Is Google Workspace HIPAA Compliant? BAA, Covered Services, and Configuration Guide

Practical guidance for healthcare teams and business associates

Is Google Workspace HIPAA Compliant? BAA, Covered Services, and Configuration Guide

Google Workspace can be used in a HIPAA-compliant way on all paid plans, but signing the BAA and choosing the right plan tier are two different things. Every paid Google Workspace plan is eligible for a Business Associate Agreement at no extra cost, but the compliance features you actually need - DLP, Vault, endpoint management, context-aware access - are only available on higher tiers or as paid add-ons.

Healthcare organizations using Gmail, Google Drive, Google Meet, or Google Chat for anything involving PHI need to understand which services are covered by the BAA, which are not, and how to configure the platform so that compliance is built into daily operations rather than bolted on after the fact.

Healthcare administrator reviewing Google Workspace HIPAA compliance settings and BAA configuration

Google Workspace HIPAA Setup: Plans, BAA, and Security

Does Google Sign a BAA for Workspace?

Yes. Google offers a Business Associate Agreement (technically called a Business Associate Amendment) for all paid Google Workspace plans. The BAA is free and can be accepted directly in the Google Admin Console - no phone calls, no paper contracts, no waiting for approval.

To sign the BAA: log in to the Admin Console (admin.google.com) as a Super Admin, navigate to Account, then Account Settings, then Legal and Compliance. Find the HIPAA Business Associate Amendment and accept it. The acceptance is immediate and legally binding.

For audit documentation, take a screenshot of the Admin Console showing the accepted BAA status. Keep this in your business associate management records alongside your other vendor BAAs.

Free personal Google accounts (Gmail, personal Drive) are not eligible for a BAA and cannot be used with PHI under any circumstances.

Which Google Workspace Plans Include HIPAA Coverage?

All paid Google Workspace plans are eligible for the BAA, but not all plans include the compliance tools healthcare organizations need:

PlanBAA Available?Key Compliance Features
Google Workspace Business Starter ($7/user/mo)YesBasic admin controls, TLS encryption, MFA
Google Workspace Business Standard ($14/user/mo)YesBasic admin controls, MFA, larger storage
Google Workspace Business Plus ($22/user/mo)YesGoogle Vault, advanced endpoint management, enhanced admin controls
Google Workspace Enterprise (custom pricing)YesAll Business Plus + DLP, context-aware access, client-side encryption, advanced audit

For healthcare organizations, Business Plus is the practical minimum. It is the first tier that includes Google Vault (retention and eDiscovery) and advanced endpoint management without paid add-ons. Business Starter and Standard can sign the BAA, but they lack Vault and advanced device controls - you would need to purchase Vault separately ($6/user/mo) and accept limited endpoint management.

If your organization needs DLP, context-aware access policies, or client-side encryption, you need the Enterprise tier. DLP is Enterprise-only for Gmail, Drive, and Chat. There is no way to get native DLP on a Business plan.

Which Google Services Are Covered by the BAA?

Not every Google product is covered. The BAA covers a specific list of services, and anything outside that list should not be used with PHI. As of the most recent update to Google's HIPAA Included Functionality page:

Covered services:

  • Gmail
  • Google Drive (including Docs, Sheets, Slides)
  • Google Meet
  • Google Chat
  • Google Calendar
  • Google Forms
  • Google Sites
  • Google Keep
  • Google Tasks
  • Google Groups
  • Google Vault (where included by plan)
  • Google Voice (managed users only)
  • Google Vids
  • Cloud Identity Management
  • AppSheet
  • Apps Script
  • Gemini in Workspace and the Gemini app (see AI section below)

NOT covered by the BAA:

  • YouTube
  • Google Maps
  • Google Photos
  • Google Ads
  • Google Analytics
  • Google Contacts
  • Google My Business
  • Third-party Marketplace add-ons and browser extensions
  • Gemini in Chrome
  • Any "Additional Google Services" not on the covered list

Critical admin step: Disable access to non-covered services for any users handling PHI. Go to the Admin Console, then Apps, then Additional Google Services, and turn off services that are not BAA-covered for the organizational units that handle PHI.

Google Workspace Security and Encryption

Encryption in transit: All data moving between users and Google's servers is encrypted with TLS by default. For Gmail, TLS encrypts email between mail servers - but only if the recipient's mail server also supports TLS. If it does not, the message can fall back to unencrypted transmission. Admins should configure email routing to require TLS and hold or bounce messages that cannot be sent securely.

Encryption at rest: All data stored in Google Workspace (Drive, Gmail, Meet recordings, etc.) is encrypted at rest using AES-256 encryption. This is automatic and applies to all covered services.

Client-side encryption (Enterprise only): On the Enterprise tier, files can be encrypted in the user's browser before upload to Google's servers. Google cannot access the plaintext content. This uses an external Key Management Service (Fortanix, Futurex, FlowCrypt, or Thales). Client-side encryption is supported for Drive, Gmail, Calendar, and Meet. For organizations that need the highest level of data control, this is a significant differentiator from other platforms.

Certifications: Google holds SOC 2 Type II, SOC 3, ISO 27001, ISO 27017, ISO 27018, ISO 27701, HITRUST CSF, and FedRAMP High authorization. This is one of the broadest certification portfolios of any cloud provider.

How to Configure Google Workspace for HIPAA

1. Accept the BAA. Admin Console, Account, Account Settings, Legal and Compliance, accept the HIPAA Business Associate Amendment. This must be done by a Super Admin.

2. Enforce MFA for all users. Under the 2026 HIPAA Security Rule updates, MFA is mandatory. Go to Security, then Authentication, then 2-Step Verification. Enforce it for all users, not just admins. Set it to "enforced" with no grace period for new users.

3. Disable non-covered services. Go to Apps, then Additional Google Services. Turn off YouTube, Google Maps, Google Photos, and any other service not on the BAA-covered list for organizational units that handle PHI.

4. Configure email TLS requirements. In Gmail settings, set up a compliance rule that requires TLS for outbound email. This prevents PHI from being sent unencrypted to external recipients whose mail servers do not support TLS.

5. Set up Google Vault retention (Business Plus+). Create retention rules that keep Gmail, Drive, Chat, and Meet data for at least six years (the HIPAA record retention requirement). Apply legal holds when necessary for investigations or litigation.

6. Enable DLP policies (Enterprise only). If you are on Enterprise, create DLP rules in the Admin Console that detect PHI patterns in Gmail, Drive, and Chat. Configure rules to block external sharing of files containing PHI and alert compliance officers when violations are detected.

7. Manage sharing settings. In Drive settings, restrict external sharing to specific domains or disable it entirely for organizational units that handle PHI. Turn off "anyone with the link" sharing - this is the Google Drive equivalent of leaving the front door open.

8. Configure endpoint management. On Business Plus and Enterprise, enable advanced endpoint management. Require device encryption, screen lock, and minimum OS versions. Configure automatic device wipe for lost or stolen devices.

9. Train your staff. Staff need to know which Google services can and cannot be used with PHI, how to share files securely, when to use Google Meet vs. phone calls, and what constitutes PHI in the context of email and chat. The most common Google Workspace HIPAA violations are behavioral - sharing a Drive file containing PHI with "anyone with the link," emailing a patient's name and diagnosis to an external provider without checking TLS, or discussing patient information in a Google Chat room that includes unauthorized members.

Google Gemini AI and HIPAA Compliance

Google has added Gemini in Workspace and the standalone Gemini app to the list of HIPAA-covered services. This means that on paid Workspace plans with the BAA signed, Gemini features embedded in Gmail, Docs, Sheets, Slides, Meet, and Drive are covered.

However, there are important distinctions:

Covered: Gemini in Workspace (the AI features within Google apps), the Gemini app (standalone), and the Gemini Mac app.

NOT covered: Consumer Gemini at gemini.google.com (personal Google accounts) and Gemini in Chrome. Even on managed Workspace devices, if a staff member accesses consumer Gemini through a personal Google account, that interaction is not covered by the BAA.

Vault support: As of June 2026, Google Vault supports retention rules and litigation holds for Gemini app data, extending compliance coverage to AI-generated content.

The practical risk for healthcare organizations is not the technology - it is staff using personal Google accounts to access consumer Gemini on work devices. Most reported "Gemini HIPAA incidents" involve this scenario, not the Workspace-integrated version. Ensure users only access Gemini through their managed Workspace accounts.

Common Google Workspace HIPAA Mistakes

"Anyone with the link" sharing. Google Drive makes it easy to share files by generating a link. If a file containing PHI is shared with "anyone with the link," it is effectively public. Any person who obtains the link - through a forwarded email, a browser history, or a search engine - can access the file. Restrict sharing to specific users or groups within your organization.

Personal Gmail for work communication. If a provider uses their personal Gmail account to email a patient or discuss a case with a colleague, that communication is outside the BAA. Personal Gmail accounts cannot be made HIPAA-compliant. Enforce that all work communication happens through the managed Workspace domain.

Unmanaged third-party apps. Google Workspace Marketplace has thousands of add-ons that can access Gmail, Drive, and Calendar data. Each add-on that touches PHI is a potential business associate. Review installed third-party apps in the Admin Console, remove unnecessary ones, and block users from installing unapproved apps.

Using non-covered services with PHI. YouTube, Google Maps, Google Photos, and other non-covered services are accessible from within the Workspace environment. Staff may not realize that uploading a training video containing patient scenarios to YouTube, or using Google Maps to plan patient home visits with identifying information, creates HIPAA exposure. Disable access to non-covered services for PHI-handling staff.

Skipping Vault on lower plans. Without Google Vault (or an equivalent third-party solution), there is no way to enforce retention policies or perform eDiscovery on Workspace data. If you are on Business Starter or Standard, either upgrade to Business Plus or add Vault ($6/user/mo). HIPAA requires six-year record retention - you cannot meet this without a retention management tool.

How Does Google Workspace Compare to Other Platforms?

PlatformBAA Available?Best ForKey Limitation
Google WorkspaceYes (all paid plans)Organizations on Google ecosystem; need email, drive, video, chatDLP is Enterprise-only; no native DLP on Business plans
Microsoft 365Yes (all commercial plans)Organizations on Microsoft ecosystem; need advanced complianceCompliance features require E3+ ($39/user/mo)
Zoom for HealthcareYes (Business+ plans)Telehealth, video consultationsVideo-focused; not a full collaboration suite
Dropbox BusinessYes (Standard+ plans)File storage and sharingNo email, chat, or video; single-purpose

The Google vs. Microsoft decision for healthcare typically comes down to existing infrastructure and DLP needs. Microsoft 365 E3 ($39/user/mo) includes DLP, retention, and eDiscovery in one package. Google Workspace Business Plus ($22/user/mo) is less expensive but lacks DLP - you need Enterprise (custom pricing) for that. If your organization already lives in Google's ecosystem, the transition cost of switching to Microsoft for compliance features alone may not make sense. If you are starting fresh and DLP is a priority, evaluate both.

Frequently Asked Questions

Is personal Gmail HIPAA compliant?

No. Personal Gmail accounts (name@gmail.com) do not include a BAA and cannot be used with PHI. Only paid Google Workspace plans with a signed BAA are eligible for HIPAA use.

Can I use Google Gemini AI with patient data?

Yes, but only through your managed Google Workspace account. Gemini in Workspace and the Gemini app are covered under the BAA. Consumer Gemini (gemini.google.com through a personal account) and Gemini in Chrome are not covered. Ensure staff only use Gemini through their Workspace accounts.

Which Google Workspace plan is best for healthcare?

Business Plus ($22/user/mo) is the practical minimum because it includes Google Vault for retention and eDiscovery plus advanced endpoint management. Enterprise is needed if you require DLP, context-aware access policies, or client-side encryption. Business Starter and Standard are technically BAA-eligible but lack essential compliance tools.

Does Google Workspace encrypt email automatically?

Google uses TLS to encrypt email in transit, but only if the recipient's mail server also supports TLS. If it does not, the email may be sent unencrypted. Configure your Admin Console to require TLS for outbound email so that messages containing PHI are never sent in the clear.

Do I need separate BAAs for Gmail, Drive, and Meet?

No. Google's BAA covers all HIPAA-eligible Workspace services under one agreement. You accept it once in the Admin Console and it applies to Gmail, Drive, Meet, Chat, Calendar, and all other covered services.

Conclusion

Google Workspace can be a HIPAA-compliant platform for healthcare communication and collaboration, with the BAA available on every paid plan at no extra cost. The self-service BAA process in the Admin Console is simpler than most vendors. The real challenge is choosing the right plan tier and configuring it properly - the BAA alone does not make you compliant.

Business Plus should be the starting point for most healthcare organizations. Enterprise is the right choice if you need DLP, context-aware access, or client-side encryption. Regardless of plan, the operational work - disabling non-covered services, enforcing MFA, configuring sharing restrictions, setting up Vault retention, and training staff - is what separates organizations that are technically BAA-covered from those that are actually HIPAA-compliant in practice.

Need help assessing whether your Google Workspace deployment meets HIPAA requirements? Book a free 30-minute consultation with One Guy Consulting to review your configuration and identify gaps.

This content is for educational and informational purposes only and should not be construed as legal advice.

Sources


Related Reading: