Is Google Workspace HIPAA Compliant? BAA, Covered Apps, and Setup Steps

Kevin Henry

HIPAA

March 04, 2026


Google Workspace can support HIPAA compliance when you sign a Business Associate Agreement (BAA), limit work to covered services, and implement documented HIPAA compliance controls. The steps below translate policy into practical Security Configuration so you can confidently handle Protected Health Information (PHI) in day-to-day operations.

This guide walks you through the essentials: executing a BAA, using covered apps, tightening core settings, enforcing Multi-Factor Authentication, restricting external sharing, enabling Audit Logs and retention, and preparing staff to handle PHI correctly. The material is informational and not legal advice.

Sign a Business Associate Agreement

A Business Associate Agreement is required before you create, receive, maintain, or transmit PHI in Google Workspace. The BAA defines Google’s responsibilities as a business associate and your obligations as a covered entity or business associate.

How to complete the BAA

  • Confirm your organization’s HIPAA role and that your Google Workspace edition is eligible for a BAA.
  • Have a super administrator review and accept the HIPAA Business Associate Amendment in the Admin console’s legal/compliance area.
  • Document the scope of PHI processing, identify covered workspaces, and record the acceptance date for audits.
  • Communicate the BAA’s coverage limits to IT and end users: only specific Google Workspace services are in scope.
  • Map your administrative, physical, and technical safeguards to HIPAA requirements and track them as ongoing controls.

Important: The BAA applies only to covered Google Workspace services. Disable, restrict, or avoid non-covered services wherever PHI could be present.

Use Covered Google Workspace Services

PHI must stay within services that are covered by Google’s HIPAA BAA. Examples of covered core services typically include Gmail, Calendar, Drive (Docs, Sheets, Slides, Forms), Chat, Meet, Sites, Keep, and Cloud Search. Coverage can vary by edition and change over time, so verify the current list in your Admin console and product terms.

What to allow and what to avoid

  • Allow only covered services in organizational units where PHI is processed.
  • Avoid or disable consumer or non‑core services that are not covered for PHI (for example, YouTube, Google Photos, Blogger, and similar consumer offerings).
  • Evaluate Google Workspace Marketplace and other third‑party apps separately; they are not covered by Google’s BAA and may require their own BAAs.
  • Prefer Shared Drives for PHI to centralize ownership and apply consistent controls over access and sharing.

Configure Security Settings

Strong Security Configuration is non‑negotiable for HIPAA. Establish a baseline that protects accounts, devices, data, and communication channels end to end.

Identity and access hardening

  • Apply least‑privilege admin roles; separate break‑glass accounts and monitor their use.
  • Use context‑aware access to restrict PHI access to trusted networks, managed devices, and compliant OS versions.
  • Set session and reauthentication timeouts; require strong passwords or passkeys and prevent password reuse.
  • Disable legacy/less secure protocols (e.g., unrestricted IMAP/POP) for PHI‑handling users unless hardened and monitored.

Email and messaging protections

  • Enforce TLS for Gmail with compliance rules; require secure transport for exchanges with partner domains handling PHI.
  • Implement S/MIME for applicable users and partners to add message‑level encryption and signing.
  • Use content compliance policies to block auto‑forwarding, strip sensitive attachments, or quarantine messages that violate rules.
  • Enable spoofing protections (SPF, DKIM, DMARC) to reduce impersonation risks in PHI workflows.

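The spoofing protections in the last bullet are only as good as the published DNS records, so a periodic check of what is actually in DNS belongs in the control evidence. The script below is an added example (not Google's tooling and not from the original article) that audits an SPF and a DMARC TXT record for the weak settings an auditor would flag: a permissive or missing `all` mechanism, too many DNS-querying SPF terms, a DMARC policy of `none`, partial `pct` enforcement, and no aggregate-report address. The record strings are constructed stand-ins for what a lookup of `example.com` and `_dmarc.example.com` would return; in practice you would feed it the output of `dig TXT`.

```python
import re

# Constructed sample TXT records (not fetched from DNS); they stand in for
# example.com's SPF record and _dmarc.example.com's DMARC record.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHS = re.compile(
    r"^[-~?+]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.IGNORECASE)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs; {} if it is not DMARC."""
    if not record.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+') or None."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # a bare 'all' defaults to '+'
    return None


def audit_domain_auth(spf_record: str, dmarc_record: str) -> list:
    """Return human-readable findings for weak or missing anti-spoofing settings."""
    findings = []
    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None:
        findings.append("SPF: record missing or has no 'all' mechanism")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises any sender; use '-all' or '~all'")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral; use '-all' or '~all'")
    lookups = sum(1 for t in spf_record.split()[1:] if LOOKUP_MECHS.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the 10-lookup limit (permerror)")

    dmarc = parse_dmarc(dmarc_record)
    if not dmarc:
        findings.append("DMARC: no record found")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(
            f"DMARC: policy 'p={policy or 'missing'}' does not act on failures; move to quarantine or reject")
    pct = dmarc.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} leaves some failing mail unenforced")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for finding in audit_domain_auth(SAMPLE_SPF, SAMPLE_DMARC):
        print(finding)
```

Run it against each domain that sends PHI-bearing mail and keep the output with the date as audit evidence; a domain that returns no findings has `-all` or `~all`, an enforcing DMARC policy at 100 percent, and reporting configured.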
Data protection and Data Loss Prevention

  • Enable Data Loss Prevention for Gmail and Drive using detectors for PHI elements (e.g., SSNs, NPIs, ICD/CPT codes).
  • Apply Drive labels/classifications (e.g., “PHI—Restricted”) and bind them to DLP rules that prevent external sharing, copy, print, and download.
  • Consider client‑side encryption for supported apps (Drive, Docs, Sheets, Slides, Meet, Calendar, and Gmail where available) when data residency or key ownership requirements apply.
  • Turn on data region settings if your compliance program calls for it and review export/use of offline or third‑party tools.

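To see what a DLP detector for the PHI elements named above actually has to do, here is an added example in Python (my own illustration, not Google's DLP engine or code from the article). It scans a message body for a formatted US SSN, a 10-digit NPI validated with the published check-digit method (Luhn over the number prefixed with `80840`, which is why a plain 10-digit invoice number is not flagged), and a dotted ICD-10 code, then maps the findings to the "PHI—Restricted" label used in the text and produces a redacted copy. The sample message is constructed; the ICD-10 pattern is deliberately coarse and stands in for a tuned detector.

```python
import re

# Constructed sample message; the SSN, NPI and diagnosis code are fabricated test values.
SAMPLE_MESSAGE = ("Re: referral. Patient SSN 123-45-6789, treating provider NPI 1234567893, "
                  "dx E11.9. Invoice 1234567890 is an invoice number, not an NPI.")

# Formatted SSN with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Any 10-digit run is an NPI candidate; the check digit decides.
NPI_RE = re.compile(r"\b\d{10}\b")
# Coarse ICD-10-CM shape (letter, two digits, dot, 1-4 characters); tune before production use.
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b")


def npi_check_digit_valid(npi: str) -> bool:
    """Luhn check over '80840' + NPI, the standard NPI check-digit algorithm."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    digits = [int(c) for c in "80840" + npi]
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def scan_for_phi(text: str) -> list:
    """Return findings as {'detector', 'value'} dicts, SSNs first, then NPIs, then ICD-10 codes."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"detector": "US_SSN", "value": m.group(0)})
    for m in NPI_RE.finditer(text):
        if npi_check_digit_valid(m.group(0)):   # drops 10-digit numbers that are not NPIs
            findings.append({"detector": "NPI", "value": m.group(0)})
    for m in ICD10_RE.finditer(text):
        findings.append({"detector": "ICD10_CODE", "value": m.group(0)})
    return findings


def recommend_label(findings: list) -> str:
    """Bind detection to the Drive label that the DLP rules key on."""
    return "PHI—Restricted" if findings else "General"


def redact(text: str, findings: list) -> str:
    """Replace each detected value with its detector name, for quarantine previews or logs."""
    for f in findings:
        text = text.replace(f["value"], f"[{f['detector']}]")
    return text


if __name__ == "__main__":
    found = scan_for_phi(SAMPLE_MESSAGE)
    print(recommend_label(found))
    print(redact(SAMPLE_MESSAGE, found))
```

The check-digit step is the part worth copying: a rule that matches any 10-digit number will bury analysts in false positives from invoice and phone numbers, while the Luhn validation keeps the NPI detector precise.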
Device and application security

  • Require endpoint management: screen locks, disk encryption, OS version minimums, and remote wipe for lost/stolen devices.
  • Block jailbroken/rooted devices; restrict copying PHI to unmanaged devices or personal accounts.
  • Control OAuth scopes; allowlist trusted apps and restrict Marketplace add‑ons that touch PHI.

Administrative guardrails

  • Use organizational units and groups to scope policies precisely to PHI users and locations.
  • Document all HIPAA Compliance Controls in change management; test them routinely and log evidence for audits.

Enforce Multi-Factor Authentication

Require Multi‑Factor Authentication for every account that can access PHI. Favor phishing‑resistant methods and enforce them with policy—not user choice.


  • Mandate 2‑Step Verification with FIDO2 security keys or passkeys for admins and PHI users; phase out SMS/voice codes.
  • Use conditional access to require step‑up MFA for sensitive actions and from unfamiliar networks/devices.
  • Pre‑enroll backup methods for break‑glass scenarios and continuously monitor MFA enrollment status.

Restrict External File Sharing

External sharing controls are critical to prevent unauthorized disclosure of PHI. Default to the minimum necessary access and open up only by exception.

  • Set link sharing defaults to “Restricted”; disable “Public on the web” and “Anyone with the link.”
  • Allowlist partner domains that have signed agreements; require sign‑in for all external viewers/commenters.
  • Use Drive trust rules and DLP to block external shares that contain PHI or specific identifiers.
  • Prefer Shared Drives for PHI and disable external sharing on those drives unless explicitly approved.
  • In Gmail, enable external recipient warnings, Access Checker, and block automatic forwarding to external addresses.
  • In Chat and Meet, limit external participants where PHI is discussed and align history/recording settings with your retention policy.

Enable Audit Logging and Retention Policies

HIPAA requires you to know who accessed PHI, when, and what they did. Turn on comprehensive Audit Logs and enforce retention for eDiscovery and incident response.

Logging and monitoring

  • Review Admin, Login, Drive, Gmail, Chat, Meet, and Calendar audit logs regularly; create saved views for PHI access patterns.
  • Stream logs to your SIEM or BigQuery for correlation, anomaly detection, and long‑term analytics.
  • Use the alert center to surface DLP violations, suspicious sharing, unusual login behavior, and admin privilege changes.
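The sharing controls in the previous section and the log review described here meet in one routine check: read the Drive audit events and flag any share that breaks the policy (no open links on PHI documents, external access only to allowlisted partner domains). The script below is an added example written for this article (not Google's alert center and not code from the page). The activity records are constructed; their shape (`id.time`, `actor.email`, `events[].name`, `events[].parameters[]` as name/value pairs) follows the Workspace Reports API as I understand it, and the parameter names `doc_id`, `doc_title`, `visibility` and `target_user` are assumptions to confirm against your own exported logs. The document-to-label map stands in for a Drive labels export.

```python
INTERNAL_DOMAIN = "example.com"                       # assumed primary domain
PARTNER_ALLOWLIST = {"partner-clinic.example"}        # domains with signed agreements
OPEN_LINK_VISIBILITIES = {"public_on_the_web", "people_with_link"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed doc_id -> Drive label map, standing in for a labels export.
DOC_LABELS = {"doc-1": "PHI—Restricted", "doc-2": "General", "doc-3": "PHI—Restricted"}

# Constructed sample Drive audit activities (see the assumptions in the lead-in).
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2026-03-04T10:12:00Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"name": "change_document_visibility", "parameters": [
         {"name": "doc_id", "value": "doc-1"}, {"name": "doc_title", "value": "Intake form"},
         {"name": "visibility", "value": "people_with_link"}]}]},
    {"id": {"time": "2026-03-04T10:20:00Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_id", "value": "doc-2"}, {"name": "doc_title", "value": "Vendor contract"},
         {"name": "target_user", "value": "intake@partner-clinic.example"}]}]},
    {"id": {"time": "2026-03-04T10:31:00Z"}, "actor": {"email": "carol@example.com"},
     "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_id", "value": "doc-3"}, {"name": "doc_title", "value": "Lab results"},
         {"name": "target_user", "value": "someone@gmail.com"}]}]},
    {"id": {"time": "2026-03-04T10:45:00Z"}, "actor": {"email": "dave@example.com"},
     "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_id", "value": "doc-2"}, {"name": "doc_title", "value": "Vendor contract"},
         {"name": "target_user", "value": "contractor@other.example"}]}]},
]


def _params(event: dict) -> dict:
    """Flatten the name/value parameter list of one event into a dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def triage_drive_activity(activities: list, labels: dict = DOC_LABELS) -> list:
    """Return policy violations found in Drive audit activities, highest severity first."""
    alerts = []
    for activity in activities:
        actor = activity["actor"]["email"]
        when = activity["id"]["time"]
        for event in activity["events"]:
            p = _params(event)
            doc_id = p.get("doc_id", "")
            label = labels.get(doc_id, "General")
            is_phi = label.startswith("PHI")
            reason = severity = None
            if (event["name"] == "change_document_visibility"
                    and p.get("visibility") in OPEN_LINK_VISIBILITIES):
                # Open links are never acceptable on PHI and worth a look elsewhere.
                reason = f"link sharing set to {p['visibility']}"
                severity = "high" if is_phi else "medium"
            elif event["name"] == "change_user_access":
                domain = _domain(p.get("target_user", ""))
                if domain and domain != INTERNAL_DOMAIN and domain not in PARTNER_ALLOWLIST:
                    reason = f"access granted to unapproved external domain {domain}"
                    severity = "high" if is_phi else "low"
            if reason:
                alerts.append({"time": when, "actor": actor, "doc_id": doc_id,
                               "doc_title": p.get("doc_title", ""), "label": label,
                               "severity": severity, "reason": reason})
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in triage_drive_activity(SAMPLE_ACTIVITIES):
        print(alert["severity"], alert["time"], alert["actor"], alert["doc_title"], alert["reason"])
```

Bob's share to the allowlisted partner produces no alert, which is the point of maintaining the allowlist: reviewers see only the exceptions. Scheduled against the daily export (or the SIEM table the logs stream into), the same logic becomes the saved view for PHI access patterns that the first bullet asks for.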

Retention and eDiscovery

  • Use Vault to set default and custom retention for Gmail, Drive (including Shared Drives), and Chat to meet policy and legal needs.
  • Apply legal holds for investigations and litigation; verify searches and exports during periodic eDiscovery drills.
  • Document retention schedules and reconcile them with business and regulatory requirements before enabling deletions.

Provide Staff Training on PHI Handling

Technology alone will not keep you compliant. Train and retrain staff so everyday behaviors align with HIPAA and your Security Configuration.

  • Define PHI/ePHI clearly and teach the “minimum necessary” standard for access and sharing.
  • Require double‑checks on recipients and permissions before sending or linking to PHI; avoid PHI in email subject lines and chat room names.
  • Standardize use of labels/classifications, approved templates, and encrypted channels for PHI workflows.
  • Ban saving PHI to personal devices or accounts; report lost devices or suspected disclosures immediately.
  • Educate users to spot phishing and social engineering targeting healthcare data.
  • Review rules for third‑party apps, exports, screenshots, and downloads involving PHI.

FAQs

What Google Workspace services are covered under the HIPAA BAA?

Coverage focuses on core Google Workspace services. Common examples include Gmail, Calendar, Drive (Docs, Sheets, Slides, Forms), Chat, Meet, Sites, Keep, and Cloud Search. Because coverage can differ by edition and change over time, confirm the current list in your Admin console and product terms before storing PHI.

How do I sign a BAA with Google Workspace?

A super administrator reviews and accepts the HIPAA Business Associate Amendment in the Admin console’s legal/compliance section. Verify your organization’s HIPAA role, ensure your edition is eligible, accept the terms, and document the acceptance date and scope. Communicate the coverage limits to IT and users so PHI stays within covered services.

What security settings are required to maintain HIPAA compliance in Google Workspace?

At minimum: enforce Multi‑Factor Authentication; apply least‑privilege roles; use context‑aware access; require TLS and deploy S/MIME where needed; enable Data Loss Prevention for Gmail and Drive; classify PHI with labels tied to DLP; restrict external sharing by default; manage devices with endpoint controls; monitor Audit Logs and alerts; and set Vault retention and legal holds aligned to policy.

Is Google Workspace suitable for storing and sharing PHI?

Yes—provided you have an executed BAA, restrict PHI to covered services, and operate documented HIPAA Compliance Controls. You remain responsible for configuring and maintaining safeguards such as MFA, DLP, secure sharing, device management, Audit Logs, and retention to protect PHI and demonstrate compliance.

Bottom line: Google Workspace can support HIPAA obligations when you execute a BAA, keep PHI in covered services, and run a rigorous, well‑documented Security Configuration that combines MFA, DLP, sharing controls, logging, retention, and continuous staff training.
