Is Firebase HIPAA Compliant? BAA, Covered Services, and How to Use It Safely
Firebase HIPAA Compliance Status
Strictly speaking, “Firebase” as a brand is not itself a certified HIPAA platform. HIPAA compliance on Google’s cloud is a shared-responsibility model and is available only when you use Google Cloud’s Covered Services under a signed Business Associate Agreement (BAA) and configure them correctly. In practice, some Firebase-accessible capabilities map to HIPAA‑eligible Google Cloud products, while many others do not and therefore must not handle Protected Health Information (PHI) or Electronic PHI (ePHI). ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
As of May 20, 2026, Google’s official “HIPAA Compliance on Google Cloud” page lists the Covered Products under the Google Cloud BAA; that list includes Identity Platform (for authentication), Firestore (database), and Cloud Storage (storage). Features branded purely as “Firebase” that are not present on that Covered Products list should be considered not HIPAA‑eligible and kept away from PHI. Always check the current Covered Products list before you deploy. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Google Cloud Platform HIPAA Compliance
Google will enter into a HIPAA BAA with customers and supports HIPAA requirements on its infrastructure when you confine PHI to the official “Covered Products.” The BAA itself states it applies only to those Covered Services; using any non‑covered feature with PHI is out of scope. There is no formal HHS “HIPAA certification”; compliance is achieved by using covered services properly and meeting the Security, Privacy, and Breach Notification Rules. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?utm_source=openai))
Google’s guidance also emphasizes core controls you must implement on your side: disable or avoid non‑covered products for PHI, enforce access through IAM, and enable comprehensive audit logging and retention. These are foundational to demonstrating compliance and to proving that you have effective audit controls. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Firebase Services and PHI
Authentication
For apps that will handle PHI, use Identity Platform (a Covered Product) instead of plain Firebase Authentication. Identity Platform supports HIPAA when used under a signed BAA and with appropriate configuration (for example, avoid storing PHI in user profile attributes or custom claims). ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa/identity-platform))
Databases
Use Firestore for PHI only after executing the BAA and implementing data minimization, role‑based access, network controls, and logging. Firestore supports default encryption at rest and also offers customer‑managed encryption keys (CMEK) via Cloud KMS when you need to control keys for compliance. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
File storage
Use Cloud Storage (the underlying store for “Cloud Storage for Firebase”) for files that include PHI, with server‑side encryption, bucket‑level IAM, retention, versioning, and access logging enabled. Treat the Firebase console conveniences as a control plane for the underlying Covered Product and keep PHI strictly within the covered storage buckets. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Services to avoid for PHI
Because HIPAA coverage is limited to the official Covered Products list, Firebase features that do not appear on that list (for example, Analytics, Crashlytics, Predictions, In‑App Messaging, Remote Config, A/B Testing, Realtime Database, Firebase Hosting, and similar) are not HIPAA‑eligible and must not collect, process, or store PHI. This conclusion follows directly from Google’s policy that only Covered Products are in scope of the BAA. Always verify against the current list. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Eventing, compute, and APIs
When you need backend logic, select compute or integration services that are explicitly listed as Covered Products (for example, App Engine) and ensure they run in a hardened project with VPC egress control, secrets in Secret Manager, and audit logging. If a given serverless or integration service is not listed as covered at the time you deploy, do not send PHI to it. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Agreements
Before any PHI touches Google Cloud, you must execute Google’s HIPAA BAA and limit PHI strictly to the Covered Services named there. The BAA document itself defines “Covered Services” and makes clear the agreement applies only to those services, not to every feature bearing the Firebase brand. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?utm_source=openai))
This mirrors federal guidance: HHS states that covered entities and business associates may use cloud services to store or process ePHI only if they have a HIPAA‑compliant business associate contract in place and otherwise comply with the Rules. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2075/may-a-hipaa-covered-entity-or-business-associate-use-cloud-service-to-store-or-process-ephi/index.html?utm_source=openai))
HIPAA Compliance Requirements for Cloud Services
Access control and minimum necessary
Implement role‑based access (IAM) and least‑privilege service accounts. Segment projects and environments, and never place PHI in places visible to broad audiences (for example, metadata, labels, bucket names, image filenames). Enforce the minimum necessary principle for all workflows. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Audit controls and logging
Enable and retain Cloud Audit Logs for all Covered Products that touch PHI. Export Admin and Data Access logs to BigQuery/Cloud Storage to support investigations, compliance reporting, and retention policies. Document your log review cadence. These controls demonstrate effective audit controls for HIPAA. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Data encryption and key management
All customer content on Google Cloud is encrypted at rest by default; for stricter assurance or jurisdictional needs, evaluate CMEK for services that support it (for example, Firestore with Cloud KMS). Ensure TLS everywhere and prohibit PHI in URLs, query strings, and logs. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Data lifecycle and resilience
Define retention and deletion for PHI, enable versioning where appropriate, and verify disaster‑recovery expectations. Use Secret Manager for credentials and rotate keys. Validate backups and restores without exposing PHI to non‑covered services. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
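The audit-logging, CMEK and bucket-hardening controls described above, expressed as Terraform for the Google provider (an added example, not code from Google or the page's author). It assumes the BAA is already signed, the provider is configured for the project, and that the project id, region and bucket names are placeholders to replace; exporting the audit logs to a retention bucket or BigQuery via a log sink is a separate step not shown here.

```hcl
# Added example (not Google's or the page's code). Assumes a signed BAA;
# project id, region and bucket names are placeholders.
data "google_project" "this" {}

# CMEK for the PHI bucket, rotated every 90 days (rotation_period is in seconds).
resource "google_kms_key_ring" "phi" {
  name     = "phi-keyring"
  location = "us-central1"
}
resource "google_kms_crypto_key" "phi" {
  name            = "phi-bucket-key"
  key_ring        = google_kms_key_ring.phi.id
  rotation_period = "7776000s"
}
# The Cloud Storage service agent must be able to use the key before CMEK is set.
data "google_storage_project_service_account" "gcs" {}
resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.phi.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

# PHI bucket: bucket-level IAM only, no public access, versioning, retention, CMEK.
resource "google_storage_bucket" "phi" {
  name                        = "example-phi-files" # placeholder
  location                    = "US-CENTRAL1"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
  versioning { enabled = true }
  retention_policy { retention_period = 15552000 } # 180 days, in seconds
  encryption { default_kms_key_name = google_kms_crypto_key.phi.id }
  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}

# Data Access audit logs are off by default; enable them project-wide so that
# every read and write of PHI in covered services is recorded.
resource "google_project_iam_audit_config" "all" {
  project = data.google_project.this.project_id
  service = "allServices"
  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}
```

Data Access logs for `allServices` can be high-volume; if cost matters, scope `service` to the covered products that actually hold PHI rather than turning them off.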
Configuration hygiene
Disable or avoid any non‑covered or pre‑GA offerings for PHI, and validate every deployed service against the current Covered Products list before promotion to production. Keep a living data‑flow diagram that proves PHI stays within covered boundaries. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
Alternatives for HIPAA-Compliant Services
If your stack does not need Firebase’s SDK layer, you can build directly on Google Cloud’s Covered Products (for example, Identity Platform + Firestore + Cloud Storage + App Engine) under a signed BAA. If you prefer another cloud, major providers also offer BAAs and HIPAA‑eligible services; evaluate them against the same control set: BAA coverage, audit controls, access control, encryption, and data‑lifecycle features. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?utm_source=openai))
Key takeaways
- Ask not “Is Firebase HIPAA compliant?” but “Do my components map to Google Cloud’s Covered Products and run under a signed BAA?”
- Limit PHI to Identity Platform, Firestore, Cloud Storage, and other officially covered services; exclude all non‑covered Firebase features from PHI flows.
- Prove compliance through configuration: access control, encryption (optionally with CMEK), comprehensive audit logs, and a documented data lifecycle.
FAQs
What makes a service HIPAA compliant?
Under HIPAA, no vendor holds a generic “certificate.” A service is usable with PHI when (1) your organization signs a HIPAA‑compliant BAA with the provider, (2) the specific features you use are on the provider’s Covered Services list, and (3) you implement required controls (for example, access control, audit controls, encryption, and data‑lifecycle management). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2075/may-a-hipaa-covered-entity-or-business-associate-use-cloud-service-to-store-or-process-ephi/index.html?utm_source=openai))
Can Firebase sign a Business Associate Agreement?
You sign the HIPAA BAA with Google (Google Cloud). The BAA applies only to the provider’s Covered Services, not to every Firebase‑branded feature. Therefore, you must keep PHI strictly within those Covered Products. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?utm_source=openai))
Which Firebase services are not HIPAA eligible?
Any feature that is not on Google’s official Covered Products list is out of scope. In practice, common Firebase conveniences such as Analytics, Crashlytics, Predictions, Remote Config, A/B Testing, In‑App Messaging, Realtime Database, and Firebase Hosting do not appear on that list and must not touch PHI; always confirm against the current list before use. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))
How can I safely handle PHI using Google Cloud?
Execute the HIPAA BAA, choose only Covered Products (for example, Identity Platform for auth, Firestore for data, Cloud Storage for files), enable audit logging and retention, enforce IAM and least privilege, keep PHI out of logs and metadata, and consider CMEK where required. Google’s HIPAA guidance and Identity Platform’s HIPAA guide detail these expectations. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa))