The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes standards for protecting protected health information (PHI). This includes any individually identifiable health information, whether electronic (ePHI), written, or oral.
Google Workspace and Google's embedded AI product, Gemini, can be HIPAA compliant with additional configuration and the signing of a Business Associate Agreement (BAA). It is important to note that neither is HIPAA compliant "out of the box": the BAA and the additional configuration are both required.
Why a Healthcare Organization's Google Services Need to be HIPAA Compliant
Google Workspace needs to be HIPAA compliant because many organizations in the healthcare industry, such as hospitals, clinics, and insurance companies, use its services for communication, collaboration, and data storage. It's a shared responsibility, where Google provides a compliant platform, and the client is responsible for configuring and using the services in a HIPAA-compliant manner.
Here are some of the reasons why compliance is important to healthcare organizations, companies, and contractors adjacent to those businesses.
Covered Entities and Business Associates
HIPAA applies to "covered entities" (healthcare providers, health plans, and healthcare clearinghouses) and their "business associates." A business associate is any person or entity that performs functions or activities on behalf of a covered entity, involving the use or disclosure of PHI.
Google as a Business Associate: Legal Obligation and Risk Mitigation
When healthcare organizations use Google Workspace services (like Gmail, Drive, Calendar, Meet, etc.) to create, receive, maintain, or transmit PHI, Google becomes a business associate.
As a business associate, Google is legally obligated to comply with HIPAA's Privacy, Security, and Breach Notification Rules. If Google Workspace were not HIPAA compliant, healthcare organizations using it to handle PHI would be in violation of federal law, facing significant legal and financial penalties, as well as reputational damage.
Data Security and Privacy
HIPAA compliance ensures that Google has implemented the necessary administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, disclosure, alteration, or destruction. This includes measures like encryption, access controls, audit logs, and incident response procedures.
Client Requirements
Vendors to healthcare organizations often need to agree to be HIPAA compliant in their own business operations, particularly if their services involve anything that touches personal health data.
How to Configure Google Workspace to be HIPAA Compliant
Step 1: Business Associate Agreement (BAA)
To be HIPAA compliant, healthcare organizations must have a signed Business Associate Agreement (BAA) with Google. This is a legally binding contract that outlines Google's responsibilities for protecting PHI and specifies how they will handle and secure the data.
Google gives these steps to review and submit your BAA:
Sign in with a super administrator account to the Google Admin console. If you aren't using a super administrator account, you can't complete these steps.
- Go to Menu and then Account > Account settings > Legal and compliance.
- Go to the Security and Privacy Additional Terms section.
- Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.
- Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity.
- To accept the HIPAA BAA, click OK.
Step 2: Configuration
Turn off Early Access Apps
While in your Admin console, go to Apps > Additional Google services > Settings for Early Access Apps > Core Data Access Permissions. Turn this setting off.
Be Aware of "Covered" Services
Only the following services can interact with PHI in Google Workspace:
- AppSheet
- Apps Script
- Cloud Identity Management
- Gemini app
- Gemini in Workspace
- Gmail
- Google Calendar
- Google Chat
- Google Cloud Search
- Google Drive (including Google Docs, Google Forms, Google Sheets, Google Slides, and Google Vids)
- Google Groups
- Google Keep
- Google Meet
- Google Sites
- Google Tasks
- Google Vault (if applicable)
- Google Voice (managed users only)
Google Contacts cannot interact with PHI. To prevent contacts that may contain PHI from being added to Google Contacts, you can make changes in your Directory to limit contacts to your own organization. In more extreme cases, you can choose to turn the Directory off entirely.
You can certainly use other Google apps and services, just not in a way that will ever interact with PHI. If, for example, you're using Veo 3 to create marketing videos, as long as you aren't introducing any PHI into those videos, you're good.
Third-party Google Workspace add-ons are not covered by your BAA, and should probably be disabled anyway, because they are not as secure as core Google services. Google Workspace already offers most of the functionality you need, and if it doesn't, check with your administrator or Google Partner to see if it is just in a spot you're not expecting it to be in. If you really need a separate third-party add-on, it is generally governed under its own BAA, which needs to be signed separately.
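One way to keep an eye on the add-on problem is to review which third-party OAuth apps your users have granted access to BAA-covered services. The script below is an added example, not from the article, Google, or UpCurve Cloud: it scans Admin SDK Reports API "token" activity events for "authorize" grants from clients outside a reviewed allow-list that hold Gmail, Drive, Calendar or Chat scopes. It assumes the Reports API event shape (actor.email, an events[] entry named "authorize" with client_id, app_name and multi-valued scope parameters); the three sample events, the app names and the approved client id are constructed placeholders, and you would feed it the output of activities().list(userKey="all", applicationName="token") in practice.

```python
"""Flag third-party OAuth grants on BAA-covered Workspace services.

Added example (not the article's, Google's or UpCurve Cloud's code). Input is
assumed to look like Admin SDK Reports API token activity records.
"""
import json

# Scope prefixes for services the article lists as BAA-covered and that
# commonly hold PHI. Extend this tuple for your own environment.
PHI_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/chat",
)

# Placeholder allow-list: OAuth client ids you have reviewed, e.g. a vendor
# that signed its own BAA. Replace with real values from your review process.
APPROVED_CLIENT_IDS = {"approved-vendor.apps.googleusercontent.com"}

# Constructed sample events shaped like Reports API "token" activities.
SAMPLE_EVENTS = [
    {   # unreviewed scheduler add-on with Calendar access -> should be flagged
        "actor": {"email": "alice@example.com"},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": "acme-scheduler.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Acme Scheduler (constructed)"},
            {"name": "scope", "multiValue": [
                "https://www.googleapis.com/auth/calendar",
                "https://www.googleapis.com/auth/userinfo.email"]},
        ]}],
    },
    {   # reviewed vendor with Drive access -> allow-listed, not flagged
        "actor": {"email": "bob@example.com"},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": "approved-vendor.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Approved Vendor (constructed)"},
            {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]},
        ]}],
    },
    {   # sign-in only, no PHI-bearing scopes -> not flagged
        "actor": {"email": "carol@example.com"},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": "fun-quiz.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Fun Quiz (constructed)"},
            {"name": "scope", "multiValue": ["openid",
                "https://www.googleapis.com/auth/userinfo.profile"]},
        ]}],
    },
]


def _param(parameters, name):
    """Return a named parameter's value, single- or multi-valued, else None."""
    for p in parameters:
        if p.get("name") == name:
            return p.get("value", p.get("multiValue"))
    return None


def phi_scopes(scopes):
    """Return the subset of scopes that touch a BAA-covered service."""
    return sorted(s for s in scopes if s.startswith(PHI_SCOPE_PREFIXES))


def find_unreviewed_grants(activities, approved=APPROVED_CLIENT_IDS):
    """Return one finding per unreviewed 'authorize' grant with PHI scopes."""
    findings = []
    for activity in activities:
        user = activity.get("actor", {}).get("email", "<unknown>")
        for event in activity.get("events", []):
            if event.get("name") != "authorize":   # ignore revoke/activity events
                continue
            params = event.get("parameters", [])
            client_id = _param(params, "client_id")
            if client_id in approved:
                continue
            risky = phi_scopes(_param(params, "scope") or [])
            if risky:
                findings.append({"user": user, "client_id": client_id,
                                 "app_name": _param(params, "app_name"),
                                 "scopes": risky})
    return findings


if __name__ == "__main__":
    for finding in find_unreviewed_grants(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Each finding names the user, the client id and the covered-service scopes involved, which is what you need to decide whether to revoke the grant, restrict the app under the Admin console's API controls, or route the vendor through its own BAA.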
Resources for Google Workspace HIPAA Compliance
Google has a comprehensive guide available for HIPAA compliance configuration for Google Workspace, updated in June of 2025. UpCurve Cloud can help you step through all of the configuration procedures; we've done this for hundreds of healthcare organizations and businesses. It's why we're one of the Google Partners of choice for healthcare. We manage the change, make sure all the checklist items are done, and follow up with any training you may need to ensure HIPAA compliance. Contact us today to find out more.
Contact Us to Learn More about Transforming Your Business