Is Google Cloud Platform HIPAA compliant?
Yes, with conditions. Google Cloud will enter a BAA, accepted self-service by an admin, covering its infrastructure and a defined list of Covered Products; PHI must be restricted to those covered products and properly configured.
Key facts
- BAA available: Yes — with a signed BAA
- What it takes: Available to Google Cloud customers; an admin reviews and accepts the Google Cloud BAA (self-service). The BAA covers Google Cloud's infrastructure plus a defined list of Covered Products.
- Official source: Google Cloud — HIPAA Compliance — https://cloud.google.com/security/compliance/hipaa (verified 2026-06)
How to use Google Cloud Platform in a HIPAA-compliant way
- Have an admin review and accept the Google Cloud BAA (per Google's 'Privacy compliance and records for Google Cloud' instructions) before processing PHI.
- Limit PHI to the BAA's Covered Products list and avoid non-covered products and Pre-GA offerings for PHI.
- Apply IAM least privilege, default encryption, and export audit logs (e.g., to Cloud Storage and BigQuery).
- Keep PHI out of resource names, labels, metadata, and logs.
- Document your HIPAA risk analysis and retain the accepted BAA.
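A way to check the IAM, audit-log, and naming items above against exported configuration. This is an added example, not Google's tooling or code from this page. It assumes the policy dict has the shape printed by `gcloud projects get-iam-policy --format=json`; the PHI hint patterns, the resource list, and all sample values are constructed, and treating Data Access logs on allServices as the baseline is an assumption of the example.

```python
import re

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
DATA_ACCESS_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}
# Constructed heuristics for identifiers that tend to leak into names and labels.
PHI_HINTS = {"mrn": re.compile(r"\bmrn[-_]?\d+\b", re.I),
             "dob": re.compile(r"\bdob[-_]?\d{6,8}\b", re.I)}

def audit_iam_policy(policy):
    """Return least-privilege and audit-logging findings for one IAM policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding.get("role", ""), binding.get("members", [])
        if role in BASIC_ROLES:
            findings.append(f"basic role {role} bound to {len(members)} member(s)")
        findings += [f"public member {m} holds {role}" for m in members if m in PUBLIC_MEMBERS]
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            enabled |= {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
    missing = sorted(DATA_ACCESS_LOG_TYPES - enabled)
    if missing:
        findings.append("Data Access logs off for allServices: " + ", ".join(missing))
    return findings

def audit_resource_text(resources):
    """Flag names and labels that look like PHI; reports position and field, never the value."""
    hits = []
    for idx, res in enumerate(resources):
        fields = {"name": res.get("name", "")}
        fields.update({f"labels.{k}": f"{k}={v}" for k, v in res.get("labels", {}).items()})
        for field, text in fields.items():
            hits += [(idx, field, hint) for hint, rx in PHI_HINTS.items() if rx.search(text)]
    return hits

# Constructed sample input; not taken from any real project.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:dev@example.com", "group:eng@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "auditConfigs": [{"service": "allServices", "auditLogConfigs": [{"logType": "DATA_WRITE"}]}],
}
SAMPLE_RESOURCES = [
    {"name": "intake-vm-01", "labels": {"env": "prod"}},
    {"name": "export-mrn-448812", "labels": {"owner": "records", "note": "dob-19800214"}},
]
if __name__ == "__main__": print(audit_iam_policy(SAMPLE_POLICY), audit_resource_text(SAMPLE_RESOURCES))
```

The label check reports the resource index and field rather than the matched text, so the audit output does not itself copy suspected PHI into logs.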
Important caveats
- Only Covered Products are in scope; non-covered and Pre-GA products must not be used with PHI.
- Accepting the BAA does not configure security for you — IAM, logging, and safeguards are your responsibility.
- Compliance is a shared responsibility; there is no official HHS HIPAA certification.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Google Cloud Platform correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Google Cloud Platform.
Frequently asked questions
Does Google Cloud Platform sign a BAA?
Yes. The BAA is available to Google Cloud customers; an admin reviews and accepts the Google Cloud BAA (self-service). The BAA covers Google Cloud's infrastructure plus a defined list of Covered Products. A signed BAA is required before any PHI is involved.
Is Google Cloud Platform HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Google Cloud Platform offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Google Cloud Platform with PHI?
Only Covered Products are in scope; non-covered and Pre-GA products must not be used with PHI.