HIPAA Compliance for Google Workspace: Is It Compliant and How to Set It Up (BAA, Security Settings)


Kevin Henry

HIPAA

March 03, 2026

8 minute read

Overview of HIPAA Compliance in Google Workspace

Google Workspace can support HIPAA requirements when you execute the Business Associate Addendum (BAA), restrict Protected Health Information (PHI) to covered services, and configure appropriate technical and administrative safeguards. Google acts as a Business Associate under the BAA, but you remain responsible for how PHI is created, stored, shared, and retained.

Effective compliance in Workspace rests on four pillars: signing the BAA in your Legal & Compliance Settings, using only covered services for PHI, enabling security controls like Multi-Factor Authentication (MFA), Data Loss Prevention (DLP), Audit Logs, and Retention Policies, and continuously training staff with documented procedures and oversight.

Before migrating PHI, complete a risk analysis, map PHI data flows, define allowed/blocked services, and decide on data regions and retention. Then operationalize monitoring with alerting and periodic audits so your safeguards keep pace with organizational change.

Covered Google Workspace Services under BAA

The BAA applies only to specific Google Workspace Core Services. Check Google's current HIPAA Included Functionality list for your edition before relying on any service, then limit PHI to the following commonly covered services:

  • Gmail (email and attachments, with transport security and optional S/MIME)
  • Google Calendar
  • Google Drive and Shared Drives
  • Google Docs, Sheets, Slides, and Forms
  • Google Sites
  • Google Keep
  • Google Chat (direct messages and Spaces)
  • Google Meet (video meetings and recordings stored in Drive)
  • Google Vault for eDiscovery, Legal Holds, and Retention Policies

Admin tools such as the Admin console, Alert Center, and Audit Logs support compliance operations and should be used to monitor PHI-related activity and enforce policy.


Excluded Services from HIPAA Coverage

Do not store or transmit PHI in Google services that are not covered by the Workspace BAA. Common examples include:

  • Google Photos and YouTube (including live streams and comments)
  • Google Analytics and Google Ads
  • Google Maps, Google Translate, and Google Earth
  • Blogger and other “Additional Google services” not designated as covered
  • Consumer Google accounts and personal drives outside your managed domain
  • Third‑party Marketplace add‑ons or integrations unless you have a separate BAA with the vendor

Block access to excluded services where possible (in the Admin console, Apps > Additional Google services lets you turn off services that are not covered), and clearly instruct users that PHI must never be uploaded or shared in these applications.

Steps to Sign the Google BAA

Prerequisites

  • Use an eligible, paid Google Workspace edition and be a HIPAA Covered Entity or Business Associate.
  • Hold Super Admin privileges for the primary domain.
  • Decide which covered services you will permit for PHI and how you will enforce those choices.

How to accept the BAA

  1. Sign in to the Admin console as a Super Admin.
  2. Navigate to Account > Account settings > Legal & Compliance Settings.
  3. Under the additional terms, find the HIPAA Business Associate Amendment (Google's name for the BAA; it is also referred to as a Business Associate Addendum or Agreement) and select Review and Accept.
  4. Review the terms and answer the eligibility questions, confirming that your organization is a Covered Entity or Business Associate and acknowledging that the BAA covers only the designated services.
  5. Complete any organization or signatory details requested, then select Accept.
  6. Record proof of acceptance (the acceptance date and the accepting admin) and store it with your compliance documentation.

After acceptance

  • Publish an internal list of permitted services for PHI and block excluded ones.
  • Implement required security controls, Retention Policies in Vault, and monitoring via Audit Logs.
  • Update policies, train staff, and schedule periodic reviews to verify ongoing adherence.

Configuring Security Settings for HIPAA

Identity and access controls

  • Require Multi-Factor Authentication for all users and admins; prefer security keys or passkeys for privileged roles.
  • Apply least-privilege Admin roles and enable login challenge prompts and session length controls.
  • Use context-aware access (available in Enterprise and some other editions) to restrict PHI access by device posture, IP range, and user risk.

Email and messaging protections

  • TLS in Gmail is opportunistic by default, so use the Secure transport (TLS) compliance setting to require TLS for the domains you exchange PHI with; mail that cannot be delivered over TLS is then bounced rather than sent in the clear.
  • Deploy hosted S/MIME for sensitive mail; require S/MIME for messages containing PHI where feasible. It only works with counterparties whose certificates you have exchanged, so pair it with TLS enforcement rather than relying on it alone.
  • Disable automatic external forwarding and legacy protocols you do not need; restrict IMAP/POP and third‑party mail clients.
  • Use Gmail compliance footers and routing rules to tag sensitivity and route exceptions to review.

Data controls and sharing

  • Restrict Drive external sharing; disallow “Anyone with the link,” require sign‑in, and limit sharing to trusted domains.
  • Use Shared Drives with tightly scoped roles; disable download/print/copy for PHI‑labeled files when possible.
  • Limit external Chat and Meet participation; require host controls, lobby, and recording safeguards.

Endpoint management

  • Enable device management for desktops and mobile; enforce screen lock, disk encryption, and OS update baselines.
  • Require work profiles on Android and managed Apple IDs or MDM profiles on iOS/iPadOS; enable remote wipe.
  • Disable unsanctioned sync clients and restrict local file caching for PHI where policy requires.

Monitoring, Audit Logs, and alerts

  • Continuously review Admin, Drive, Gmail, and Login Audit Logs for anomalous access and sharing.
  • Set Alert Center rules for suspicious sign‑ins, mass downloads, external sharing spikes, and DLP violations.
  • Export logs to your SIEM or BigQuery for correlation, retention, and investigation workflows; Workspace keeps audit data for a limited period (months, not years), so exporting is what lets you keep a record for as long as your documentation retention policy requires.
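To make the monitoring bullets concrete, here is an added example (not code from this article or from Google) that runs two detections over Drive audit events: visibility changes to link or public sharing, grants to accounts outside the trusted domains, and download bursts per user. It assumes the record shape the Admin SDK Reports API returns for the Drive application (id.time, actor.email, events[].name, events[].parameters[]); the sample events, the trusted domain, the threshold and the window are constructed assumptions to tune for your environment.

```python
"""Detect risky Drive sharing and download bursts in Workspace audit events.

Added example; not code from the original article or from Google. It assumes
records shaped like Admin SDK Reports API `activities.list` results for
applicationName=drive. The events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_DOMAINS = {"clinic.example"}   # assumption: your managed domain(s)
DOWNLOAD_THRESHOLD = 3                 # downloads inside one window that alert
WINDOW = timedelta(minutes=10)

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"id": {"time": "2026-03-03T14:00:05Z"}, "actor": {"email": "alice@clinic.example"},
     "events": [{"name": "change_document_visibility", "parameters": [
         {"name": "doc_title", "value": "intake-notes.docx"},
         {"name": "visibility", "value": "people_with_link"}]}]},
    {"id": {"time": "2026-03-03T14:01:00Z"}, "actor": {"email": "bob@clinic.example"},
     "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_title", "value": "lab-results.pdf"},
         {"name": "target_user", "value": "partner@otherlab.example"},
         {"name": "new_value", "value": "can_view"}]}]},
    {"id": {"time": "2026-03-03T14:01:30Z"}, "actor": {"email": "bob@clinic.example"},
     "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_title", "value": "schedule.xlsx"},
         {"name": "target_user", "value": "carol@clinic.example"},
         {"name": "new_value", "value": "can_edit"}]}]},
] + [
    {"id": {"time": t}, "actor": {"email": "dave@clinic.example"},
     "events": [{"name": "download", "parameters": [
         {"name": "doc_title", "value": f"chart-{i}.pdf"}]}]}
    for i, t in enumerate(["2026-03-03T14:05:00Z", "2026-03-03T14:05:20Z",
                           "2026-03-03T14:06:10Z", "2026-03-03T14:07:00Z"])
] + [
    {"id": {"time": "2026-03-03T15:30:00Z"}, "actor": {"email": "alice@clinic.example"},
     "events": [{"name": "download", "parameters": [
         {"name": "doc_title", "value": "policy.pdf"}]}]},
]


def _params(event):
    """Flatten a Reports API parameter list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS


def _ts(record):
    return datetime.fromisoformat(record["id"]["time"].replace("Z", "+00:00"))


def find_risky_sharing(records):
    """Flag link/public visibility and grants to accounts outside trusted domains."""
    findings = []
    for rec in records:
        actor = rec["actor"]["email"]
        for ev in rec["events"]:
            p = _params(ev)
            if ev["name"] == "change_document_visibility" and \
                    p.get("visibility") in ("people_with_link", "public_on_the_web"):
                findings.append({"rule": "link_sharing", "actor": actor,
                                 "doc": p.get("doc_title"), "detail": p["visibility"]})
            elif ev["name"] == "change_user_access" and p.get("target_user") \
                    and _is_external(p["target_user"]):
                findings.append({"rule": "external_share", "actor": actor,
                                 "doc": p.get("doc_title"), "detail": p["target_user"]})
    return findings


def find_mass_downloads(records, threshold=DOWNLOAD_THRESHOLD, window=WINDOW):
    """Flag any actor with >= threshold downloads inside a sliding time window."""
    stamps = defaultdict(list)
    for rec in records:
        if any(ev["name"] == "download" for ev in rec["events"]):
            stamps[rec["actor"]["email"]].append(_ts(rec))
    findings = []
    for actor, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"rule": "mass_download", "actor": actor, "count": peak})
    return findings


def triage(records):
    """Combined findings list; feed these to your alerting or SIEM pipeline."""
    return find_risky_sharing(records) + find_mass_downloads(records)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)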

Data regions and Retention Policies

  • Optionally set data regions (for example, United States) to meet organizational data residency needs.
  • Use Google Vault to define Retention Policies for PHI across Gmail, Drive, Chat, and Meet recordings.
  • Apply Legal Holds for investigations and maintain defensible, well-documented retention schedules.

Third‑party apps and add‑ons

  • Use OAuth app access control to allow only vetted apps; block unverified or unnecessary scopes.
  • Require separate BAAs with any third‑party handling PHI and review their security attestations.

Implementing Data Loss Prevention Policies

Plan and discovery

  • Inventory PHI types (e.g., medical record numbers, claim numbers, NPI, diagnosis/procedure codes) and target flows at risk.
  • Define actions by severity: warn, quarantine, block, or encrypt; start in “audit only” to tune for false positives.

Gmail DLP

  • Create outbound rules that scan messages to external recipients for PHI indicators.
  • Pair DLP actions (warn the sender, quarantine for review, or block with user guidance) with Gmail compliance rules that require secure transport for matching messages; enforce S/MIME through Gmail's enhanced encryption rules only for counterparties that can receive it.

Drive DLP

  • Detect PHI in Drive and Shared Drives using predefined detectors and custom detectors (regular expressions, word lists, and Exact Data Match where your edition offers it).
  • Block external sharing of matched files, warn users before they share, or restrict download, print, and copy for viewers and commenters where the rule supports it.
  • Use labels or classifications (e.g., “PHI”) to drive conditional sharing and endpoint restrictions.
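As an added example covering the planning, Gmail DLP and Drive DLP points above (not the article's or Google's code; Workspace DLP rules themselves are configured in the Admin console), the script below models the two things worth getting right before you enable enforcement: detector logic with validation that removes false positives, and an action policy that starts at audit for weak matches. The MRN format and the sample messages are constructed assumptions; the NPI check uses the published Luhn check-digit rule with the 80840 prefix, which is why a random ten-digit number is not reported as an NPI.

```python
"""PHI indicator detector with validation, for tuning DLP rules.

Added example; not code from the original article or from Google. Assumptions:
the MRN format ("MRN" followed by seven digits) is hypothetical, and the
external/internal flag stands in for the rule's recipient condition.
"""
import re

# Direct patient identifiers. SSN pattern excludes area 000/666/9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN[-: ]?\d{7}\b", re.I)          # hypothetical MRN format
# Ten-digit candidates are only reported as NPI if the Luhn check digit holds.
NPI_RE = re.compile(r"\b\d{10}\b")
# ICD-10-CM shape (letter, two digits, optional .1-4 alphanumerics), e.g. E11.9.
# This shape also matches room numbers like "A12", so it is a weak signal on its own.
ICD10_RE = re.compile(r"\b[A-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b")

SEVERITY = {"ssn": "high", "mrn": "high", "npi": "medium", "icd10": "low"}


def luhn_ok(digits):
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_valid_npi(candidate):
    """NPI check digit is a Luhn digit computed over the prefix 80840 + NPI."""
    return len(candidate) == 10 and candidate.isdigit() and luhn_ok("80840" + candidate)


def scan(text):
    """Return (kind, match) pairs; invalid NPI candidates are dropped here."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("mrn", m.group()) for m in MRN_RE.finditer(text)]
    findings += [("npi", m.group()) for m in NPI_RE.finditer(text) if is_valid_npi(m.group())]
    findings += [("icd10", m.group()) for m in ICD10_RE.finditer(text)]
    return findings


def decide(findings, external_recipient, mode="enforce"):
    """Map findings to a DLP action. 'audit' mode logs without affecting delivery."""
    if not findings:
        return "allow"
    if mode == "audit":
        return "audit"
    levels = {SEVERITY[kind] for kind, _ in findings}
    kinds = {kind for kind, _ in findings}
    if external_recipient:
        if "high" in levels:
            return "block"
        if "medium" in levels or len(kinds) >= 2:
            return "quarantine"   # hold for a reviewer; sender gets guidance
        return "audit"            # low-signal match only: log it for tuning
    return "warn" if "high" in levels else "audit"


def evaluate(text, external_recipient, mode="enforce"):
    findings = scan(text)
    return {"findings": findings, "action": decide(findings, external_recipient, mode)}


# Constructed sample messages (not real data): (text, recipient is external).
SAMPLES = [
    ("Patient MRN-4471923, dx E11.9; referring provider NPI 1234567893.", True),
    ("Room A12 booking moved; PO 1234567890 attached.", True),
    ("Please update SSN 123-45-6789 on the intake form.", False),
]

if __name__ == "__main__":
    for text, external in SAMPLES:
        print(evaluate(text, external))
```

The second sample is the false-positive case the planning bullets warn about: "A12" has the ICD-10 shape and "1234567890" has the NPI length, but only the weak ICD match survives, so the message is logged for tuning rather than blocked. Run the policy with mode="audit" first and promote to enforcement once the audit log shows the detectors are hitting real PHI.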

Chat and Meet safeguards

  • Apply DLP to Chat messages and attachments; restrict external Chat where PHI is involved.
  • Control Meet recordings: limit who can record, store only in managed Drive, and apply Vault retention.

Endpoint DLP (Chrome)

  • Restrict copy/paste, printing, screenshots, and saving to USB or personal storage for PHI‑labeled content.
  • Surface user just‑in‑time prompts to reduce accidental exfiltration and improve awareness.

Operations and reporting

  • Route DLP incidents to a defined response team; document triage, remediation, and user coaching steps.
  • Track metrics such as incident volume, mean time to resolution, and recurrence to guide improvements.

Staff Training and Awareness Programs

Core topics for all users

  • What counts as Protected Health Information (PHI) and exactly where PHI may be stored or shared in Google Workspace.
  • How to send PHI securely in Gmail (TLS/S/MIME), use Drive sharing safely, and recognize phishing.
  • Prohibited tools for PHI (e.g., Google Photos, YouTube) and how to report suspected disclosures.

Role‑based training

  • Clinicians and staff: minimum necessary access, recipient verification, and secure collaboration practices.
  • Admins: configuration baselines, Audit Logs, DLP tuning, Retention Policies, and Legal & Compliance Settings.

Reinforcement and accountability

  • Maintain policy acknowledgments, completion records, and periodic refreshers.
  • Run simulated phishing and targeted micro‑learnings based on recurring incident patterns.

Conclusion

HIPAA in Google Workspace hinges on three things: a signed Business Associate Addendum, disciplined use of covered services, and well‑tuned safeguards spanning MFA, DLP, Audit Logs, and Retention Policies. Pair these controls with clear policies and recurring training, and you can confidently manage PHI in Workspace.

FAQs

Which Google Workspace services are covered under the HIPAA BAA?

The BAA generally covers Core Services such as Gmail, Calendar, Drive and Shared Drives, Docs, Sheets, Slides, Forms, Sites, Keep, Google Chat, Google Meet, and Google Vault. Always confirm coverage for your specific edition in the Admin console and limit PHI to those services only.

How do I sign the Business Associate Addendum with Google?

Sign in as a Super Admin and go to Account > Account settings > Legal & Compliance Settings. Find the HIPAA Business Associate Amendment (Google's name for the BAA), select Review and Accept, review the terms, answer the eligibility questions, and select Accept. Save proof of acceptance with your compliance records.

What security settings are necessary for HIPAA compliance?

At minimum, enforce Multi-Factor Authentication, least‑privilege admin roles, TLS and S/MIME for sensitive email, strict Drive sharing controls, device management with encryption, DLP for Gmail/Drive/Chat, continuous monitoring via Audit Logs and alerts, and Retention Policies in Google Vault.

Can Google Photos or YouTube be used for PHI?

No. Google Photos and YouTube are not covered by the Workspace BAA. Do not upload, store, or share PHI in these services; block or restrict access and train users to keep PHI within covered Google Workspace services.
