Is Google Workspace HIPAA Compliant? What Healthcare Practices Need to Know
Google Workspace can support HIPAA compliance, but not out of the box. A Business Associate Agreement has to be in place first, and until it is, putting Protected Health Information into Google Workspace is itself the violation.
Google Workspace can support HIPAA compliance, but only after an administrator reviews and accepts Google's HIPAA Business Associate Amendment in the Admin console. Until that BAA is accepted, PHI must not be placed in Workspace.
Plan / requirement: Available to Google Workspace and Cloud Identity customers; the admin must accept the BAA electronically.
Sources: HIPAA Compliance with Google Workspace and Cloud Identity; Google Workspace HIPAA Business Associate Amendment. Last verified 2026-06-14.
What HIPAA actually requires here
HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For Google Workspace, that mechanism works like this:
An administrator signs in to the Admin console and electronically accepts the HIPAA Business Associate Amendment, which is as legally binding as a paper agreement.
The conditions that decide whether you are actually covered:
- The BAA covers a defined set of 'Included Functionality' core services only.
- Third-party applications and Marketplace add-ons are explicitly excluded from BAA coverage.
- Customers who have not accepted the BAA must not use PHI in Workspace or Cloud Identity.
Where the vendor stops and you begin
The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:
| Party | Where responsibility sits |
|---|---|
| Google | Acts as Business Associate for covered core services once the BAA is accepted. |
| Your practice | Must restrict PHI to covered services and keep it out of non-covered and third-party apps. |
| Your practice | Configures sharing controls, 2-Step Verification, and data-region settings. |
Compliance review
Not sure your Google Workspace setup holds up to an audit?
Cobrix runs a configuration review against the actual healthcare rules your practice operates under, then fixes what does not pass.
Configuring Google Workspace the right way
A defensible Google Workspace deployment in a healthcare practice comes down to a short, ordered checklist:
- Have a Workspace administrator accept the HIPAA BAA in the Admin console before any PHI is entered.
- Disable or restrict non-covered services and Marketplace apps for users who handle PHI.
- Enforce 2-Step Verification for all accounts.
- Configure Drive and Gmail sharing policies to prevent external PHI exposure.
- Document which core services are in scope and train staff to stay inside them.
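Two of the checklist items above (2-Step Verification on every account, and no PHI-bearing Drive files shared outside the organization) are things an administrator can verify rather than assume. The script below is an added example, not code from Cobrix or Google: it audits constructed sample records for exactly those two conditions. The record shapes and field names (`primaryEmail`, `suspended`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, and the `type`/`role`/`emailAddress`/`domain` fields on a Drive permission) are assumptions modelled on what the Admin SDK Directory API `users.list` and the Drive API v3 `permissions.list` return, so confirm them against live output before wiring this to real data; the domain and records are constructed placeholders.

```python
"""Audit constructed Workspace account and Drive-sharing records against two
checklist items: 2-Step Verification on every active account, and no files
shared outside the organization.

Added example, not Cobrix's or Google's code. Field names are assumptions
modelled on the Directory API (users.list) and Drive API v3 (permissions.list);
all records and the domain below are constructed sample data.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example-clinic.test"  # constructed placeholder domain

# Constructed sample resembling a subset of Directory API users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "dr.lee@example-clinic.test", "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "frontdesk@example-clinic.test", "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "intern@example-clinic.test", "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "former.staff@example-clinic.test", "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]

# Constructed sample of Drive files with their permission lists (Drive API v3 shape).
SAMPLE_FILES = [
    {"id": "f1", "name": "patient-intake-2026.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.test"},
        {"type": "anyone", "role": "reader"},  # link-sharing to anyone
    ]},
    {"id": "f2", "name": "lab-results-smith.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.test"},
        {"type": "user", "role": "writer", "emailAddress": "billing@outside-vendor.test"},
    ]},
    {"id": "f3", "name": "staff-rota.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "frontdesk@example-clinic.test"},
        {"type": "domain", "role": "reader", "domain": "example-clinic.test"},
    ]},
]


@dataclass
class Finding:
    control: str   # checklist item the finding maps to
    subject: str   # account or file affected
    detail: str


def audit_two_step(users):
    """Flag active accounts not enrolled in 2SV. 'Enforced' without 'enrolled'
    means the policy is set but this user has not completed setup yet."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; out of scope
        if not u.get("isEnrolledIn2Sv"):
            state = "enforced but not enrolled" if u.get("isEnforcedIn2Sv") else "not enforced"
            findings.append(Finding("2-Step Verification", u["primaryEmail"], state))
    return findings


def _is_external(perm, org_domain):
    """True if a permission grants access to anyone outside org_domain.
    Unknown or malformed entries are treated as external (fail closed)."""
    t = perm.get("type")
    if t == "anyone":
        return True
    if t == "domain":
        return perm.get("domain", "").lower() != org_domain
    if t in ("user", "group"):
        return not perm.get("emailAddress", "").lower().endswith("@" + org_domain)
    return True


def audit_sharing(files, org_domain=ORG_DOMAIN):
    """Flag every permission on every file that reaches outside the organization."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if _is_external(p, org_domain):
                who = p.get("emailAddress") or p.get("domain") or p.get("type", "?")
                detail = f"{p.get('role', '?')} for {who} ({p.get('type', '?')})"
                findings.append(Finding("Drive sharing", f["name"], detail))
    return findings


def run_audit(users=SAMPLE_USERS, files=SAMPLE_FILES):
    """Combine both checks into one list of findings for the audit record."""
    return audit_two_step(users) + audit_sharing(files)


if __name__ == "__main__":
    for fnd in run_audit():
        print(f"[{fnd.control}] {fnd.subject}: {fnd.detail}")
```

On the sample data this reports two accounts without 2SV (one where enforcement is on but the user has not enrolled, one with no enforcement at all) and two externally shared files, while the file shared only within the organization's own domain passes. Keeping the output alongside the BAA acceptance record is the kind of paper trail the checklist's last item asks for.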
Mistakes that quietly void compliance
- Treating Workspace as compliant on signup. The BAA is opt-in and must be actively accepted.
- Storing PHI in a third-party add-on that the BAA does not cover.
- Using a free or consumer Gmail account, which has no BAA path.
Where Cobrix fits
Cobrix is a California MSP/MSSP that configures and monitors tools like Google Workspace for healthcare practices, then documents the controls so they survive an audit. The software gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.
Free resource
Google Workspace HIPAA setup checklist
The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.
Frequently asked questions
Is Google Workspace HIPAA compliant?
Google Workspace can support HIPAA compliance, but only after an administrator reviews and accepts Google's HIPAA Business Associate Amendment in the Admin console. Until that BAA is accepted, PHI must not be placed in Workspace.
How do I get a BAA with Google Workspace?
An administrator signs in to the Admin console and electronically accepts the HIPAA Business Associate Amendment, which is as legally binding as a paper agreement.
What plan do I need for Google Workspace to be HIPAA compliant?
The HIPAA BAA is available to Google Workspace and Cloud Identity customers; an administrator must accept it electronically in the Admin console.
Does a BAA alone make Google Workspace compliant?
No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.