Is Google Cloud HIPAA Compliant? BAA, Eligible Services, and Best Practices
Google Cloud can support HIPAA compliance when you execute a Business Associate Agreement (BAA), use only HIPAA-eligible services, and configure them correctly. Compliance is achieved through a Shared Responsibility Model: Google secures the underlying platform, while you protect your workloads, access, and data.
This guide explains which services are considered HIPAA-eligible, what the BAA covers, and the technical and operational steps you should take to safeguard Protected Health Information (PHI) on Google Cloud.
Google Cloud HIPAA-Compliant Services
“HIPAA-compliant” on Google Cloud means the service is designated as HIPAA-eligible and is explicitly listed as a Covered Service in your BAA. You must also use only generally available (GA) features of those services; preview, beta, or experimental features are out of scope for PHI.
Common HIPAA-eligible capabilities include general-purpose compute, storage, databases, analytics, networking, identity and access, logging/monitoring, and the Cloud Healthcare API for FHIR, HL7v2, and DICOM workloads. Always verify eligibility and feature scope against the Covered Services schedule in your BAA before processing PHI.
Business Associate Agreement Requirements
The Business Associate Agreement (BAA) is the contract under which Google acts as a business associate for your PHI. It defines permitted uses and disclosures, security safeguards, breach notification commitments, and the set of Covered Services you may use with PHI.
Key obligations you should expect
- Use only services and GA features listed as Covered Services in the BAA.
- Implement appropriate administrative, physical, and technical safeguards for PHI, including Encryption at Rest and in transit.
- Apply least-privilege access controls and maintain activity records through Cloud Audit Logs with Audit Log Export for retention and analysis.
- Monitor, detect, and report security incidents consistent with HIPAA requirements and BAA timelines.
- Ensure subcontractors with PHI access are bound by equivalent obligations.
- Enable secure deletion and return of PHI upon termination or when no longer needed.
How to execute the BAA
BAAs are requested and executed for your Google Cloud organization/legal entity. You typically review the standard BAA, confirm your Covered Services, assign a legal contact, and finalize acceptance through your account team or admin console. Do not ingest PHI until the BAA is fully executed and your architecture aligns with its scope.
Customer Responsibilities for Compliance
Under the Shared Responsibility Model, you control data, identities, network exposure, and workload security. Google manages the underlying facilities, hardware, and many platform-level controls. Your HIPAA program must bridge that divide.
- Perform a risk analysis and maintain HIPAA policies, workforce training, and sanctions.
- Classify data and apply the minimum necessary standard to all PHI processing.
- Adopt IAM Best Practices: least privilege, role scoping, conditional policies, and strong authentication.
- Encrypt data in transit and at rest, manage keys, and track access to PHI.
- Enable logging, monitoring, and Audit Log Export; test alerting and incident response.
- Define backup, disaster recovery, business continuity, and change management controls.
- Establish vendor/BAA management for integrators and downstream processors.
Covered Services Under BAA
The BAA contains the authoritative list of Covered Services and any service-specific conditions, feature scopes, or regional limitations. If a service or feature is not on that list, do not use it with PHI.
Commonly used covered capabilities (verify against your BAA)
- Compute and orchestration: virtual machines and managed Kubernetes for processing PHI.
- Storage: object and file storage with uniform access control, Object Versioning, and retention policies.
- Databases and analytics: managed relational stores and analytics engines with fine-grained access control.
- Messaging and integration: managed pub/sub messaging for decoupled PHI pipelines.
- Security and secrets: Key Management for CMEK/EKM, and secret storage for credentials and tokens.
- Operations: logging, monitoring, and alerting to evidence compliance and detect anomalies.
- Healthcare data services: APIs purpose-built for FHIR, HL7v2, and DICOM workflows.
Verifying coverage
Confirm coverage by reviewing your BAA’s Covered Services schedule and any referenced documentation. Use only GA features of those services, and document your verification as part of your HIPAA risk management records.
Security and Data Protection Measures
Encryption and key management
Enable Encryption at Rest (default for most services) and TLS for data in transit. For stronger control, use Customer-Managed Encryption Keys (CMEK) via Cloud KMS or External Key Manager (EKM), and implement rotation, separation of duties, and key access approvals.
Access control and identity
Apply IAM Best Practices: least-privilege roles, group-based access, conditional policies, service accounts without long-lived keys, multi-factor authentication, and break-glass workflows with tight monitoring.
Network security
Minimize public exposure with private networking, egress controls, and segmented VPCs. Use service perimeters to restrict data movement, WAF/DDoS protections at the edge, and firewall logging to track attempted access to PHI resources.
Logging, monitoring, and auditing
Ensure Admin Activity, Data Access, and System Event audit logs are in place for Covered Services. Admin Activity and System Event logs are always on, but Data Access logs (ADMIN_READ, DATA_READ, DATA_WRITE) are off by default for most services and must be enabled explicitly, without exempted principals. Configure Audit Log Export to a dedicated project and storage/analytics destination for retention, investigation, and evidence generation.
Data governance and lifecycle
Use classification and DLP scanning to identify PHI. Apply Object Versioning, retention policies, and legal holds where required. Enforce uniform bucket-level access and review access paths regularly.
Operational hardening
Harden workloads with patched images, vulnerability scanning, binary provenance, and deployment gates. Protect secrets centrally, avoid embedding credentials, and validate all third-party components before use with PHI.
Technical Best Practices for HIPAA
- Design for least privilege from the start; automate IAM policy testing and continuous drift detection.
- Isolate environments by project and folder; apply service perimeters around PHI projects.
- Use CMEK for critical datasets and document key ownership, rotation cadence, and access approvals.
- Implement comprehensive logging with Audit Log Export; analyze access patterns for the minimum necessary standard.
- Apply Object Versioning and retention lock on PHI buckets; validate restore and delete workflows.
- Keep PHI processing on private endpoints; control egress via proxies, NAT, and policy-based routing.
- Test backups, disaster recovery, and runbooks; perform tabletop exercises for breach scenarios.
- Continuously scan images and dependencies; enforce signed artifacts and verified builds.
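As an added example (not code from the original page or from Google), the following offline drift check covers the access-control and audit-logging practices above: given a project IAM policy in the JSON shape that gcloud projects get-iam-policy returns, it flags basic roles, public principals, direct user grants instead of groups, and missing or exempted Data Access audit logs. The sample policy is constructed and the finding labels are my own.

```python
"""Offline drift check for a Google Cloud project IAM policy, i.e. the JSON that
gcloud projects get-iam-policy PROJECT_ID --format=json returns."""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Data Access audit log types, which must be enabled explicitly; Admin Activity
# and System Event audit logs are always on and need no configuration.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

def lint_policy(policy: dict) -> list[str]:
    """Return one finding per deviation from least privilege or full Data Access logging."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"PUBLIC_PRINCIPAL {member} holds {role}")
            if role in BASIC_ROLES:
                findings.append(f"BASIC_ROLE {role} granted to {member}")
            if member.startswith("user:"):
                findings.append(f"DIRECT_USER_GRANT {member} holds {role}; grant via a group")
    # Data Access logs must cover every service, with no exempted principals.
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") != "allServices":
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            enabled.add(log_cfg["logType"])
            for exempt in log_cfg.get("exemptedMembers", []):
                findings.append(f"AUDIT_EXEMPTION {exempt} exempt from {log_cfg['logType']}")
    for log_type in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"AUDIT_LOG_MISSING {log_type} not enabled on allServices")
    return findings

# Constructed sample policy with deliberate gaps; not taken from any real project.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/healthcare.fhirResourceReader",
         "members": ["group:phi-readers@example.com"]},
    ],
    "auditConfigs": [{"service": "allServices", "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_WRITE", "exemptedMembers": ["user:bob@example.com"]},
    ]}],
}
```

Running lint_policy(SAMPLE_POLICY) yields five findings; scheduling it against each PHI project's exported policy gives the continuous drift detection the first bullet calls for.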
Compliance Certifications and Audits
Google Cloud undergoes independent third-party audits and maintains certifications such as ISO/IEC 27001, ISO/IEC 27017/27018, and SOC 2/3. Some services may also carry HITRUST CSF certifications. These reports provide assurance about platform controls relevant to HIPAA.
Using audits as evidence
Map Google’s audit reports and attestations to your control requirements, and pair them with your own configurations, logs, and procedures. Remember: a BAA and platform attestations do not themselves make your deployment compliant—your controls and operations complete the picture.
Conclusion
Google Cloud can be used for HIPAA workloads when you have a signed BAA, limit PHI to Covered Services, and implement strong technical and administrative safeguards. Anchor your program in the Shared Responsibility Model, enforce IAM Best Practices, Encryption at Rest, and robust logging, and continuously validate your posture.
FAQs
What services does Google Cloud include under its HIPAA compliance?
Only the services designated as HIPAA-eligible and listed as Covered Services in your Business Associate Agreement are in scope for PHI. Typical categories include compute, storage with Object Versioning and retention controls, managed databases, analytics, messaging, logging/monitoring, security/key management, and the Cloud Healthcare API. Always verify eligibility against your executed BAA before use.
How do I obtain a BAA with Google Cloud?
Request and execute a Business Associate Agreement for your Google Cloud organization through your admin console or account team. Confirm the legal entity, review the Covered Services schedule, assign contacts, and complete acceptance. Do not process PHI until the BAA is fully executed and your deployment aligns with its scope.
What are customer responsibilities under HIPAA on Google Cloud?
You must implement administrative, physical, and technical safeguards under the Shared Responsibility Model. This includes risk analysis, least-privilege access (IAM Best Practices), Encryption at Rest and in transit, continuous monitoring with Audit Log Export, secure backups and DR, vendor management, and documented incident response and breach notification procedures.
Can pre-GA Google Cloud offerings be used with PHI?
No. Pre-GA, beta, preview, or experimental features are not covered by the BAA and should not be used with Protected Health Information. Use only GA features of services explicitly listed as Covered Services in your BAA.