How to Make Google Workspace HIPAA Compliant: BAA, Settings, and Best Practices
Making Google Workspace HIPAA compliant is a structured, repeatable process. You combine the right subscription, a signed Business Associate Agreement, disciplined configuration, and ongoing oversight to safeguard Protected Health Information (PHI).
This guide walks you step by step—from plan selection and BAA execution to security hardening, Compliance Training, monitoring Audit Logs, and building effective Data Loss Prevention (DLP) controls—so you can meet HIPAA’s administrative, physical, and technical safeguard requirements.
Select Eligible Google Workspace Plan
Start by choosing a Google Workspace edition that supports a HIPAA Business Associate Agreement and provides the controls you need. Practically, you want features such as Vault (for legal hold and retention), advanced Audit Logs, context-aware access, endpoint management, and native DLP.
- Confirm that your edition allows signing a Business Associate Agreement and covers the core services you plan to use with PHI.
- Prioritize editions that include Vault, granular Access Controls, advanced sharing restrictions, and alerting/investigation tools.
- Assess native security features you’ll rely on: Multi-Factor Authentication (MFA), client-side encryption options, S/MIME, context-aware access, and device posture checks.
- Plan for scale: ensure APIs, BigQuery export, or SIEM integration are available if you need centralized logging or analytics.
- Create separate organizational units (OUs) or groups for workforces that handle PHI versus those that do not; you’ll apply tighter policies to PHI OUs.
Sign Business Associate Agreement
A signed Business Associate Agreement (BAA) with Google is mandatory before storing or transmitting PHI in Workspace. The BAA defines each party’s responsibilities and lists the “HIPAA included functionality” for covered services.
- Have a super admin review and accept the HIPAA BAA in the Admin console (under your account’s legal or compliance terms area).
- Document the date, who accepted, and the domains and services in scope; retain a copy with your compliance records.
- Limit PHI to services explicitly covered by the BAA; treat all other services as non-compliant and disable them for PHI users.
- Map BAA obligations to your HIPAA policies: breach notification contacts, subcontractor flow-downs, and access request processes.
Disable Unsupported Services
Google's BAA covers only the services it explicitly identifies; PHI placed in any other service falls outside that coverage. To prevent inadvertent exposure, disable any unsupported or non-covered services for users and OUs that handle PHI.
- Turn off Additional Google services not covered by the BAA (for example, consumer-focused products like YouTube, Maps, or Photos) for your PHI-handling OUs.
- Disable unvetted Marketplace add-ons and extensions; only allow third-party apps that have been contractually vetted and restricted via Access Controls.
- Review emerging features (especially AI/experimental capabilities) and keep them off unless they’re explicitly designated for HIPAA use.
- Block personal Google account sign-ins on managed devices to reduce the risk of data crossing into non-enterprise contexts.
Configure Security Settings
With eligible services enabled, harden your environment using layered Access Controls. Aim for strong identity assurance, least-privilege permissions, secure communications, and tight sharing boundaries.
Identity and Access Controls
- Enforce Multi-Factor Authentication for all users, with phishing-resistant methods for admins and high-risk roles.
- Use context-aware access to restrict by device posture, network, and geolocation; block legacy protocols and less secure app access.
- Apply least privilege: assign granular admin roles, use security groups for entitlements, and regularly review privileged access.
- Require strong passwords, enable login challenge protections, and auto-revoke sessions on risk signals.
Email and Communication Security
- Require TLS for mail transport; enable S/MIME where feasible for message-level protection.
- Disable external auto-forwarding; tightly control IMAP/POP and third-party mail clients.
- Apply content compliance rules to flag PHI patterns and display warnings before external sends.
- For Chat and Meet, restrict external communications for PHI users and control recording/retention settings.
Drive and File Controls
- Set default internal-only sharing for PHI OUs; allow external sharing only by exception and to allow-listed domains.
- Disable public links; require sign-in to view; prevent download/print/copy for sensitive files using information rights controls.
- Use Drive labels/classification to mark PHI content and trigger conditional Access Controls and DLP rules.
- Enable client-side encryption where appropriate for heightened confidentiality needs.
Devices and Endpoints
- Turn on endpoint management; require disk encryption, strong screen locks, OS version minimums, and remote wipe.
- Require managed browsers or profiles; block unmanaged devices from accessing PHI OUs via context-aware access.
- Audit mobile app usage; restrict copy/paste and offline access for highly sensitive data if business workflows allow.
Retention, eDiscovery, and Privacy
- Configure Vault retention for PHI-bearing services; apply legal holds as needed and define defensible retention schedules.
- Use data regions if required by your policy; document where PHI resides.
- Minimize data by default: purge transient data where feasible and limit long-lived archives to what policy requires.
Train Staff on HIPAA Compliance
Technology alone won’t keep PHI safe. Deliver role-based Compliance Training that teaches people how to handle PHI correctly in Gmail, Drive, Chat, and Meet—and how to react to potential incidents.
- Explain what counts as Protected Health Information and the “minimum necessary” standard for use and disclosure.
- Demonstrate safe sharing in Drive (no public links, verify recipients, label files) and secure email behaviors (no auto-forwarding, double-check external recipients).
- Coach staff to spot phishing and social engineering; provide one-click reporting and clear escalation paths.
- Clarify which services are approved for PHI and which are not; emphasize consequences of using unsupported apps.
- Track completion, maintain training records, and refresh at least annually or when major features/policies change.
Monitor Account Activity
Continuous monitoring shows whether your controls work and helps you respond quickly. Use Audit Logs, alerts, and investigation tools to detect risky behavior, anomalous access, and potential data leakage.
- Enable and regularly review Audit Logs for admin actions, logins, email, Drive, and device events; export to your SIEM for correlation.
- Set alerts for suspicious logins, excessive file sharing, DLP violations, bulk downloads, and privilege changes.
- Use the investigation tool (where available) to pivot on user, file, or event and rapidly contain incidents.
- Schedule periodic access reviews for privileged roles and sensitive shared drives; remediate overexposure.
- Test your incident response runbooks with tabletop exercises focused on PHI scenarios.
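A small triage script for the alert conditions listed above (suspicious logins, link-sharing changes, bulk downloads, privilege changes). This is an added example, not Google's investigation tool; the records are constructed to resemble a flattened Admin SDK Reports API activity record, and the event and parameter names (`is_suspicious`, `change_document_visibility`, `ASSIGN_ROLE`, `_SEED_ADMIN_ROLE`) are assumptions to verify against the current audit log documentation before wiring this to a SIEM.

```python
from collections import Counter

# Constructed sample events, flattened from the Reports API activity shape
# (applicationName -> app, actor.email -> actor, events[].name -> name,
# events[].parameters -> params). Values are made up for this example.
SAMPLE_EVENTS = [
    {"app": "login", "actor": "alice@example-clinic.test", "time": "2024-05-01T08:02:00Z",
     "name": "login_success", "params": {"is_suspicious": "true"}},
    {"app": "drive", "actor": "bob@example-clinic.test", "time": "2024-05-01T09:10:00Z",
     "name": "change_document_visibility",
     "params": {"doc_title": "intake-forms.xlsx", "visibility": "people_with_link"}},
    *[{"app": "drive", "actor": "carol@example-clinic.test", "time": f"2024-05-01T10:{i:02d}:00Z",
       "name": "download", "params": {"doc_title": f"chart-{i}.pdf"}} for i in range(25)],
    {"app": "admin", "actor": "dave@example-clinic.test", "time": "2024-05-01T11:00:00Z",
     "name": "ASSIGN_ROLE",
     "params": {"ROLE_NAME": "_SEED_ADMIN_ROLE", "USER_EMAIL": "eve@example-clinic.test"}},
]

BULK_DOWNLOAD_THRESHOLD = 20  # downloads per actor in the reviewed window (assumed tuning value)
# Visibility values that expose a file beyond explicitly named internal users.
EXPOSED_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}

def triage(events, bulk_threshold=BULK_DOWNLOAD_THRESHOLD):
    """Return (severity, actor, reason) findings for the alert conditions above."""
    findings = []
    downloads = Counter()
    for ev in events:
        p = ev["params"]
        if ev["app"] == "login" and p.get("is_suspicious") == "true":
            findings.append(("high", ev["actor"], "suspicious login flagged by Google"))
        elif (ev["app"] == "drive" and ev["name"] == "change_document_visibility"
              and p.get("visibility") in EXPOSED_VISIBILITY):
            findings.append(("high", ev["actor"], f"{p['doc_title']} made {p['visibility']}"))
        elif ev["app"] == "drive" and ev["name"] == "download":
            downloads[ev["actor"]] += 1  # count per actor, decide after the pass
        elif ev["app"] == "admin" and ev["name"] == "ASSIGN_ROLE":
            findings.append(("medium", ev["actor"],
                             f"granted {p['ROLE_NAME']} to {p['USER_EMAIL']}"))
    for actor, n in downloads.items():
        if n >= bulk_threshold:
            findings.append(("high", actor, f"bulk download: {n} files"))
    return findings

if __name__ == "__main__":
    for sev, actor, reason in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {actor}: {reason}")
```

Feed real exports through the same function once you have confirmed the field names for your edition; the thresholds are starting points to tune against your baseline.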
Implement Data Loss Prevention Rules
DLP is your safety net for PHI. Build targeted rules for Gmail, Drive, and Chat that detect identifiers and high-risk patterns, apply just-in-time coaching, and block or quarantine when policy demands.
DLP for Gmail
- Detect PHI identifiers (names + DOB, medical record numbers, claim IDs) and display context-aware warnings before external sends.
- Quarantine or reject high-risk messages; require justification and manager approval for edge cases.
- Strip or encrypt sensitive attachments automatically; block external auto-forwarding for PHI OUs.
- Use sender-aware policies: stricter enforcement for service accounts and shared mailboxes.
DLP for Drive and Chat
- Apply Drive DLP to prevent external sharing of PHI files; auto-change link settings to internal-only when PHI is detected.
- Combine labels with DLP: mark documents as “PHI” to trigger stronger sharing and download restrictions.
- Monitor large downloads, file ownership transfers, and external domain shares; alert on abnormalities.
- Use Chat DLP to block posting of PHI in public spaces and external rooms; route violations to security for review.
Tuning and Exception Handling
- Start in audit-only mode to measure false positives; iterate on custom detectors for local ID formats and medical terminology.
- Allow-list trusted partners and secure channels where contracts exist; log and periodically recertify all exceptions.
- Pair DLP events with user coaching to reduce repeat violations and reinforce policy intent.
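The decision logic behind the Gmail DLP rules and the tuning advice above (PHI detectors, partner allow-list, audit-only mode), as an added example rather than Google's DLP engine. The detector patterns (`MRN-######`, `CLM-########`, a "Patient:" line followed by a DOB) and the domains are constructed placeholders standing in for your local identifier formats and contracted partners.

```python
import re
from dataclasses import dataclass

# Constructed detectors standing in for custom DLP detectors; tune to local formats.
DETECTORS = {
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "claim_id": re.compile(r"\bCLM-\d{8}\b"),
    # Name + DOB combination: a "Patient:" line with a date of birth nearby.
    "name_dob": re.compile(r"Patient:\s*[A-Z][a-z]+ [A-Z][a-z]+.*?\bDOB:?\s*\d{2}/\d{2}/\d{4}", re.S),
}
INTERNAL_DOMAIN = "example-clinic.test"     # constructed
PARTNER_DOMAINS = {"partner-lab.test"}      # constructed: partners with a signed BAA

@dataclass
class Decision:
    action: str        # "allow", "warn", "block", or "audit"
    matches: list      # detector names that fired

def domain(addr):
    return addr.rpartition("@")[2].lower()

def evaluate(message, audit_only=False):
    """Decide what to do with an outbound message: log only while tuning,
    allow internal mail, warn on allow-listed partners, block everything else."""
    matches = [name for name, rx in DETECTORS.items() if rx.search(message["body"])]
    if not matches:
        return Decision("allow", matches)
    if audit_only:
        return Decision("audit", matches)   # record the hit, never enforce, to measure false positives
    external = [r for r in message["to"] if domain(r) != INTERNAL_DOMAIN]
    if not external:
        return Decision("allow", matches)
    if any(domain(r) not in PARTNER_DOMAINS for r in external):
        return Decision("block", matches)   # quarantine: recipient outside every contracted channel
    return Decision("warn", matches)        # contracted partner: just-in-time warning, then send

# Constructed sample messages.
INTERNAL_MSG = {"to": ["nurse@example-clinic.test"], "body": "Please review MRN-0012345 before rounds."}
PARTNER_MSG = {"to": ["intake@partner-lab.test"], "body": "Specimen for claim CLM-20240501."}
LEAK_MSG = {"to": ["someone@gmail.com"], "body": "Patient: Jane Doe\nDOB: 03/14/1980\nSSN 123-45-6789"}
CLEAN_MSG = {"to": ["someone@gmail.com"], "body": "Running ten minutes late for the meeting."}
```

Run the ruleset with `audit_only=True` first, compare the logged matches against reviewed samples, and only then switch enforcement on.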
Conclusion
HIPAA readiness in Google Workspace rests on seven pillars: an eligible plan, a signed BAA, tight Access Controls, secure configurations, strong Compliance Training, vigilant monitoring of Audit Logs, and thoughtful DLP. Treat these as an ongoing program, not a one-time project, and you’ll keep PHI protected while enabling efficient collaboration.
FAQs
What Google Workspace plans are eligible for HIPAA compliance?
Any plan that permits executing Google’s HIPAA Business Associate Agreement and supports required safeguards can be used. In practice, organizations commonly choose Business Plus or Enterprise editions because they include Vault, advanced Audit Logs, DLP, and investigation tools needed to meet HIPAA’s technical and administrative safeguards. Always verify current eligibility and features in your Admin console or with Google before enabling PHI.
How do you sign a HIPAA BAA with Google?
A super admin reviews and accepts the HIPAA Business Associate Amendment in the Admin console’s legal/compliance section. Confirm your organization’s covered-entity or business-associate status, identify the domains in scope, and accept the terms. Save the executed BAA, record the acceptance details, and restrict PHI to services listed as covered in the BAA.
Which Google services are excluded from HIPAA coverage?
Any service not explicitly listed as covered in the BAA is excluded. That typically includes consumer-focused offerings (for example, YouTube, Maps, Photos), unvetted Marketplace apps or extensions, and experimental or AI features not designated as HIPAA-enabled. Disable these for PHI users and route all PHI only through covered services and approved workflows.
What are the key security settings to configure for HIPAA compliance?
Enforce Multi-Factor Authentication, least-privilege admin roles, and context-aware access; require TLS and consider S/MIME for email; disable external auto-forwarding and legacy protocols; lock down Drive sharing with internal defaults and labels; turn on endpoint management with encryption and remote wipe; configure Vault retention and legal holds; export and review Audit Logs; and implement DLP for Gmail, Drive, and Chat with just-in-time coaching and quarantine for violations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.