Is Google Workspace HIPAA compliant? The “easy” answer is yes and no. You can use Google Workspace for collaboration and productivity in your healthcare or medical business and stay HIPAA compliant, but you’ll need to follow a few critical steps.
Just like Zoom and Microsoft Teams, Google Workspace supports HIPAA compliance, but it’s not HIPAA compliant as standard. You need to ensure you’re using the right version of Google Workspace (the free plan won’t cut it), and implementing the right security tools.
Here, I’ll walk you through everything you need to know about HIPAA compliance with Google Workspace and how to avoid fines.
What Makes Software HIPAA Compliant?
As I noted in previous articles about Microsoft Teams and Zoom HIPAA compliance, very few pieces of software are HIPAA compliant “by design”. There are plenty, like Google Workspace, that enable HIPAA compliance by providing robust security tools, access controls, and encryption.
To be HIPAA compliant, software solutions need to offer two things: access to a business associate agreement, and safeguards to protect “Personal Health Information”, or PHI.
HIPAA requires healthcare organizations to implement three categories of safeguards for all of their data:
- Administrative safeguards: Policies and procedures that govern the proper use and disclosure of PHI to adhere to the HIPAA privacy rule. The privacy rule sets limits on how companies can collect data and gives patients the right to access their data.
- Physical safeguards: Measures designed to protect an organization’s physical premises, such as locks and alarm systems. They can also include the use of security keys to help safeguard the integrity of PHI, as required by the HIPAA security rule.
- Technical safeguards: Measures implemented to protect electronic PHI under the HIPAA rule sets. These might include firewalls, encryption options, and auditing tools that allow companies to cooperate with investigations.
Is Google Workspace HIPAA Compliant?
Officially, Google says that Workspace is compatible with HIPAA compliance standards, although there are some limitations. On the positive side, Google Workspace offers security and privacy tools that can help businesses achieve HIPAA compliance.
For example, Google allows companies to implement secure access controls like multi-factor authentication (recommended by HIPAA standards). It also allows companies to implement policies to control how data is stored and managed and enables entity authentication.
Additionally, Google Workspace does leverage end-to-end encryption, but you will need to set up your own encryption standards to ensure you’re adhering to HIPAA rules.
Google is also willing to sign a Business Associate Agreement (BAA) with healthcare organizations, which is crucial to HIPAA compliance (more on that in a moment).
However, you’ll only achieve HIPAA compliance with Google Workspace if you:
- Configure your Google Workspace to support HIPAA compliance
- Sign a BAA with Google (reviewed by administrators)
- Use a paid version of Google Workspace
Which Google Workspace Plans Support HIPAA Compliance?
As mentioned above, only the paid versions of Google Workspace can be HIPAA compliant. The main reason for this is that only premium customers can access a BAA from Google. The good news is that virtually all Workspace plans, aside from the free version, are compatible with HIPAA compliance. The bad news is that Google’s BAA doesn’t cover all Workspace products.
You can check the list of “HIPAA ready” applications here, but for now, all of the following features are covered by Google’s BAA:
- Gmail
- Google Meet
- Gemini AI for Workspace (not including the web version or mobile version of Gemini)
- Google Calendar
- Google Drive
- Sheets, Docs, Slides, and Forms
- App Script
- Google Keep
- Google Sites
- Jamboard
- Google Chat
- Google Voice (only for managed users)
- Cloud Identity Management
- Google Cloud Search
- Vault
- Google Groups
- Google Tasks
- AppSheet
Crucially, all of these apps need to be configured and used according to HIPAA standards too. You’ll need to ensure you’re using the correct access controls, features, and encryptions. For instance, Gmail won’t offer end-to-end encryption as standard on free plans, and end-to-end encryption with TLS can be turned off by administrators.
Notably, third-party apps and tools integrated with Google Workspace aren’t covered by the BAA either, so you’ll need to keep that in mind when creating your ecosystem.
How to Make Google Workspace HIPAA Compliant
Simply put, the answer to “Is Google Workspace HIPAA compliant?” is “It can be”, but you need to follow the right processes. First, you’ll need a paid version of Google Workspace. You’ll also need to take the following steps:
Step 1: Sign a BAA With Google
The only way to ensure Google Workspace is HIPAA compliant, regardless of what security methods you implement, is to sign a Business Associate Agreement with Google. Fortunately, this is pretty straightforward, but I do recommend carefully reviewing the Terms of Service Agreement offered by Google, and the HIPAA implementation guide that Google offers here, first.
The terms of service do note that your company is still responsible for end-user compliance, and that you’ll need to notify Google if you encounter any data breaches. Failure to comply with any service terms could render your agreement invalid.
To request a BAA from Google, simply sign into your Google Workspace account as an admin, and “opt-in” to the HIPAA BAA option like this:
- Click on your Company Profile
- Click Show More, then Legal & Compliance
- Click Review and Accept next to “HIPAA BAA”
- Answer the questions asked by Google
- Click I Accept
Step 2: Train Teams on Google Workspace HIPAA Compliance
Once you’ve signed your BAA with Google, you’ll need to ensure you configure Google Workspace for HIPAA compliance. This means you need to manage your people, processes, and technology effectively. I’d recommend starting with your people.
How your staff handle Workspace applications, devices, and data sharing is crucial to ensuring continued compliance. Don’t just provide initial onboarding training on how to set passwords and use multi-factor authentication.
Set up a regular training cadence to refresh your team’s knowledge and keep them up to date on new threats and emerging regulatory guidelines. Update your training every time you introduce a new feature to Google Workspace, like Google Gemini.
Step 3: Implement Robust Access Controls
Access controls are critical to HIPAA compliance. Fortunately, Google’s admin console allows you to limit exactly who can access PHI, and what they’ll be able to do with it. Ideally, you’ll want to limit access to sensitive data as much as possible.
When fewer people can access your data, you’re much less likely to fall victim to data breaches caused by human error or phishing scams. Once you’ve implemented your access controls, implement multi-factor or two-factor authentication.
HIPAA guidelines recommend using two-factor authentication for systems containing electronic PHI, so it’s a great feature to implement. Additionally, ensure that all the devices your team uses (including mobile phones) are protected by the right security controls.
Step 4: Implement Security Policies
Alongside access controls, you’ll need strong security policies throughout your organization to ensure Google Workspace is HIPAA compliant. As an administrator, dive into your policies and settings on Google Workspace and implement clear rules.
Look at your sharing settings; for instance, you might need to ensure that any PHI shared via email or another Google communication tool features a private or password-protected link. You’ll also need to be cautious about which apps and tools your teams can use alongside Google Workspace.
As mentioned above, the BAA does not cover many Google features and external services. In your admin interface, you can control which apps and tools your teams can download and connect to Google Workspace, potentially reducing your risk.
Generally, it’s a good idea to restrict access to third-party apps, and whitelist specific apps that adhere to your HIPAA compliance guidelines.
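One way to put the allowlisting advice above into practice is to review the OAuth grants users have made to third-party apps and flag anything outside your approved list, especially grants that reach PHI-bearing services such as Drive and Gmail. The script below is an added example, not code from the original article or from Google; the sample records are constructed and follow the general shape of Google Workspace “token” audit activities (actor, event name, client_id/app_name/scope parameters), which is an assumption about the export format and should be checked against your own data.

```python
import json
from collections import defaultdict

# Constructed sample of OAuth token-grant audit records. The layout is an
# assumption modelled on Workspace "token" activities; values are invented.
SAMPLE_TOKEN_ACTIVITIES_JSON = """
[
 {"id": {"time": "2024-05-01T09:12:00.000Z", "applicationName": "token"},
  "actor": {"email": "nurse.a@example-clinic.test"},
  "events": [{"type": "auth", "name": "authorize", "parameters": [
     {"name": "client_id", "value": "approved-ehr-connector.apps.example"},
     {"name": "app_name", "value": "Approved EHR Connector"},
     {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
 {"id": {"time": "2024-05-01T10:40:00.000Z", "applicationName": "token"},
  "actor": {"email": "admin.b@example-clinic.test"},
  "events": [{"type": "auth", "name": "authorize", "parameters": [
     {"name": "client_id", "value": "free-pdf-merge.apps.example"},
     {"name": "app_name", "value": "Free PDF Merge"},
     {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive",
                                      "https://www.googleapis.com/auth/gmail.readonly"]}]}]},
 {"id": {"time": "2024-05-02T14:05:00.000Z", "applicationName": "token"},
  "actor": {"email": "dr.c@example-clinic.test"},
  "events": [{"type": "auth", "name": "authorize", "parameters": [
     {"name": "client_id", "value": "quiz-tool.apps.example"},
     {"name": "app_name", "value": "Quiz Tool"},
     {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/userinfo.email"]}]}]}
]
"""

# Hypothetical allowlist of client IDs your compliance team has approved.
APPROVED_CLIENT_IDS = {"approved-ehr-connector.apps.example"}

# Scope prefixes that grant access to services where PHI commonly lives.
SENSITIVE_SCOPE_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/calendar",
)


def _params(event):
    """Flatten an event's parameter list into a name -> value dict."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("multiValue", p.get("value"))
    return out


def audit_token_grants(activities, approved_client_ids, sensitive_prefixes):
    """Return one finding per 'authorize' event whose client_id is not approved.

    Each finding records who granted access, to which app, and which of the
    granted scopes touch sensitive (PHI-bearing) services.
    """
    findings = []
    for act in activities:
        user = act.get("actor", {}).get("email", "<unknown>")
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            params = _params(ev)
            client_id = params.get("client_id", "")
            if client_id in approved_client_ids:
                continue
            scopes = params.get("scope") or []
            sensitive = sorted(s for s in scopes if s.startswith(sensitive_prefixes))
            findings.append({
                "time": act["id"]["time"],
                "user": user,
                "app_name": params.get("app_name", client_id),
                "client_id": client_id,
                "sensitive_scopes": sensitive,
            })
    return findings


def grants_by_user(findings):
    """Group unapproved-app findings by the user who made the grant."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["user"]].append(f["app_name"])
    return dict(grouped)


if __name__ == "__main__":
    acts = json.loads(SAMPLE_TOKEN_ACTIVITIES_JSON)
    for f in audit_token_grants(acts, APPROVED_CLIENT_IDS, SENSITIVE_SCOPE_PREFIXES):
        flag = " [touches PHI services]" if f["sensitive_scopes"] else ""
        print(f"{f['time']} {f['user']} -> {f['app_name']}{flag}")
```

Findings with non-empty sensitive_scopes are the ones to revoke first; the rest are still policy violations worth following up in training, as the article recommends.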
Another point to consider is end-to-end encryption. Google does use TLS to protect normal Gmail messages in transit, but TLS doesn’t guarantee complete security, because it only protects a message when both the sender’s and the recipient’s mail systems support it.
You might consider using additional features, like Google’s Gmail Confidential Mode, to help minimize risks by setting expiration dates for messaging or revoking access when necessary.
Step 5: Monitor Account Activity
It’s difficult to know for certain if your team members are staying compliant with HIPAA guidelines without monitoring their workflows. Gaining visibility into account activity can help you to track both compliance issues and emerging security threats.
Google’s admin console lets you keep logs of successful and failed logins to any tools that might contain ePHI. You can also configure the Google Workspace alert center to automatically notify designated team members when potential compliance breaches occur.
Make sure you’re paying close attention to any potential security breaches or compliance issues, and keep comprehensive reports you can share with investigators. Update your training resources if you encounter regular issues with non-compliance.
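To show what “monitoring account activity” looks like once the logs are exported, here is an added example (not code from the original article or from Google) that summarizes login audit records: it counts failed and successful logins per user, flags users who cross a failure threshold, and collects suspicious-login events for the report you would hand to investigators. The sample records are constructed and follow the general shape of Google Workspace “login” audit activities (actor email, ipAddress, event names such as login_success, login_failure and suspicious_login); treat that layout as an assumption and check it against your own export.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of login audit records. The layout is an assumption
# modelled on Workspace "login" activities; every value is invented.
SAMPLE_LOGIN_ACTIVITIES_JSON = """
[
 {"id": {"time": "2024-05-01T08:02:11.000Z", "applicationName": "login"},
  "actor": {"email": "nurse.a@example-clinic.test"}, "ipAddress": "203.0.113.10",
  "events": [{"type": "login", "name": "login_success",
              "parameters": [{"name": "login_type", "value": "google_password"}]}]},
 {"id": {"time": "2024-05-01T22:15:03.000Z", "applicationName": "login"},
  "actor": {"email": "admin.b@example-clinic.test"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "login", "name": "login_failure",
              "parameters": [{"name": "login_failure_type", "value": "login_failure_invalid_password"}]}]},
 {"id": {"time": "2024-05-01T22:15:40.000Z", "applicationName": "login"},
  "actor": {"email": "admin.b@example-clinic.test"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "login", "name": "login_failure",
              "parameters": [{"name": "login_failure_type", "value": "login_failure_invalid_password"}]}]},
 {"id": {"time": "2024-05-01T22:16:12.000Z", "applicationName": "login"},
  "actor": {"email": "admin.b@example-clinic.test"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "login", "name": "login_failure",
              "parameters": [{"name": "login_failure_type", "value": "login_failure_invalid_password"}]}]},
 {"id": {"time": "2024-05-01T22:17:05.000Z", "applicationName": "login"},
  "actor": {"email": "admin.b@example-clinic.test"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "login", "name": "login_success",
              "parameters": [{"name": "login_type", "value": "google_password"}]}]},
 {"id": {"time": "2024-05-02T03:44:51.000Z", "applicationName": "login"},
  "actor": {"email": "dr.c@example-clinic.test"}, "ipAddress": "192.0.2.44",
  "events": [{"type": "login", "name": "suspicious_login", "parameters": []}]}
]
"""


def summarize_login_activity(activities, failure_threshold=3):
    """Aggregate login audit records into a per-user summary.

    Returns a dict with failure and success counts per user, the users whose
    failure count reached failure_threshold, every suspicious_login event, and
    the set of source IPs seen for each user.
    """
    failures = Counter()
    successes = Counter()
    suspicious = []
    ips_by_user = defaultdict(set)

    for act in activities:
        user = act.get("actor", {}).get("email", "<unknown>")
        ip = act.get("ipAddress")
        if ip:
            ips_by_user[user].add(ip)
        for ev in act.get("events", []):
            name = ev.get("name")
            if name == "login_failure":
                failures[user] += 1
            elif name == "login_success":
                successes[user] += 1
            elif name == "suspicious_login":
                suspicious.append({"user": user, "ip": ip, "time": act["id"]["time"]})

    flagged = sorted(u for u, n in failures.items() if n >= failure_threshold)
    return {
        "failures": dict(failures),
        "successes": dict(successes),
        "suspicious": suspicious,
        "flagged_users": flagged,
        "ips_by_user": {u: sorted(ips) for u, ips in ips_by_user.items()},
    }


def format_report(summary):
    """Render the summary as plain text lines suitable for a compliance record."""
    lines = []
    for user in summary["flagged_users"]:
        lines.append(f"REVIEW {user}: {summary['failures'][user]} failed logins "
                     f"from {', '.join(summary['ips_by_user'][user])}")
    for s in summary["suspicious"]:
        lines.append(f"SUSPICIOUS {s['user']} at {s['time']} from {s['ip']}")
    return lines


if __name__ == "__main__":
    report = format_report(summarize_login_activity(json.loads(SAMPLE_LOGIN_ACTIVITIES_JSON)))
    print("\n".join(report))
```

In the sample, the three failed attempts followed by a success for the same account from one address are exactly the pattern worth a follow-up conversation, and the suspicious_login event is the kind of item the alert center would raise on its own; running the same summary on a schedule gives you the ongoing visibility the step describes.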
Is Google Workspace HIPAA Compliant? The Verdict
So, is Google Workspace HIPAA Compliant? It certainly can be, but no communication, productivity, or collaboration software will automatically ensure HIPAA compliance. If you’re going to use Google Workspace in your healthcare organization, you’ll need to take extra measures to ensure you’re adhering to HIPAA rules.
The good news is that Google Workspace is compatible with HIPAA compliance, and it generally makes enabling compliance quite easy. You can apply for a BAA with Google (although, remember, it doesn’t cover everything). You’ll also be able to implement comprehensive security and privacy controls, from end-to-end encryption, to two-factor authentication.
However, you’ll also need to ensure you’re training your team members to adhere to HIPAA guidelines, monitoring potential breach issues, and adhering to Google’s terms of service. For more tips on managing Google Workspace HIPAA compliance, visit this implementation guide.
Is Google Workspace HIPAA Compliant? FAQs
Are all Google Workspace accounts HIPAA compliant?
Google only signs business associate agreements with companies that purchase premium Google Workspace plans. Since you can’t access a BAA with a free version of Google Workspace, these accounts will not be HIPAA compliant. You’ll also need to ensure you’re implementing the right security controls for your account users.
Can I make my Gmail HIPAA Compliant?
Gmail, as a standalone free application, is not HIPAA compliant and doesn’t offer the most robust encryption options. However, Gmail as a Google Workspace solution can be made HIPAA compliant, provided you have a business associate agreement (BAA), and implement end-to-end encryption methods with all electronic mail.
Can I access a copy of my BAA with Google?
The HIPAA BAA you sign with Google is available via your admin console. You can produce a screenshot of your admin console and acceptance notification if you need to share this information with a regulator. Simply go to Account Settings in your administrator account and open the Legal and Compliance section to view the agreement.
Are third-party applications covered by Google Workspace’s BAA?
Third-party apps from other vendors and add-ons for Google Workspace are not included in Google’s BAA. If you will be using other applications alongside Google Workspace, you’ll need to sign additional Business Associate Agreements with the vendors of these applications directly.
Is Google Workspace Voice HIPAA compliant?
Various Google Workspace apps, including Workspace Voice, Chat, and Meet, can be made HIPAA compliant, provided you sign a BAA with Google and use a paid version of Google Workspace. Free Google Workspace accounts are not covered by a BAA and may lack the additional security features needed for HIPAA compliance.