Is Google Cloud HIPAA Compliant? A Practical Guide to the BAA, Covered Services, and Configuration


Kevin Henry

HIPAA

April 09, 2026

Understanding Google Cloud HIPAA Compliance

Short answer: Google Cloud can support HIPAA-aligned workloads when you sign Google’s Business Associate Addendum (BAA), limit Protected Health Information (PHI) to Covered Services, and implement required compliance controls. HIPAA itself isn’t a certification you obtain from a vendor; it’s a shared responsibility between you and Google Cloud. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa-compliance?skip_cache=true))

Under the BAA, Google commits to safeguard ePHI on Covered Services and to provide breach and security incident notifications, while you remain responsible for configuring services, managing access, and operating your environment in line with the HIPAA Privacy, Security, and Breach Notification Rules. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?hl=fr))

Exploring Covered Google Cloud Services

“Covered Services” are the products explicitly listed by Google as in scope for HIPAA under the BAA; the list is maintained by Google and updated over time. Always verify service coverage (and any exclusions) before introducing PHI, and avoid using pre‑GA features with PHI. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa-compliance?skip_cache=true))

Coverage varies by product family. For example, Google SecOps (Chronicle) has a dedicated HIPAA page that spells out in‑scope capabilities and excluded features, while Google Cloud’s healthcare‑specific services (like the Cloud Healthcare API) provide PHI‑oriented capabilities such as de‑identification and customer‑managed encryption keys (CMEK). ([cloud.google.com](https://cloud.google.com/terms/secops/hipaacoveredservices))

If you also use Google Workspace or Cloud Identity, review their separate HIPAA “Included Functionality” list; only those apps and capabilities may handle PHI under the Workspace/Cloud Identity BAA. As of May 14, 2026, the Included Functionality list spans Gmail, Drive (Docs, Sheets, Slides, Forms, and Vids), Meet, Chat, Calendar, Vault (if applicable), Voice (managed users), Cloud Identity Management, Gemini in Workspace, and more. ([workspace.google.com](https://workspace.google.com/terms/2015/1/hipaa_functionality/))

Overview of the Business Associate Addendum

Google’s BAA is an addendum to your services agreement that applies only to PHI processed by Covered Services. It defines key terms (PHI, Covered Services), Google’s obligations (safeguards, incident/breach notifications, subcontractor controls, return/destruction), and your obligations (use service controls, apply appropriate safeguards, and avoid impermissible requests). It also references Google’s HIPAA Implementation Guide for configuration guidance. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?hl=fr))

The BAA makes clear that it does not cover services outside the Covered Services list or PHI handled via non‑covered products, third‑party apps, or pre‑GA features. You must ensure PHI stays within the in‑scope boundary your BAA establishes. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?hl=fr))

Customer Responsibilities for Compliance

HIPAA compliance on Google Cloud follows a shared model. Your core responsibilities include: signing the BAA, restricting PHI to Covered Services, configuring security controls, managing identities and access, and maintaining operational processes (risk analysis, workforce training, incident response, vendor oversight). ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa/resources/hipaa_compliance_guide_gcp.pdf))

Operationally, you should enable and regularly review audit logs, export them for retention and analysis, and avoid placing PHI in resource names or other metadata that could surface in logs. These practices are called out in Google’s HIPAA guidance. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa/resources/hipaa_compliance_guide_gcp.pdf))

Configuring Google Cloud for HIPAA

1) Establish governance and boundaries

  • Create a clear org/folder/project hierarchy for HIPAA‑aligned workloads; isolate projects that process PHI and apply organization policies to prevent the use of non‑covered or pre‑GA services in those projects. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa?hl=ja&utm_source=openai))
  • Consider Assured Workloads control packages such as the US Data Boundary for Healthcare & Life Sciences to constrain data movement and support residency/support restrictions. ([docs.cloud.google.com](https://docs.cloud.google.com/assured-workloads/docs/control-packages/us-data-boundary-healthcare-life-sciences?utm_source=openai))

2) Identity, access, and endpoints

  • Use Cloud Identity for centralized identity, enforce MFA, and adopt least‑privilege IAM. Lock down service accounts and keys; prefer short‑lived, keyless access patterns. ([cloud.google.com](https://cloud.google.com/security/compliance/workspace_cloud_identity_hipaa_implementation_guide_workspace_whitepaper))
  • Segment admin duties; monitor admin activity using Admin Activity and Data Access logs, and review on a schedule. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa/resources/hipaa_compliance_guide_gcp.pdf))

3) Network and data perimeter

  • Prefer private IP connectivity, restrict egress, and implement layered controls to reduce data exfiltration paths. Apply consistent firewall rules and consider Private Service Connect for service access patterns that avoid exposure. (General best practices)

4) Encryption and key management

  • All customer content is encrypted at rest by default; evaluate whether your policies require CMEK or External Key Management. For the Cloud Healthcare API, you can enable CMEK on datasets that store FHIR, HL7v2, and DICOM data. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa/resources/hipaa_compliance_guide_gcp.pdf))

5) Logging, monitoring, and evidence

  • Enable Cloud Audit Logs; export to Cloud Storage for long‑term retention and to BigQuery for analytics and investigations. Protect log sinks with appropriate IAM and avoid PHI in logs. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa/resources/hipaa_compliance_guide_gcp.pdf))

6) Data discovery and minimization

  • Use Sensitive Data Protection (Cloud DLP) to discover, classify, and, where appropriate, de‑identify PHI across BigQuery and storage systems. For clinical datasets, use the Cloud Healthcare API’s de‑identification features. ([docs.cloud.google.com](https://docs.cloud.google.com/sensitive-data-protection/docs?utm_source=openai))

7) Blueprinted deployments

  • Accelerate secure setup with Google’s Healthcare Data Protection Toolkit (“Data Protection Toolkit”) and its HIPAA‑aligned solution guide, which package reference architectures and Terraform/automation for controls like IAM, logging, and labeling. ([services.google.com](https://services.google.com/fh/files/misc/hipaa_technical_solution_guide.pdf))

These steps give you a defensible baseline. From there, layer in workload‑specific hardening (for example, GKE with Workload Identity and private clusters, or Cloud Run with VPC connectors) and document procedures for incident response and breach notification.
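As an added example (not Google's code and not part of the article), the following Python script reviews a Cloud Audit Log export against the baseline above: it flags callers outside a PHI-authorized allowlist, calls to services outside the project's own covered-service allowlist, and PHI-looking identifiers in resource names (the point raised in step 5). The project name, principals, allowlists, the `preview-ml.googleapis.com` service and every log entry are constructed placeholders; the entry shape follows the `protoPayload` / `AuditLog` layout of exported LogEntry records, and the service allowlist is not Google's Covered Services list.

```python
import json
import re

# Constructed allowlists; in practice derive them from the BAA's current Covered
# Services list and from your IAM access reviews.
COVERED_SERVICES = {"healthcare.googleapis.com", "storage.googleapis.com", "bigquery.googleapis.com"}
PHI_PRINCIPALS = {"clinical-etl@phi-prod.iam.gserviceaccount.com", "dr.rivera@example.com"}
PHI_TOKEN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\bmrn[-_]?\d+\b", re.I)  # SSN / MRN-like
AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

def review_entry(entry):
    """Return findings for one LogEntry; an empty list means nothing to flag."""
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != AUDIT_TYPE:
        return []  # not a Cloud Audit Log record (e.g. an application log line)
    findings = []
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    if principal not in PHI_PRINCIPALS:
        findings.append(f"unexpected principal {principal or '<unknown>'}")
    if payload.get("serviceName") not in COVERED_SERVICES:
        findings.append(f"non-covered service {payload.get('serviceName')}")
    if PHI_TOKEN.search(payload.get("resourceName", "")):
        findings.append("PHI-like token in resourceName")
    return findings

def review_export(ndjson):
    """Map insertId -> findings for every flagged entry in a sink export."""
    report = {}
    for line in filter(str.strip, ndjson.splitlines()):
        entry = json.loads(line)
        if hits := review_entry(entry):
            report[entry.get("insertId", "?")] = hits
    return report

def make_entry(insert_id, service, resource, principal):
    """Build a minimal constructed LogEntry in the exported JSON shape."""
    return {"insertId": insert_id, "protoPayload": {"@type": AUDIT_TYPE,
            "serviceName": service, "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample export: a clean Healthcare API call, a PHI-labelled object
# read by an unexpected identity, and a call to a made-up non-covered service.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    make_entry("a1", "healthcare.googleapis.com", "projects/phi-prod/locations/us-central1/datasets/clinical",
               "clinical-etl@phi-prod.iam.gserviceaccount.com"),
    make_entry("a2", "storage.googleapis.com",
               "projects/_/buckets/intake/objects/mrn-48213-labs.csv", "contractor@example.org"),
    make_entry("a3", "preview-ml.googleapis.com",
               "projects/phi-prod/locations/us-central1/models/m1", "dr.rivera@example.com"),
])
```

Run `review_export` over the newline-delimited JSON that a Cloud Storage log sink writes; every returned finding is a candidate for the scheduled review called out in step 2.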

Utilizing Google Workspace and Cloud Identity

If your workforce handles PHI in email, docs, or meetings, sign the separate Workspace/Cloud Identity BAA and restrict PHI to “HIPAA Included Functionality.” As of May 14, 2026, Included Functionality covers Gmail, Drive (Docs, Sheets, Slides, Forms, Vids), Calendar, Chat, Meet, Groups, Sites, Keep, Tasks, Vault (if applicable), Voice (managed users), Cloud Identity Management, and Gemini in Workspace (among others). ([workspace.google.com](https://workspace.google.com/terms/2015/1/hipaa_baa-20210825/))

Follow Google’s Workspace and Cloud Identity HIPAA Implementation Guide: separate users who handle PHI into dedicated organizational units, disable non‑covered and third‑party services for those users, create DLP policies for Gmail and Drive, monitor admin activity, and avoid PHI in document titles or sharing settings. Do not use pre‑GA features with PHI. ([cloud.google.com](https://cloud.google.com/security/compliance/workspace_cloud_identity_hipaa_implementation_guide_workspace_whitepaper))

Compliance Resources and Implementation Guides

  • Google Cloud HIPAA page: scope, responsibilities, and links to product‑specific coverage and solution guides. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa-compliance?skip_cache=true))
  • Google Cloud HIPAA Compliance Guide (GCP): shared responsibility model, logging guidance, and covered‑products notes. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa/resources/hipaa_compliance_guide_gcp.pdf))
  • Workspace and Cloud Identity HIPAA Implementation Guide: Included Functionality and admin configurations. ([cloud.google.com](https://cloud.google.com/security/compliance/workspace_cloud_identity_hipaa_implementation_guide_workspace_whitepaper))
  • Healthcare Data Protection Toolkit solution guide: automates a HIPAA‑aligned baseline with deployable templates. ([services.google.com](https://services.google.com/fh/files/misc/hipaa_technical_solution_guide.pdf))
  • Assured Workloads US Data Boundary for Healthcare & Life Sciences: residency and support controls for regulated workloads. ([docs.cloud.google.com](https://docs.cloud.google.com/assured-workloads/docs/control-packages/us-data-boundary-healthcare-life-sciences?utm_source=openai))

Bottom line: with a signed BAA, disciplined use of Covered Services, and well‑implemented compliance controls, you can confidently run HIPAA‑aligned workloads on Google Cloud. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa-compliance?skip_cache=true))

FAQs

What is included in Google's Business Associate Addendum?

The BAA supplements your services agreement and applies only to Covered Services handling PHI. It defines Google’s security, incident/breach notification, and subcontractor duties; requires you to use service controls and appropriate safeguards; and references the HIPAA Implementation Guide for configuration. It does not apply to non‑covered products or PHI handled outside Covered Services. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?hl=fr))

How do I configure Google Cloud services for HIPAA compliance?

Start by signing the BAA, scoping PHI to Covered Services, and disabling pre‑GA or non‑covered offerings. Implement least‑privilege IAM, enable and export audit logs, use CMEK where policy demands, and apply data discovery/de‑identification (Sensitive Data Protection or Cloud Healthcare API). You can bootstrap with Google’s Healthcare Data Protection Toolkit and related HIPAA Implementation Guides. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa?hl=ja&utm_source=openai))

Which Google Cloud services are covered under the BAA?

Coverage is defined by Google and published on its HIPAA page; only those products explicitly designated as Covered Services are in scope. Some product families (for example, Google SecOps/Chronicle) have their own HIPAA pages detailing in‑scope and excluded features. Always consult the current list before storing or processing PHI. ([cloud.google.com](https://cloud.google.com/security/compliance/hipaa-compliance?skip_cache=true))

What are customer responsibilities under HIPAA when using Google Cloud?

You must execute the BAA, ensure PHI stays within Covered Services, configure and operate controls (access, logging, encryption, monitoring), and maintain policies, procedures, and training that satisfy HIPAA’s Privacy, Security, and Breach Notification Rules. Google provides secure infrastructure and detailed guidance, but compliance remains a shared responsibility. ([cloud.google.com](https://cloud.google.com/terms/hipaa-baa?hl=fr))
