Is Google Workspace HIPAA Compliant? The Complete Guide

Compliance, data loss prevention, Gmail, Google, Google Workspace, HIPAA Compliance, mfa, phi, telehealth

Adelia Risk helps healthcare organizations make Google Workspace HIPAA-compliant. We audit Google Workspace tenants for medical practices, dental offices, behavioral health groups, and other covered entities across the U.S. The question we hear most often: “We signed Google’s BAA. Are we HIPAA compliant now?”

The short answer is no. Signing the Business Associate Agreement is step one. What matters next is how the tenant is configured and how your team actually uses it. Out of the box, Google Workspace is built for broad business use, not healthcare-specific risk. Default settings leave gaps that can turn into reportable breaches.

This guide explains how to make Google Workspace HIPAA compliant, product by product: Gmail, Google Drive, Google Meet, Google Chat, Google Keep, Google Voice, Gemini, and Google Cloud Platform. For each one, we’ll explain what’s covered under the BAA, what you need to configure, and the mistakes we see most often.

If you want the technical settings, Adelia Risk published a 96-point Google Workspace security checklist that covers every Admin Console setting worth reviewing. We also created a HIPAA-specific version of that checklist with regulatory tags for each item.

The Short Answer Is Yes, If You Configure It Right

Google Workspace can be HIPAA-compliant. Google will sign a Business Associate Agreement with paid Workspace customers. The BAA covers specific Google services and commits Google to implementing physical, technical, and administrative safeguards to protect PHI.

But Google says it plainly in their own documentation:

“Customers are responsible for evaluating their own HIPAA compliance and ensuring that they use Google services in compliance with HIPAA.”

“PHI is allowed only in a subset of Google services.”

“These Google covered services must be configured by IT administrators to help ensure that PHI is properly protected.”

Signing the BAA without configuring the tenant gives you the legal framework without the controls that make it work in practice. The BAA is a legal agreement. Configuration is the actual security.

Google’s Business Associate Agreement

What the BAA Covers

Google’s BAA covers a specific list of services. As of March 2026, Google’s HIPAA Included Functionality list includes:

  • Gmail (paid Workspace accounts only, not free @gmail.com addresses)
  • Google Drive (including Docs, Sheets, Slides, and Forms)
  • Google Calendar
  • Google Chat
  • Google Meet
  • Google Keep
  • Google Vault
  • Google Sites
  • Cloud Search
  • Google Voice (if provisioned for your organization)
  • Gemini for Google Workspace
  • Google Groups
  • Google Tasks
  • Google Vids
  • Cloud Identity Management

For the latest list, see Google’s HIPAA compliance page. Google also publishes a HIPAA Implementation Guide with service-specific configuration advice.

What the BAA Does NOT Cover

Dozens of Google services fall outside the BAA. YouTube, Google Maps, Google Ads, Blogger, Google My Business, and most “Additional Google Services” in the Admin Console are not covered. If patient data ends up in an uncovered service, the BAA doesn’t apply.

Third-party Marketplace add-ons and browser extensions are not covered by Google’s BAA, even when installed through your Workspace account. If you use a third-party tool that touches PHI, that vendor needs its own BAA with your organization.

Google Contacts is not covered. This one catches people. Healthcare staff naturally store patient phone numbers, addresses, and notes in Google Contacts because it’s right there in the interface. But Contacts is not on the BAA-covered services list. Patient contact information tied to health data is PHI, and it shouldn’t live in Contacts. Use your EHR or a BAA-covered tool instead.

Other common surprises: a staff member uploads a patient education video to YouTube from their work account, or a front desk employee uses Google My Business messaging to respond to a patient question. Those interactions involve PHI in a service that has no BAA protection.

How to Sign the BAA

The process takes about two minutes:

  1. Sign in to the Google Admin Console (admin.google.com) with a super administrator account
  2. Go to Account > Account Settings > Legal and Compliance
  3. Review and accept the BAA


Which Workspace Edition Do You Need?

You need a paid Google Workspace edition that can operate under Google’s BAA. Education Standard, Education Plus, and Frontline editions can qualify as well, but the feature set still matters because retention and security controls vary by edition.

Business Plus is the minimum viable edition. It includes Vault (required for HIPAA retention), basic mobile management, and the ability to sign the BAA. Many small practices run a HIPAA-compliant Google Workspace environment on Business Plus.

Enterprise Standard and Enterprise Plus add features that make compliance significantly easier to manage: advanced Data Loss Prevention (DLP), Context-Aware Access, the Security Center dashboard, and the Security Investigation Tool. If your organization has more than a handful of users or handles high volumes of PHI, Enterprise features reduce the manual oversight required.

Business Starter and Business Standard can sign the BAA, but they lack Vault and advanced security controls. You’d need to supplement with third-party tools for retention and DLP, which adds cost and complexity. For most healthcare organizations, Business Plus is the practical floor.

The BAA Is Not a Compliance Certificate

We run into this misunderstanding constantly. A practice signs the BAA and assumes the hard part is over. Google’s BAA means Google is taking on defined obligations for the covered services on its side. It doesn’t mean your organization is using the platform in a HIPAA-compliant way.

Google handles its side. Your team still owns access controls, encryption, sharing permissions, audit logging, retention, and device management.

Gmail HIPAA Compliance

Gmail is one of the most important products to configure in a HIPAA-aligned Google Workspace environment. It’s also where we find the most compliance gaps.

Is Gmail HIPAA Compliant?

Gmail through a paid Google Workspace account can be HIPAA compliant, but only with the BAA signed and the tenant configured correctly. Free Gmail accounts (@gmail.com) are not a fit for HIPAA use because Google does not offer a BAA for consumer Gmail, nor does it have the security controls that HIPAA expects.

Gmail Encryption and HIPAA

Gmail uses TLS encryption by default for email in transit. TLS encrypts the connection between mail servers, which covers most email sent between Gmail users and most major email providers.

There’s a catch, though: TLS only works if the receiving server also supports it. If you send an email to a small provider that doesn’t support TLS, the email falls back to unencrypted transmission. For email within your own organization (employee to employee), TLS is always on. For email to external parties, you can’t guarantee it.

HIPAA requires transmission security for ePHI (45 CFR 164.312(e)(1)). For healthcare organizations that email PHI to patients, insurers, or other providers, TLS alone may not be enough. Options include:

  • MTA-STS: Helps enforce TLS for mail sent to your domain and reduces downgrade risk. You configure it through DNS and a published policy.
  • S/MIME or client-side encryption: Available in higher-tier editions and used when you need stronger message-level protection, instead of just transport encryption.
  • Third-party secure email add-ons: Products like Paubox or Virtru add end-to-end encryption on top of Gmail. Some integrate directly into the Gmail interface.
  • Patient consent: HHS has clarified that covered entities may communicate with patients via unencrypted email if the patient has been informed of the risks and still prefers email. Get written consent, and keep documentation proving the patient understood the risks.
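The MTA-STS option above is easy to publish in a half-working state (wrong record syntax, an MX host the policy forgets, a mode that never enforces). The following is an added example, not code from the article or from Adelia Risk: a small validator that parses the `_mta-sts` TXT record and the policy file and confirms every MX host is covered. The domain, record and policy values are constructed; a real check would fetch them from DNS and HTTPS.

```python
"""Check an MTA-STS deployment for a domain whose mail is hosted in Google Workspace.
Added example, not from the article: it validates the _mta-sts TXT record and the policy
file served at https://mta-sts.<domain>/.well-known/mta-sts.txt, using constructed inputs."""
import re

TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?$")   # RFC 8461 record form
MAX_AGE_LIMIT = 31557600   # one year, the largest max_age RFC 8461 allows

def parse_sts_txt(record):
    """Return the policy id from a _mta-sts TXT record, or None if malformed."""
    m = TXT_RE.match(record.strip())
    return m.group(1) if m else None

def parse_policy(text):
    """Parse a mta-sts.txt body into a dict; every 'mx:' line is collected in a list."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        if ":" not in line:
            return None   # not 'key: value'
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy[key.strip()] = value.strip()
    return policy

def mx_matches(pattern, host):
    """An mx pattern is an exact host, or '*.' plus a suffix that matches one extra label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern

def check_mta_sts(txt_record, policy_text, expected_mx):
    """Return a list of findings; an empty list means the deployment looks sound."""
    findings = []
    if parse_sts_txt(txt_record) is None:
        findings.append("TXT record is not 'v=STSv1; id=...'")
    policy = parse_policy(policy_text)
    if policy is None:
        return findings + ["policy file has a line that is not 'key: value'"]
    if policy.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append("mode must be enforce, testing or none")
    elif mode != "enforce":
        findings.append(f"mode is '{mode}': senders will not refuse a TLS downgrade")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        findings.append("max_age missing or out of range")
    for host in expected_mx:   # an MX host no mx line covers means senders refuse delivery
        if not any(mx_matches(p, host.lower()) for p in policy["mx"]):
            findings.append(f"MX host {host} is not covered by any mx line")
    return findings

# Constructed sample. The Google hostnames are Google's published Workspace MX hosts;
# confirm them against your own domain's MX records before switching to enforce.
SAMPLE_TXT = "v=STSv1; id=20260301T000000"
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\n"
                 "mx: *.aspmx.l.google.com\nmax_age: 604800\n")
SAMPLE_MX = ["aspmx.l.google.com", "alt1.aspmx.l.google.com"]

if __name__ == "__main__":
    for finding in check_mta_sts(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX) or ["no findings"]:
        print(finding)
```

Run the check in `testing` mode first with a TLS-RPT address configured, and only move to `enforce` once no MX host is reported as uncovered.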

Common Gmail HIPAA Mistakes

Not enforcing two-step verification. We see this constantly. MFA might be “available” for the organization, but not enforced. Users skip enrollment indefinitely. One compromised password and an attacker reads every email in the account, including emails containing PHI. Set a firm enrollment deadline and make MFA mandatory.

Sharing email account credentials. Practices sometimes share login credentials for accounts like info@yourpractice.com or billing@yourpractice.com. HIPAA’s Security Rule requires unique user identification (45 CFR 164.312(a)(2)(i)). Shared credentials mean you can’t track who accessed what. Use Google Groups to route mail to multiple inboxes instead.

Leaving auto-forwarding enabled. If a mailbox is compromised and a forwarding rule is added to an external address, email can continue leaving the environment without much visibility. Disable automatic forwarding at the organization level.

Not configuring DLP. Data Loss Prevention rules scan outbound email for sensitive patterns. Without DLP, you have fewer guardrails to catch an employee who accidentally emails a spreadsheet of patient records to the wrong address.

Ignoring Additional Google Services. Google’s BAA applies to specific services, not everything available through a work account. Services such as YouTube and Blogger sit outside that scope. If staff can access them with their work accounts, PHI can end up in the wrong place. Turn off services your team doesn’t need.
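Two of the mistakes above, MFA that is available but not enforced and auto-forwarding to outside addresses, can be measured rather than guessed at. The following is an added example, not code from the article or from Adelia Risk: it audits constructed user and auto-forwarding records shaped like the Admin SDK Directory API users resource and the Gmail API `users.settings.getAutoForwarding` response. The tenant domains and mailboxes are assumptions; a real audit would pull the records from those APIs.

```python
"""Audit a Workspace tenant for two Gmail gaps: active users not enrolled in 2-Step
Verification, and auto-forwarding that sends mail outside the organization.
Added example, not from the article; records are constructed in the shape of the
Directory API users resource and the Gmail API getAutoForwarding response."""

ORG_DOMAINS = {"clinic.example", "mail.clinic.example"}   # constructed: the tenant's domains

USERS = [   # constructed, Directory API user shape
    {"primaryEmail": "dr.lee@clinic.example", "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "frontdesk@clinic.example", "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "billing@clinic.example", "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "old.temp@clinic.example", "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": False, "suspended": True},
]
AUTO_FORWARDING = {   # constructed, getAutoForwarding shape, keyed by mailbox
    "dr.lee@clinic.example": {"enabled": False},
    "frontdesk@clinic.example": {"enabled": True, "disposition": "leaveInInbox",
                                 "emailAddress": "frontdesk.clinic@example.com"},
    "billing@clinic.example": {"enabled": True, "disposition": "archive",
                               "emailAddress": "ar@mail.clinic.example"},
}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def audit_two_step(users):
    """Flag active users not enrolled in 2SV, or enrolled but not under enforcement."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue   # cannot sign in; offboarding is a separate review
        if not u.get("isEnrolledIn2Sv"):
            findings.append((u["primaryEmail"], "2SV not enrolled"))
        elif not u.get("isEnforcedIn2Sv"):
            findings.append((u["primaryEmail"], "2SV enrolled but not enforced"))
    return findings

def audit_forwarding(settings, org_domains):
    """Flag enabled auto-forwarding whose target domain is not one of the tenant's own."""
    findings = []
    for mailbox, s in settings.items():
        if s.get("enabled") and domain_of(s.get("emailAddress", "")) not in org_domains:
            findings.append((mailbox, f"auto-forwards to {s.get('emailAddress')}"))
    return findings

def run_audit(users=USERS, forwarding=AUTO_FORWARDING, org_domains=ORG_DOMAINS):
    """Combine both checks into one sorted list of (mailbox, issue) pairs."""
    return sorted(audit_two_step(users) + audit_forwarding(forwarding, org_domains))

if __name__ == "__main__":
    for mailbox, issue in run_audit():
        print(f"{mailbox}: {issue}")
```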

For detailed Gmail security settings, including Admin Console paths and step-by-step guidance, see Adelia Risk’s Gmail Security Guide.

Google Drive and Docs HIPAA Compliance

Many healthcare organizations store patient records, intake forms, billing documents, and scanned records in Google Drive. Drive is often the highest-risk product in a Google Workspace HIPAA compliance review because the default sharing model is broader than most healthcare organizations should accept.

We cover Google Drive HIPAA compliance in depth in a dedicated guide. Here’s the summary:

The biggest risk is external sharing. Google Drive’s default settings allow users to share files with “anyone with the link,” which makes access much broader than most healthcare teams intend. If that file contains PHI, you have a potential breach. Restrict external sharing to allowlisted domains or disable it entirely for organizational units that handle patient data.

Disable “Publish to the web.” This creates a genuinely public URL that search engines can index. Published files auto-update. A spreadsheet with patient names published accidentally stays indexed in Google Search until someone notices.

Configure DLP for Drive. Scan files for PHI patterns: patient names combined with medical record numbers, diagnosis codes, and insurance IDs. DLP is your automated check against accidental sharing of files containing sensitive data.

Watch local syncing. Google Drive for Desktop syncs files to local computers. Once a file is synced locally, it falls outside of Google’s access controls and DLP. If your staff syncs Drive folders that contain PHI, those files exist on the local hard drive. If the laptop is lost and unencrypted, that’s a reportable breach.
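Restricting sharing to allowlisted domains only helps if you can find the files that already break the rule. The following is an added example, not code from the article or from Adelia Risk: it classifies constructed Drive permission records, in the shape of the Drive API v3 permissions resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`), as public, external, or within policy. The allowlist, file names and grantees are assumptions; a real review would list permissions through that API.

```python
"""Review Drive sharing against a domain allowlist. Added example, not from the article.
File records are constructed and use Drive API v3 permissions field names."""

ALLOWED_DOMAINS = {"clinic.example", "partner-lab.example"}   # constructed allowlist

FILES = [   # constructed
    {"name": "intake-2026-03.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "frontdesk@clinic.example"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "lab-referral.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr.lee@clinic.example"},
        {"type": "user", "role": "writer", "emailAddress": "results@partner-lab.example"},
        {"type": "user", "role": "reader", "emailAddress": "someone@example.com"}]},
    {"name": "staff-rota.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "office@clinic.example"},
        {"type": "domain", "role": "reader", "domain": "clinic.example",
         "allowFileDiscovery": True}]},
]

def classify_permission(perm, allowed_domains):
    """Return 'public', 'external', or None (within policy) for one permission entry."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return "public"   # 'anyone with the link'; also searchable when allowFileDiscovery is true
    if ptype == "domain":
        grantee = perm.get("domain", "")
    elif ptype in ("user", "group"):
        grantee = perm.get("emailAddress", "").rsplit("@", 1)[-1]
    else:
        return "external"   # unknown type: treat as out of policy
    return None if grantee.lower() in allowed_domains else "external"

def principal(perm):
    """Human-readable grantee for a finding."""
    return perm.get("emailAddress") or perm.get("domain") or "anyone with the link"

def review_sharing(files, allowed_domains=ALLOWED_DOMAINS):
    """Return (file name, label, grantee) for every permission outside policy."""
    findings = []
    for f in files:
        for perm in f["permissions"]:
            label = classify_permission(perm, allowed_domains)
            if label:
                findings.append((f["name"], label, principal(perm)))
    return findings

if __name__ == "__main__":
    for name, label, who in review_sharing(FILES):
        print(f"{label:8} {name}: {who}")
```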

For detailed Drive security settings and Admin Console paths, see Adelia Risk’s Drive Security Guide.

Google Meet HIPAA Compliance and Telehealth

Is Google Meet HIPAA Compliant?

Google Meet is covered under the BAA and can be used for HIPAA-compliant telehealth sessions. Meet encrypts data in transit between participants and Google’s servers, and Google encrypts data at rest on its infrastructure.

For telehealth, Google Meet is a strong option within a HIPAA-compliant Google Workspace environment. It works in a browser with no downloads, which makes it accessible for patients who aren’t tech-savvy. For practices that already use Google Workspace, Meet is already part of the subscription.

Telehealth Considerations for Google Meet

Waiting rooms matter. Configure Meet to require host approval before external participants can join. Without this, anyone with a meeting link can walk into a telehealth session. A leaked or guessed link becomes a privacy issue.

Control recording. Meet recordings capture audio, video, screen shares, and chat. If a telehealth session recording contains PHI, that recording needs the same protections as any other PHI. Restrict recording to the host. Make sure recordings are stored in a Drive location with appropriate access controls.

Turn off the Media API unless you have a clear reason to use it. The Meet Media API lets third-party apps capture meeting audio and video. If you rely on a recording or workflow tool here, make sure it has its own BAA and fits your compliance model.

Disable PSTN dial-in if you don’t need it. Phone dial-in adds a second entry point to meetings. Someone with the phone number and PIN may be able to join outside your normal sign-in flow and waiting-room controls.

If your internal policies still reference Google Hangouts, update them to reflect the current Meet and Chat products.

For detailed Meet security settings, see Adelia Risk’s Chat and Meet Security Guide.

Google Chat HIPAA Compliance

Google Chat is covered under the BAA. If your team uses Chat for internal communication about patients, scheduling, or clinical coordination, these settings apply.

Chat retention needs a clear policy. HIPAA’s six-year documentation rule applies to required HIPAA records, not automatically to every chat message (45 CFR 164.530(j)). If your team uses Chat for patient-related communication, lock history to ON and decide how those messages fit into your retention and recordkeeping process.

In our experience, practices that accept Medicare should plan for at least seven years, and those in states with longer requirements may need ten. Consult your attorney for the specific retention periods that apply to your organization.

Configure DLP for Chat. Chat feels informal, and that’s exactly why PHI ends up there. People move fast, share patient names, appointment details, and clinical notes, and do not always think about where that data is going. If your team uses Chat for patient-related communication, configure DLP in Chat itself. Email DLP does not cover it.

Restrict external chat. Control whether your staff can chat with people outside your organization. For most healthcare organizations, external Chat should be restricted to specific trusted domains or turned off.

For detailed Chat security settings, see Adelia Risk’s Chat and Meet Security Guide.

Google Keep, Voice, and Other Workspace Tools

Is Google Keep HIPAA Compliant?

Google Keep is covered under the BAA when used through a paid Google Workspace account. Healthcare staff sometimes use Keep for quick notes: patient callbacks, medication reminders, and follow-up tasks. If those notes contain PHI, Keep’s inclusion in the BAA matters.

Keep does not give you the same level of administrative control as Gmail or Drive. There are no DLP rules for Keep, limited audit visibility, and fewer guardrails around how information is shared. We have seen practices use it for callbacks and follow-ups, but it is a poor place for anything detailed, clinical, or long-lived. This kind of information belongs in your EHR or in Google Drive, where stronger sharing controls and the DLP approach we recommend at Adelia Risk are easier to apply.

For healthcare organizations searching for a HIPAA-compliant note-taking app, Keep is a viable option if your Workspace is properly configured and the BAA is signed.

Is Google Voice HIPAA Compliant?

Google Voice is covered under the BAA when provisioned through Google Workspace (not the free consumer version of Google Voice). Workspace Google Voice provides business phone service, voicemail, and SMS through Google’s infrastructure.

For healthcare organizations using Google Voice in a HIPAA-aligned environment, the Workspace version is the one that belongs in scope. It should be tied to your organization’s account and managed the same way as the rest of your Workspace environment.

Voicemails in Google Voice are stored in the cloud and can contain PHI (patient messages about appointments, prescriptions, symptoms). Make sure your data retention and access policies cover Voice data.

Google Calendar

Google Calendar is covered under the BAA. Calendar events can contain PHI in event titles, descriptions, and attendee lists. This makes calendar hygiene more important than most teams expect. Review how staff name events, what goes into descriptions, and whether offline access is really needed on managed devices.

Google Forms

Google Forms is covered as part of Google Drive. Healthcare organizations sometimes use Forms for patient intake, satisfaction surveys, or screening questionnaires. Form responses are stored in Drive, so they should follow the same sharing and DLP rules as the rest of your Drive data.

Google Gemini and HIPAA

Gemini in Workspace can sit inside Google’s HIPAA Included Functionality when it is accessed through your organization’s Workspace account. In practice, that means the Gemini app and Gemini features inside Workspace services can be used in scope, as long as your team stays inside the covered setup.

There’s an important exception: Gemini in Chrome is not HIPAA compliant. The Gemini sidebar that appears in the Chrome browser operates outside the Workspace BAA. Do not upload or paste PHI into Gemini through Chrome. If your staff uses Chrome, consider disabling the Gemini in Chrome feature through the Admin Console to prevent accidental PHI exposure.

The same applies to the Gemini mobile app when used with a personal Google account. Only the Workspace-provisioned version of Gemini is covered. Keep Gemini use inside the organization’s Workspace account, and make that expectation explicit in training and policy.

If your organization uses Gemini, document which features are enabled and how staff are trained to use them, and add that guidance to your HIPAA training materials. The key point is simple: staff should know the difference between Gemini inside the covered Workspace environment and Gemini experiences that sit outside it.

Google Cloud Platform (GCP) HIPAA Compliance

Google Cloud Platform has its own BAA, separate from Workspace. Most healthcare practices using Google Workspace for email and productivity don’t need GCP. It’s cloud infrastructure for hosting applications, patient portals, and data analytics, not for running email and documents. If your organization does use GCP, the configuration requirements are different from Workspace (network security, IAM policies, encryption key management). See Google’s GCP HIPAA implementation guide for details.

Your Google Workspace HIPAA Compliance Checklist

Adelia Risk created a HIPAA-customized version of our 96-point Google Workspace security checklist. Every setting is tagged as HIPAA Required, HIPAA Recommended, or General Security, with regulatory references that connect each setting to the HIPAA Security Rule.

The checklist covers:

  • 30 HIPAA Required settings that map directly to Security Rule requirements
  • 37 HIPAA Recommended settings that support compliance without being explicitly mandated
  • 35 General Security settings that strengthen your overall posture
  • 6 HIPAA Prerequisites, including BAA signing, edition verification, and PHI service mapping

Start with the prerequisites, then work through the HIPAA Required items. The HIPAA Recommended settings fill in the gaps.

For a detailed walkthrough of every setting with Admin Console paths, step-by-step instructions, and common mistakes, see the full Google Workspace Security Benchmark.

How Adelia Risk Helps

A checklist tells you what to check. A professional audit tells you what you missed.

Adelia Risk’s Google Workspace HIPAA compliance audit reviews all 96 settings, verifies your BAA is active, checks your DLP rules against real PHI patterns, and validates that your retention policies meet the six-year requirement. We also review the organizational pieces that a checklist can’t assess: your risk analysis documentation, workforce training records, and incident response procedures.

If you’re a healthcare organization running Google Workspace and want to confirm your configuration meets HIPAA requirements, Adelia Risk can help you sort that out.

If you have questions about any of the settings in this guide, reach out. We’re happy to point you in the right direction, even if you handle the configuration yourself.


Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
