Which Google Services Are HIPAA-Compliant? Workspace, Cloud, and BAA Explained
Google Workspace HIPAA-Compliant Services
What “HIPAA-compliant” means for Workspace
For Google Workspace, HIPAA compliance hinges on two things: a signed Business Associate Addendum (BAA) with Google and proper compliance configuration aligned to the HIPAA Security Rule. Only services specifically designated as covered under your BAA may handle Protected Health Information (PHI).
Covered Core Services (examples, verify against your BAA)
Commonly covered “Core Services” include Gmail, Calendar, Drive (with Docs, Sheets, Slides, and Forms), Chat, Meet, Sites, and Keep. Coverage can vary by agreement and change over time, so you should confirm the current covered list in your Admin console and documentation before storing PHI.
Configuration matters as much as coverage
Even for covered services, you must enforce encryption standards, access control policies, data loss prevention (DLP), and retention settings. Features like Google Vault, context-aware access, and endpoint management help you align Workspace behavior to your organization’s compliance requirements and audit trails.
Google Cloud Platform HIPAA Eligibility
HIPAA-eligible services versus non-eligible services
On Google Cloud Platform (GCP), PHI is permitted only in HIPAA-eligible products under a signed BAA. Typical eligible categories include select compute, storage, databases, analytics, and networking services. Because eligibility evolves, always validate a service’s status before use and document that validation in your risk analysis.
Architecting for the HIPAA Security Rule
Design cloud workloads using least-privilege IAM, private networking, and comprehensive audit trails. Use encryption at rest and in transit (for example, AES-256 at rest and TLS 1.2+ in transit), consider customer-managed encryption keys (CMEK) via Cloud KMS, and apply VPC Service Controls, Cloud DLP, and Security Command Center to reduce data exposure risk.
Project and data scoping
Segment PHI into dedicated “covered” projects and folders, label resources, and apply service perimeters. Keep non-PHI workloads separate to simplify policy enforcement, billing review, and monitoring. Maintain an authoritative registry of PHI locations to streamline audits and incident response.
Business Associate Addendum Signing Process
Prerequisites
- Confirm your legal entity, domain ownership, and administrator roles.
- Identify a compliance officer and define PHI use cases across Workspace and Cloud.
- Complete a preliminary risk analysis and draft access control policies.
Workspace: how to accept the BAA
- Sign in as a super admin to the Admin console.
- Open the legal or compliance settings and review the Google Workspace HIPAA BAA.
- Acknowledge responsibilities and accept the addendum for your organization.
- Document acceptance, scope (OUs/groups), and the effective date in your compliance records.
Google Cloud: how to accept the BAA
- Sign in to the Cloud console with organization-level permissions.
- Review and accept the HIPAA BAA for the organization and applicable projects.
- Tag “covered” projects and restrict PHI to HIPAA-eligible services only.
- Store evidence of acceptance, scope, and project mapping in your audit file.
After signing: operationalize compliance
A BAA enables PHI processing but does not make you compliant by itself. Finalize compliance configuration, train users, and schedule periodic audits to verify that safeguards remain effective and documented.
Configuring Security Settings for HIPAA
Workspace quick-start configuration
- Identity and access: enforce 2-Step Verification, strong password policies, and SSO (if used).
- Gmail security: enable secure transport (MTA-STS/TLS), consider S/MIME, and create DLP/content compliance rules for PHI.
- Drive and sharing: restrict external sharing, allow only trusted domains, and require labels/classification on sensitive files.
- Devices: enable endpoint management, require screen locks and disk encryption, and enable remote wipe.
- Retention and eDiscovery: configure Vault retention and legal hold for PHI-related data.
Cloud quick-start configuration
- Encryption standards: ensure encryption at rest and in transit; consider CMEK or HSM-backed keys for heightened control.
- Network controls: use private service access, least-privilege firewall rules, Cloud NAT, and VPC Service Controls.
- IAM: apply role-based access, use deny policies where appropriate, and restrict the creation and lifetime of service account keys.
- Data protection: scan and classify with Cloud DLP; restrict storage locations as required by policy.
- Resilience: configure backups, test restores, and document recovery time objectives.
Compliance configuration governance
Treat each control as a policy with an owner, review cadence, and measurable outcomes. Track exceptions, approve time-bound access, and maintain an audit trail for every change affecting PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Managing Non-BAA Google Services
Identify and block non-covered services
Services not covered by your BAA must not store or process PHI. Common examples include consumer Google accounts and Google Photos. Disable or restrict such services via Admin controls and context-aware access to prevent accidental PHI exposure.
Exfiltration safeguards
- Enforce DLP to block uploads of PHI to non-BAA destinations.
- Limit third-party Marketplace apps to vetted vendors with signed BAAs.
- Educate users with clear, role-specific guidance and periodic refreshers.
Implementing PHI Access Controls
Role-based and least privilege
Define access control policies by role and task. Grant the minimum necessary permissions, apply group-based assignments, and require approvals for elevated or break-glass access with automatic time-based revocation.
Segmentation and context
Separate PHI by department and sensitivity, and use organizational units, labels, and resource hierarchy for scoping. Apply context-aware access (device posture, network, location) to reduce risk from unmanaged devices or unusual access patterns.
Operational controls
- Rotate credentials and keys; avoid long-lived service account keys.
- Log every access to PHI and review high-risk roles weekly.
- Document data flows and approve any cross-border transfer per policy.
Auditing and Monitoring Google Services
Workspace auditing
Enable Admin, Drive, and Gmail audit logs; route them to a centralized repository for retention and analysis. Use the Alert Center and the Security Investigation Tool to triage anomalies and produce audit trails for investigations.
Cloud auditing
Turn on Cloud Audit Logs (Admin Activity, Data Access, System Events) for covered projects; note that Data Access logs are disabled by default for most services and must be enabled explicitly. Forward logs to Cloud Logging and your SIEM, set alerts for sensitive operations, and routinely review Access Approval requests and Access Transparency logs where available.
Continuous compliance
Run scheduled access reviews, configuration drift checks, and tabletop exercises for incident response. Track corrective actions to closure and keep evidence organized for audits and regulators.
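One way to turn the Cloud audit-log and IAM controls above into a scheduled drift check, as an added example that is not part of this page or of Google's tooling: it runs over a project IAM policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` (loaded as a dict) and flags missing Data Access log types, audit-log exemptions, public principals, and basic roles granted directly to individual users. The sample policy and the example.com principals are constructed for illustration.

```python
# Checks over the IAM policy dict from: gcloud projects get-iam-policy PROJECT_ID --format=json
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor"}


def audit_log_findings(policy):
    """Data Access logs are off by default; require all three types for allServices."""
    cfg = next((c for c in policy.get("auditConfigs", []) if c.get("service") == "allServices"), None)
    if cfg is None:
        return ["auditConfigs: no allServices entry, Data Access logs are disabled"]
    log_configs = cfg.get("auditLogConfigs", [])
    enabled = {lc["logType"] for lc in log_configs}
    findings = [f"auditConfigs: {lt} not enabled for allServices" for lt in sorted(REQUIRED_LOG_TYPES - enabled)]
    # exemptedMembers silently drop log entries for those principals, so report them too
    for lc in log_configs:
        for m in lc.get("exemptedMembers", []):
            findings.append(f"auditConfigs: {m} exempted from {lc['logType']} logging")
    return findings


def binding_findings(policy):
    """Flag public principals and basic roles granted to individual users instead of groups."""
    findings = []
    for b in policy.get("bindings", []):
        role = b["role"]
        for m in b.get("members", []):
            if m in PUBLIC_PRINCIPALS:
                findings.append(f"bindings: {role} granted to public principal {m}")
            elif role in BASIC_ROLES and m.startswith("user:"):
                findings.append(f"bindings: basic role {role} granted directly to {m}")
    return findings


def check_policy(policy):
    """All findings for one project policy; an empty list means no drift detected."""
    return audit_log_findings(policy) + binding_findings(policy)


# Constructed sample policy (not from a real project) with three deliberate gaps.
SAMPLE_POLICY = {
    "auditConfigs": [{"service": "allServices",
                      "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]}],
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/viewer", "members": ["group:phi-auditors@example.com"]},
    ],
}
```

Calling `check_policy(SAMPLE_POLICY)` returns three findings (missing DATA_READ logging, an owner role on an individual user, and a public binding); running it on every covered project from a scheduler and keeping the output is one concrete form of the evidence auditors ask for.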
FAQs
What Google services require a BAA for HIPAA compliance?
Any Google service that will create, receive, maintain, or transmit PHI requires a signed BAA and must be specifically designated as covered. In Workspace, that typically means only the Core Services listed in your agreement. In GCP, PHI must be restricted to HIPAA-eligible products within covered projects.
How do I sign a BAA with Google?
A super admin reviews and accepts the Business Associate Addendum (BAA) in the Admin console for Workspace and at the organization level in the Cloud console for GCP. Document the effective date, scope (OUs, groups, projects), and retain copies in your compliance records.
Can Google Photos be used for storing PHI?
No. Google Photos is not covered by the BAA and must not be used to store or share PHI. Store PHI only in services explicitly covered by your BAA and configured for compliance.
What security measures are needed for HIPAA-compliant Google Workspace?
Enforce strong identity protections (2SV/SSO), apply DLP for email and files, restrict external sharing, require device encryption and management, enable secure transport and (optionally) S/MIME, and configure retention with Vault. Maintain audit trails and perform regular access and configuration reviews to align with the HIPAA Security Rule.