
Is Google Workspace HIPAA Compliant? Full Breakdown (2026)
Google Workspace can be HIPAA compliant — but only on paid plans with a signed Business Associate Agreement (BAA) and specific admin configuration. The default settings are not compliant out of the box. Free Google accounts and personal Gmail never qualify.
That distinction matters more than most practices realize. Signing up for Google Workspace Business Starter and assuming you are covered is one of the most common compliance mistakes we see in independent healthcare. The BAA is necessary, but it is not sufficient. What you configure after signing it determines whether your practice is actually protected.
Here is exactly what is covered, what is not, and how to set it up correctly.
Which Google Workspace Plans Support HIPAA Compliance?
Google will sign a BAA with organizations on any of its paid Workspace plans:
- Business Starter ($7/user/month)
- Business Standard ($14/user/month)
- Business Plus ($22/user/month)
- Enterprise (custom pricing)
Free Google accounts — including personal Gmail, free Google Drive, and consumer Google apps — are not eligible for a BAA. There is no configuration, workaround, or agreement that makes a free Google account HIPAA compliant. If any staff member at your practice is using a personal Gmail address to send or receive patient information, that is a HIPAA violation regardless of what your Workspace account looks like.
Which Google Services Are Covered by the BAA?
Google's BAA covers a specific list of services. Only these services may be used with protected health information (PHI):
- Gmail (Workspace version only)
- Google Drive (including file storage and sharing)
- Google Docs, Sheets, and Slides
- Google Calendar
- Google Meet
- Google Chat
- Google Vault
- Google Sites
- Google Keep
The following Google services are not covered by the BAA and must never be used with PHI:
- Google Maps (including location history and timeline)
- YouTube
- Blogger
- Google Ads
- Google Groups (consumer version)
- Any other consumer Google service
This is a critical point that practices overlook: only services explicitly listed in the BAA are covered. If Google launches a new product or feature, it is not automatically included. You need to check the BAA scope any time you adopt a new Google tool in your workflow.
How to Sign the Google Workspace BAA
The BAA must be accepted by a super admin in your Google Workspace Admin Console. Here is the process:
- Sign in to admin.google.com with your super admin account
- Navigate to Account → Legal and compliance
- Locate the Google Workspace/Cloud Identity HIPAA Business Associate Amendment
- Review the amendment and accept it
Once signed, the BAA applies organization-wide. Every user in your Workspace domain is covered — but only for the services listed in the agreement.
If you have not completed this step, you do not have a BAA with Google. Using Workspace for PHI without a signed BAA is a HIPAA violation, regardless of what plan you are on.
Critical Admin Settings You Must Configure
Signing the BAA is step one. Step two is configuring your Workspace environment so it actually enforces the protections HIPAA requires. Google does not do this for you. These settings must be configured manually by your admin:
Enforce 2-Step Verification (2SV)
Enable and enforce 2-step verification for every user in your organization. Do not make it optional. Under the 2025 HIPAA Security Rule amendments, multi-factor authentication is moving from recommended to required. Set this up now.
Admin Console → Security → 2-Step Verification → Enforcement → On
Configure Data Loss Prevention (DLP) Rules
Set up DLP rules in Gmail and Drive to detect PHI patterns — Social Security numbers, medical record numbers, date-of-birth formats, and insurance ID patterns. DLP will not catch everything, but it adds a detection layer for accidental external sharing.
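To make concrete what a pattern-based DLP rule actually matches, and what it silently misses, here is a small hand-rolled detector. This is an added example, not Google's predefined DLP detectors and not code from the original article; the MRN and insurance-ID formats, the domain names and the sample messages are all constructed for the illustration.

```python
import re
from typing import List, Tuple

# Constructed PHI patterns for illustration. Google's DLP uses its own
# predefined detectors; the MRN and insurance-ID formats below are assumed.
PHI_PATTERNS = {
    # US Social Security number in the common dashed form 123-45-6789.
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Medical record number: a labelled 6-8 digit identifier (assumed format).
    "mrn": re.compile(r"\bMRN[:#\s-]*\d{6,8}\b", re.IGNORECASE),
    # Date of birth as MM/DD/YYYY, matched only when labelled DOB to limit noise.
    "dob": re.compile(
        r"\bDOB[:\s]*(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b",
        re.IGNORECASE,
    ),
    # Insurance member ID: three letters followed by nine digits (assumed format).
    "insurance_id": re.compile(r"\b[A-Z]{3}\d{9}\b"),
}


def scan_for_phi(text: str) -> List[Tuple[str, str]]:
    """Return (detector, matched_text) pairs for every PHI pattern hit."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def should_block_external_send(text: str, recipient_domain: str, own_domain: str) -> bool:
    """Mimic a 'block when PHI is detected and the recipient is external' action.

    Internal recipients are never blocked; external recipients are blocked
    as soon as any detector fires.
    """
    if recipient_domain.lower() == own_domain.lower():
        return False
    return bool(scan_for_phi(text))


# Constructed sample messages with fictional identifiers.
SAMPLE_MESSAGES = {
    "caught": "Patient SSN 123-45-6789, MRN: 4471902, DOB: 03/14/1962, member ABC123456789",
    # Same SSN without separators: the dashed pattern does not fire. This is
    # the kind of gap the article means by 'DLP will not catch everything'.
    "missed": "Please confirm SSN 123456789 before billing",
}


def demo() -> dict:
    """Run both samples against an external recipient and report the outcome."""
    return {
        name: {
            "hits": scan_for_phi(body),
            "blocked": should_block_external_send(body, "gmail.com", "clinic.example"),
        }
        for name, body in SAMPLE_MESSAGES.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "missed" sample is the point of the exercise: a reformatted identifier, a screenshot, or a number split across lines all slip past a regex, so DLP is a detection layer on top of sharing restrictions and training, not a substitute for them.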
Restrict Third-Party App Access
This is one of the most overlooked settings. By default, users can grant third-party apps access to their Workspace data — including Drive files and email. Every third-party app that touches PHI needs its own BAA with your practice. If it does not have one, block it.
Admin Console → Security → API Controls → Manage Third-Party App Access
Set Mobile Device Management (MDM) Policies
If staff access Workspace from personal phones or tablets, you need MDM policies enforcing screen locks, encryption, and remote wipe capability. An unlocked phone with access to a Gmail account containing PHI is a breach waiting to happen.
Enforce TLS for Email
Configure email routing to require TLS encryption for all outbound messages. If the recipient's mail server does not support TLS, the message should be held or bounced — not sent in plaintext.
Admin Console → Apps → Google Workspace → Gmail → Compliance → Secure Transport (TLS) Compliance
Set Retention Policies in Google Vault
HIPAA requires that you retain records for six years. Configure Vault retention rules to prevent premature deletion of emails, Drive files, and Chat messages. Set legal hold policies for any active investigations or audits.
Restrict External Sharing in Drive
Set Drive sharing defaults to internal only. Users should not be able to share files containing PHI with anyone outside your organization without explicit admin approval. The default sharing settings in Google Drive are far too permissive for healthcare.
Disable Less Secure App Access
Ensure that access for less secure apps is turned off across your organization. Legacy protocols that do not support modern authentication are an entry point for credential-based attacks.
Enable Audit Logging
Turn on audit logging for Gmail, Drive, Admin Console, and login activity. These logs are essential for incident investigation and for demonstrating compliance during an OCR audit. Review them regularly — not just when something goes wrong.
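As an added example of what "review them regularly" looks like in practice, the script below triages a batch of audit records and flags the three conditions the article warns about: a Drive file made link-shareable (the sharing section), an OAuth grant of a Drive scope to an app that is not on the practice's approved list (the third-party app section), and repeated login failures against one account. The records are constructed for this example and only loosely modelled on the shape the Admin SDK Reports API returns; the event names, parameter names, visibility values and e-mail addresses are assumptions, not copied from a real export, and the code is not Google's.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Visibility values treated as external exposure (assumed names for the example).
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}
# OAuth scope fragments that reach PHI-bearing services (Drive and Gmail).
PHI_SCOPE_FRAGMENTS = ("auth/drive", "auth/gmail", "mail.google.com")


def _login_failure(email: str, timestamp: str) -> Dict:
    """Build one constructed login-failure record."""
    return {"id": {"time": timestamp, "applicationName": "login"},
            "actor": {"email": email},
            "events": [{"type": "login", "name": "login_failure",
                        "parameters": [{"name": "login_type", "value": "google_password"}]}]}


# Constructed sample batch: one external share, two OAuth grants, four failed logins.
SAMPLE_ACTIVITIES: List[Dict] = [
    {"id": {"time": "2026-01-12T14:03:11Z", "applicationName": "drive"},
     "actor": {"email": "nurse@clinic.example"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Intake form - J. Doe"},
                                {"name": "old_visibility", "value": "private"},
                                {"name": "visibility", "value": "people_with_link"}]}]},
    {"id": {"time": "2026-01-12T15:20:40Z", "applicationName": "token"},
     "actor": {"email": "billing@clinic.example"},
     "events": [{"type": "auth", "name": "authorize",
                 "parameters": [{"name": "app_name", "value": "PDF Merger Free"},
                                {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
    {"id": {"time": "2026-01-12T15:25:02Z", "applicationName": "token"},
     "actor": {"email": "billing@clinic.example"},
     "events": [{"type": "auth", "name": "authorize",
                 "parameters": [{"name": "app_name", "value": "Approved EHR Connector"},
                                {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar"]}]}]},
] + [_login_failure("frontdesk@clinic.example", f"2026-01-12T16:0{i}:00Z") for i in range(4)]


def param(event: Dict, name: str) -> Optional[object]:
    """Read a named parameter; multi-valued parameters come back as a list."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value", p.get("multiValue"))
    return None


def triage(activities: Iterable[Dict], allowed_apps: Set[str], failure_threshold: int = 3) -> List[Dict]:
    """Return findings for external shares, unapproved PHI-scope grants and brute-force-like login failures."""
    findings: List[Dict] = []
    failures: Counter = Counter()
    for record in activities:
        app = record["id"]["applicationName"]
        actor = record["actor"]["email"]
        for event in record["events"]:
            if app == "drive" and event["name"] == "change_document_visibility":
                visibility = param(event, "visibility")
                if visibility in EXTERNAL_VISIBILITY:
                    findings.append({"kind": "external_share", "actor": actor,
                                     "detail": f"{param(event, 'doc_title')} -> {visibility}"})
            elif app == "token" and event["name"] == "authorize":
                app_name = param(event, "app_name")
                scopes = param(event, "scope") or []
                touches_phi = any(frag in s for s in scopes for frag in PHI_SCOPE_FRAGMENTS)
                if app_name not in allowed_apps and touches_phi:
                    findings.append({"kind": "unapproved_oauth_grant", "actor": actor,
                                     "detail": f"{app_name} granted {', '.join(scopes)}"})
            elif app == "login" and event["name"] == "login_failure":
                failures[actor] += 1
    for actor, count in failures.items():
        if count >= failure_threshold:
            findings.append({"kind": "repeated_login_failure", "actor": actor,
                             "detail": f"{count} failures"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ACTIVITIES, allowed_apps={"Approved EHR Connector"}):
        print(finding)
```

The allow-list is the piece that ties this back to the BAA: an app that reaches Drive or Gmail data and is not on the list of vendors with a signed BAA is a data flow outside the agreement, and the token log is where it first shows up.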
What Google Workspace Does NOT Do
This is where most practices make a fundamental mistake. They sign the BAA, configure the settings above, and assume they are HIPAA compliant. They are not. Google Workspace is a productivity platform. It is not a compliance program.
Google Workspace does not:
- Perform your risk assessment. HIPAA requires a documented security risk analysis covering your entire practice — not just your email provider. Google does not do this for you.
- Train your staff. Your workforce needs documented HIPAA training, including how to handle PHI in Google tools specifically. Google does not provide this.
- Track BAAs for your other vendors. Your practice likely uses 10 to 20 vendors that touch PHI — EHR, billing, scheduling, imaging, fax, shredding. Google's BAA covers Google. The rest are your responsibility.
- Monitor compliance across your full tech stack. Google cannot tell you whether your EHR vendor's security posture changed, whether a staff member is using an unauthorized app, or whether your physical safeguards are adequate.
- Provide incident response procedures. If a breach occurs — even one involving Google Workspace — your practice needs its own incident response plan, breach notification procedures, and documentation trail.
- Make the free tier compliant. There is no BAA available for free Google accounts. Period.
Common Mistakes Practices Make With Google Workspace
Even practices that sign the BAA and configure settings frequently make these errors:
Signing the BAA but leaving default sharing settings wide open. The BAA does not override your admin configuration. If Drive files are shareable with anyone who has the link, PHI is one click away from exposure.
Not restricting third-party app access. Every Chrome extension, every connected app, every OAuth grant is a potential data flow that your BAA does not cover. Audit and restrict these aggressively.
Using personal Google accounts alongside Workspace accounts. Staff who toggle between their personal Gmail and their Workspace account on the same browser can easily send PHI from the wrong account. This is a violation with no technical safeguard unless you enforce account separation.
Storing PHI in uncovered services. Google Maps timeline data, YouTube comments, Blogger drafts — none of these are covered by the BAA. If a staff member pins a patient's home address in Google Maps or stores notes in an uncovered service, that is unprotected PHI.
Ignoring Vault retention requirements. Without Vault retention policies, a user can permanently delete emails or files that HIPAA requires you to retain for six years. Configure retention before it becomes a problem during an audit.
Where Google Workspace Fits in Your Compliance Program
Google Workspace is your productivity layer. It handles email, file storage, video conferencing, and collaboration. With a signed BAA and proper configuration, it can handle those tasks in a HIPAA-compliant manner.
But it is not your compliance program. Your compliance program includes:
- A documented, current security risk assessment
- Written policies and procedures
- Workforce training with documented completion
- Vendor management and BAA tracking for every business associate
- Incident response and breach notification procedures
- Physical safeguard documentation
- Ongoing monitoring and review
Patient Protect covers the full compliance posture that Google Workspace cannot. Our platform manages your risk assessment, tracks every vendor BAA, monitors your data flows, trains your staff, and gives you a defensible compliance record — starting at $39/month with no long-term contract. Google handles your email. Patient Protect handles your compliance.
Frequently Asked Questions
Is Google Workspace free HIPAA compliant?
No. Free Google accounts — including personal Gmail, consumer Google Drive, and free-tier Google apps — are not eligible for a BAA. Without a BAA, using any Google service with PHI is a HIPAA violation. You must be on a paid Workspace plan.
Does Google sign a BAA?
Yes. Google will sign a BAA (technically a Business Associate Amendment) with organizations on any paid Google Workspace plan. The BAA must be accepted by a super admin through the Admin Console under Account → Legal and compliance.
Which Google Workspace plan do I need for HIPAA?
Any paid plan qualifies — Business Starter, Business Standard, Business Plus, or Enterprise. The BAA is available on all four. The difference between plans is feature depth (storage, meeting capacity, Vault availability), not HIPAA eligibility. However, Google Vault is only available on Business Plus and Enterprise, so practices that need retention and legal hold capabilities should choose one of those tiers.
Is Google Drive HIPAA compliant?
Google Drive is covered under the Google Workspace BAA, so it can be used to store and share PHI — but only if the BAA is signed and sharing settings are properly restricted. Default Drive sharing settings are too permissive for healthcare. You must configure external sharing restrictions and DLP rules before storing any patient data in Drive.
Can I use Google Meet for telehealth?
Google Meet is covered under the Workspace BAA and can be used for telehealth appointments, provided your BAA is signed and your Workspace environment is properly configured. Meet encrypts data in transit, and recordings stored in Drive are covered under the same BAA. Ensure that meeting links are not publicly accessible and that recordings are stored only in HIPAA-compliant locations within your Workspace environment.
