
Is Google Workspace HIPAA Compliant?

Google Workspace is HIPAA compliant for services that have “covered functionality”, provided HIPAA-covered organizations subscribe to a Workspace Plan that supports HIPAA compliance and configure the services to comply with the HIPAA Security Rule. To make Google Workspace HIPAA compliant, it is also necessary to agree to Google’s Business Associate Addendum (BAA) to the Terms of Service Agreement.

Google Workspace – formerly known as G Suite – is a collection of productivity and communication services. The services can be used independently or integrated with each other to streamline workflows and enhance collaboration. Workspace is a popular choice for organizations in the healthcare industry because most users already have experience with services such as Gmail and Drive. Most other Workspace services have familiar controls and are intuitive to use.

However, most organizations in the healthcare industry are required to comply with HIPAA. HIPAA is a federal law which led to the development of privacy and security standards for “Protected Health Information” (PHI). The standards govern how PHI can be used and disclosed, and what measures must be put in place to protect the confidentiality, integrity, and availability of PHI created, collected, maintained, or transmitted electronically.

In the context of the question “Is Google Workspace HIPAA compliant?”, it is important that – when PHI is created, collected, maintained, or transmitted by Workspace services – the services have controls in place to support compliance with the security standards, the controls are configured to comply with all applicable implementation specifications, and members of the workforce are trained on how to use the services compliantly.


Which Workspace Plans Support Compliance?

Excluding the personal (free) and “solopreneur” editions of Workspace, there are nine subscription plans that, in theory, could support HIPAA compliance depending on the nature of an organization’s operations and tax status. In practice, covered organizations with fewer than 300 users will likely opt for one of the three Business plans, while larger organizations – or organizations with complex requirements – will opt for one of the three Enterprise plans.

All the Business and Enterprise plans contain the same “core services”, but with different levels of functionality. For example, organizations subscribing to a Business “Starter” or Business “Standard” plan will only have access to basic endpoint management capabilities, while those subscribing to a Business “Plus” or any Enterprise plan will be better positioned to manage security on personal and corporate mobile devices. A risk assessment should help identify which plan is most suitable.

However, although all the Business and Enterprise plans support compliance, it is important to be aware that not every Google core service included in or connected to a plan can be used in compliance with HIPAA. Google recommends restricting user access to core services without “covered functionality” (e.g., Google Contacts) and disabling access to all non-core services not covered by the Workspace Service Agreement (e.g., Google Photos, Blogger, YouTube, etc.).

With regard to restricting user access to Google Contacts, following the recommendation will affect the functionality of other HIPAA compliant Workspace services. Therefore, we suggest ignoring Google’s recommendation. Instead, administrators should implement a policy prohibiting PHI from being stored in Google Contacts and monitor compliance with the policy via the Security Center. (Note: Names and contact details are NOT PHI when maintained separately from health information – see “What is Considered PHI under HIPAA?” for a full explanation).

Which Services have Covered Functionality?

The Workspace services that can be configured to be used in compliance with HIPAA and that are covered by the Google Workspace HIPAA compliant BAA are currently:

Google Workspace Services with Covered Functionality:

  • Google Calendar
  • Google Chat
  • Cloud Identity
  • Google Drive
  • Google Docs
  • Google Sheets
  • Google Slides
  • Google Forms
  • Gemini AI for Workspace
  • Gmail
  • Google Cloud Search
  • Google Groups
  • Google Voice
  • Google Keep
  • Google Meet
  • Google Sites
  • Google Tasks
  • Google Vault
  • Jamboard

To configure these services in compliance with HIPAA, it is advisable to follow the guidance in Google’s HIPAA Implementation Guide. The guidance will not be suitable for every covered entity and business associate because it may be necessary to (for example) integrate a third-party app with a Google service. This element of the guidance will have to be worked around if the default guidance is not to allow access by third-party apps.

Covered entities and business associates that encounter issues with configuring covered Workspace services should be able to take advantage of Google’s customer support channels depending on the subscription. The Admin Help pages are also very good for resolving technical issues. For HIPAA-related issues, it is probably more beneficial to seek accurate and timely advice from an external HIPAA compliance expert.

The Google Workspace HIPAA Compliant BAA

Before any Workspace service is used to create, collect, store, or transmit PHI, it is necessary to agree to Google’s Business Associate Addendum (BAA). The Google Workspace HIPAA compliant BAA is an extension of the Terms of Service Agreement and is relatively straightforward. There are no contentious clauses that may cause further issues. In most cases it is possible for Super Administrators to digitally sign the Addendum via the Admin console.

However, before digitally signing the Google Workspace BAA, it is important Administrators review the Terms of Service Agreement. While the entire agreement should be reviewed, Administrators are advised to pay careful attention to the Customer Obligations in Clause #3, which:

  • Prohibits the storage and transmission of PHI without a signed BAA,
  • Makes customers responsible for end user compliance with the Agreement,
  • Requires customers to prevent and terminate unauthorized use of Workspace, and
  • Requires customers to notify Google of any unauthorized use of, or access to, a Workspace account (including compromised passwords).

A failure to comply with the Terms of Service Agreement could result in suspension of the account and the removal of content – regardless of compliance with the Google Workspace HIPAA compliant BAA. If this happens to a Workspace account in which PHI is stored, it will not only result in an operational disruption, but also in a HIPAA violation for failing to ensure the availability of the removed PHI.

Why Provide Training on How to Use Gmail?

Google is not unique in having compliance clauses in both its Terms of Service Agreement AND in its Business Associate Agreement. Most software providers do the same. However, many workforce members will already have personal Google accounts. Some will use their accounts with little consideration for the privacy and security of information received, stored, and shared. (You can check this theory by asking how many users have 2FA enabled on their personal accounts).

Using Gmail and other Workspace services in compliance with HIPAA is different from using the same services for personal use. To ensure the privacy and security of PHI, workforce members should be trained on permissible disclosures, the minimum necessary standard, and verifying the identity of unknown correspondents who request PHI. It is essential they are also trained on reporting malware, phishing emails, and other threats to the security of PHI.

With regard to what has previously been discussed, it is important that members of the workforce are told not to save PHI with contact information, not to import files from non-covered services (e.g., Google Photos), and not to export files to non-covered services (e.g., Blogger). Even when access to these services has been disabled, inventive workforce members can often find ways to circumvent controls to “get the job done”.

Is Google Workspace HIPAA Compliant? Conclusion

It may appear as if there are a lot of hurdles to overcome in order to make Google Workspace HIPAA compliant. However, they are not insurmountable – and the benefits are more than worthwhile. Not only can covered entities and business associates in the healthcare sector share PHI compliantly to streamline workflows and enhance collaboration, but they can also better communicate with patients via a range of chat, phone, and video communication tools.

If you would like to find out more about using Google Workspace in your healthcare environment, Google offers a free 14-day trial for up to ten users. This should be long enough for Administrators to configure covered services in compliance with the Security Rule’s implementation specifications and to identify any user issues that may materialize as a result. If, during the free trial, you encounter HIPAA-related issues, you will also have time to speak with a HIPAA compliance expert before committing to a subscription.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
