users first, then require MFA for all accounts.

Which Google Workspace services are HIPAA compliant?

Only the services explicitly listed in your executed BAA are considered covered. Common examples include core communication and collaboration apps, but you must confirm coverage in your Admin console and documentation and treat anything not listed as out of scope for PHI.

How can I audit access to PHI in Google Workspace?

Use Admin audit logs, Drive audit logs, Gmail log search, and your alert center or SIEM to track admin actions, logins, file access, sharing changes, and message flow. Set review cadences, export logs for correlation, and retain communications with Vault to support audit and investigative needs.
