Productivity BAA Guide

Is Google Workspace HIPAA compliant?

G Suite, now known as Google Workspace, is a collection of cloud computing, productivity, and collaboration tools developed by Google. It includes popular services such as Gmail, Google Drive, Google Docs, Google Meet, Google Chat, and Google Calendar, among others. These tools are designed to enhance collaboration, productivity, and efficiency in a range of work environments.

Google Workspace in healthcare

Google Workspace is used across healthcare organizations for productivity, collaboration, and communication. In a healthcare setting, it can serve as a comprehensive solution for both telehealth and in-person care workflows:

  • Google Meet for virtual consultations and telehealth video visits
  • Google Calendar for appointment scheduling and reminders
  • Google Docs for documenting clinical notes, treatment plans, and shared protocols
  • Google Drive for storing and sharing patient records and clinical files
  • Google Sheets for tracking patient populations, quality metrics, and operational data
  • Gmail for staff and patient communication (with appropriate controls)
  • Google Chat for secure internal team messaging

Google Workspace and HIPAA compliance

Google Workspace is HIPAA compliant when used under a signed Business Associate Agreement (BAA) with Google. Google will sign a Workspace BAA for eligible plan tiers (Business Starter, Business Standard, Business Plus, Enterprise, and Google Workspace for Education plans).

The Workspace BAA covers a defined list of core services, including Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Meet, Google Calendar, and Google Chat. Services outside the covered list (YouTube, Google Photos, etc.) are not covered by the BAA and cannot be used for PHI.

More information can be found in Google's HIPAA guide.

What Google is responsible for vs. what you are responsible for

Google's security program covers the underlying infrastructure — data centers, encryption, network security, and service reliability. Under the shared responsibility model, your organization is responsible for:

  • Configuring user access and permissions appropriately
  • Enabling and enforcing two-step verification for all accounts
  • Setting Google Drive sharing settings to "Restricted" to prevent PHI from being shared publicly
  • Training staff on appropriate use of Google Workspace with PHI
  • Managing device access and endpoint security

Which Google Workspace services need attention in healthcare

| Service | BAA covered | HIPAA notes |
|---|---|---|
| Gmail | Yes | Encryption in transit; configure DLP rules for outbound PHI |
| Google Drive | Yes | Set sharing defaults to restricted; see Is Google Drive HIPAA compliant? |
| Google Docs | Yes | Sharing controls critical; see Is Google Docs HIPAA compliant? |
| Google Sheets | Yes | Same sharing controls apply; see Is Google Sheets HIPAA compliant? |
| Google Meet | Yes | Enable end-to-end encryption for sensitive calls |
| Google Chat | Yes | Configure retention policies; covered under Workspace BAA |
| Google Voice (Workspace) | Yes | Requires Workspace edition; see Is Google Voice HIPAA compliant? |

Frequently asked questions

Is Google Workspace HIPAA compliant?
Yes. Google Workspace is HIPAA compliant for covered services when a Business Associate Agreement (BAA) is signed with Google. The BAA must be accepted in the Google Workspace Admin console before using any covered service with PHI.

Does Google sign a HIPAA BAA for Google Workspace?
Yes. Google offers a HIPAA Business Associate Agreement for eligible Google Workspace plans. The BAA is accepted through the Workspace Admin console under Security > HIPAA Setup.

Which Google Workspace plan is required for HIPAA compliance?
HIPAA compliance is available across all paid Google Workspace plans (Business Starter, Business Standard, Business Plus, Enterprise editions). The free Workspace tier and personal Google accounts are not eligible for the BAA.

Is G Suite the same as Google Workspace?
Yes. Google rebranded G Suite to Google Workspace in October 2020. The product is the same suite of services; only the name changed. References to G Suite in older HIPAA documentation or policies refer to the same Google Workspace product.

Staying HIPAA Compliant

Take a look at our ultimate guide to HIPAA compliant software and services for help selecting compliant service providers. Careful vendor evaluation and selection, though, is only one piece of the puzzle for maintaining HIPAA compliance. At TeachMeHIPAA, we offer an affordable HIPAA training solution to ensure your staff know how to comply and to help you meet your legally mandated HIPAA training requirement with ease. Learn more tips and tricks for maintaining compliance on our HIPAA compliance blog.