Is G Suite HIPAA Compliant?
G Suite is HIPAA compliant provided organizations subscribe to a Google Workspace Business Account that includes the capabilities to support HIPAA compliance and provided the capabilities are configured to support compliance with HIPAA. It will also be necessary for a system administrator to agree to Google’s Business Associate Addendum to the Service Agreement.
Note: The name of G Suite was changed to Google Workspace in 2020. As many people still refer to Workspace under its former name, this article has been updated to reflect the changes since 2020 while still maintaining G Suite references. In June 2022, any organizations still using the former free G Suite legacy edition were migrated to a paid-for Google Workspace subscription.
Making G Suite HIPAA Compliant (by default it isn’t)
When an organization subscribes to a G Suite (Workspace) account, there are four options to choose from. These start with the feature-limited Business Starter Plan and go up to the G Suite Enterprise Plan. The choice of options depends on whether G Suite services will be used to create, collect, store, or transmit PHI and what G Suite compatible security and management tools are already in place.
If G Suite is not going to be used to create, collect, store, or transmit PHI, it is not necessary to make G Suite HIPAA compliant. If the services are going to be used in connection with PHI, but G Suite compatible security and management tools are already in place, it may be possible for an organization to subscribe to a feature-limited plan. However, in most cases, organizations have to subscribe to an Enterprise Plan to access the capabilities required to make G Suite HIPAA compliant.
Obtain a BAA from Google
Like most other large software companies, Google does not sign individual organizations’ Business Associate Agreements. Instead, Google requires covered entities and business associates subject to HIPAA to agree to its HIPAA Business Associate Addendum to the G Suite (Workspace) Service Agreement. The HIPAA Business Associate Addendum can be found in the account settings menu.
The HIPAA Business Associate Addendum must be reviewed and “signed” by a member of the organization’s workforce with super administrator privileges before any service covered by the Addendum is used to create, collect, store, or transmit PHI. Using any service in connection with PHI before agreeing to the terms of the HIPAA Business Associate Addendum is both a violation of Google’s Service Agreement and a violation of HIPAA.
Not All Google Services are Covered by the BAA
It is important to be aware that not all Google services are covered by the BAA – especially those in the Google Workspace Marketplace. If an organization wants to use any Google services not covered by the BAA it will be necessary to develop workplace policies prohibiting members of the workforce from using these services to create, collect, store, or transmit PHI.
With regards to using services, add-ons, and extensions in the Google Workspace Marketplace, if any of these services are going to be used in connection with PHI, it will be necessary to enter into a BAA with the service vendor. If it is not possible to enter into a BAA with the service vendor, the service cannot be used to create, collect, store, or transmit, PHI.
What Services in G Suite are HIPAA Compliant?
At the time of this update, the following G Suite services are listed by Google as “HIPAA Included Functionality,” i.e., the services covered by the BAA that can be used to make G Suite HIPAA compliant:
- Gmail (Not free Gmail accounts)
- Calendar
- Drive (including Docs, Sheets, Slides, and Forms)
- Duet AI for Workspace
- Apps Script
- Keep
- Sites
- Jamboard
- Google Chat
- Google Meet
- Google Voice (managed users only)
- Google Cloud Search
- Cloud Identity Management
- Google Groups
- Google Tasks
- Vault
- AppSheet
Configure Access Controls
Before G Suite can be used with any PHI, the G Suite account and services must be configured correctly via the admin console. Access controls must be set up so that the services used with PHI are available only to authorized individuals. Organizing users into groups and organizational units is the easiest way of granting, and revoking, access to PHI, and audit logs and alerts must also be configured so that access to PHI can be reviewed and anomalies investigated.
Any additional services that are not required should be switched off. Services that will handle PHI should be set to ‘On for some organizations’ so that only the organizational units that need them can use them, while services that do not involve PHI can be switched on for everyone.
Set Device Controls
HIPAA-covered entities must also ensure that the devices used to access G Suite have appropriate security controls. For example, if a smartphone can be used to access G Suite and that device is lost or stolen, it should not be possible for unauthorized individuals to use it to reach PHI.
A passcode or other screen lock must be required on all mobile devices before access to G Suite is granted, and devices must be configured to lock automatically after a period of inactivity. The ability to remotely wipe all data (including PHI) stored on mobile devices should also be in place. HIPAA-covered entities should also enforce two-factor authentication (2-Step Verification in Workspace) for all accounts.
Google Drive
In the case of Google Drive, it is essential to limit sharing to specific people. Otherwise it is possible that folders and files could be accessed by anyone on the Internet who has the link. Drives should be configured to allow access only by specific individuals or groups, not by the whole domain or by ‘anyone with the link.’ Any files uploaded to Google Drive should not include PHI in the names of files, folders, or shared drives (formerly Team Drives), since names are visible in sharing notifications, search results, and audit logs that may not be protected as carefully as file contents.
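The sharing mistakes described above are easy to audit once file metadata has been exported from the Drive API. The following script is an added illustration, not code from HIPAA Journal or from Google: it takes a list of file records shaped like the Drive API v3 files.list response with the permissions field requested, flags files shared with ‘anyone with the link,’ with the entire domain, or with principals outside the organization’s own domain (the domain `clinic.example` is an assumption), and applies a few heuristic patterns to catch PHI in file names. The sample records are constructed for the example.

```python
"""Offline audit of Google Drive file metadata for risky sharing and PHI in names.

Added example (not HIPAA Journal's or Google's code). Input records are shaped
like Drive API v3 `files.list` items fetched with `fields=files(id,name,permissions)`;
the records in SAMPLE_FILES are constructed for this illustration.
"""
import re

# Assumption: the organization's own Workspace domain(s). Principals outside
# these are treated as external.
ALLOWED_DOMAINS = {"clinic.example"}

# Heuristic patterns for identifiers that should never appear in a file or
# folder name. Illustrative only; not an exhaustive PHI detector.
PHI_NAME_PATTERNS = [
    re.compile(r"\bMRN\b", re.IGNORECASE),        # medical record number label
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),         # SSN-shaped number
    re.compile(r"\bDOB\b", re.IGNORECASE),        # date-of-birth label
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),     # bare calendar date
]

# Constructed sample resembling Drive API v3 file resources.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 staffing rota", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "nurse@clinic.example"},
        {"type": "group", "role": "reader", "emailAddress": "care-team@clinic.example"}]},
    {"id": "f2", "name": "Lab results - J. Doe MRN 00123456", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr@clinic.example"},
        # 'anyone' is link-sharing; allowFileDiscovery=False still means
        # anyone holding the link can open it.
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "Referral letter", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr@clinic.example"},
        {"type": "user", "role": "writer", "emailAddress": "someone@gmail.com"}]},
    {"id": "f4", "name": "Intake form DOB 03/14/1982", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "intake@clinic.example"},
        # Whole-domain sharing is not "specific individuals or groups".
        {"type": "domain", "role": "reader", "domain": "clinic.example"}]},
]


def principal_domain(perm):
    """Domain part of a user/group permission's address, or None if absent."""
    addr = perm.get("emailAddress", "")
    return addr.rpartition("@")[2].lower() or None


def audit_file(rec, allowed_domains=ALLOWED_DOMAINS):
    """Return an ordered list of unique finding codes for one file record."""
    findings = []

    def add(code):
        if code not in findings:
            findings.append(code)

    for perm in rec.get("permissions", []):
        ptype = perm.get("type")
        if ptype == "anyone":
            add("public-link")            # reachable by anyone with the link
        elif ptype == "domain":
            add("domain-wide")            # every account in the domain
        elif ptype in ("user", "group"):
            # A missing address is treated as external: we cannot vouch for it.
            if principal_domain(perm) not in allowed_domains:
                add("external-principal")
    if any(p.search(rec.get("name", "")) for p in PHI_NAME_PATTERNS):
        add("phi-in-name")
    return findings


def audit(files, allowed_domains=ALLOWED_DOMAINS):
    """Map file id -> findings for every file that has at least one finding."""
    result = {}
    for rec in files:
        findings = audit_file(rec, allowed_domains)
        if findings:
            result[rec["id"]] = findings
    return result


if __name__ == "__main__":
    for fid, issues in audit(SAMPLE_FILES).items():
        print(f"{fid}: {', '.join(issues)}")
```

In production the records would come from the Drive API (or from a Drive audit-log export) rather than a literal list, and the finding codes would feed an alert or a ticket; the point of the check is that ‘anyone with the link’ and domain-wide grants are flagged regardless of role, because neither restricts access to named individuals or groups.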
Gmail
Gmail, the free consumer email service offered by Google, is not the same as G Suite. Simply using a consumer Gmail account (@gmail.com) to send PHI is not permitted. Consumer accounts are not covered by Google’s Business Associate Addendum, so Google gives no HIPAA assurances for them: message content can be processed by Google and by any third-party apps the account holder has granted access to, and deleting an email does not guarantee its removal from Google’s servers. Free Gmail accounts are not HIPAA compliant.
G Suite HIPAA Compliance is the Responsibility of Users
Google encourages healthcare organizations to use G Suite and has done what it can to make G Suite HIPAA compliant, but Google clearly states that it is the responsibility of the customer to configure the services correctly and to provide adequate workforce training in order to ensure that the requirements of HIPAA are satisfied.
To help healthcare organizations make G Suite HIPAA compliant, Google has developed guidance on setting up G Suite: see Google’s G Suite HIPAA Implementation Guide.