HIPAA & BAA ยท Forms
Is Google Forms HIPAA compliant?
Conditionally. Google Forms has no standalone BAA; it is covered only as a Core Service within a Google Workspace BAA on an eligible paid plan.
Key facts
- BAA available: Conditionally โ on specific plans
- What it takes: Paid Google Workspace plan with the Google BAA accepted (Forms is a covered Core Service)
- Official source: Google Workspace Admin Help: HIPAA Compliance with Google Workspace โ https://support.google.com/a/answer/3407054 (verified 2026-06)
How to use Google Forms in a HIPAA-compliant way
- Use a paid Google Workspace edition (not a free/consumer Google account).
- As super admin, accept Google's HIPAA BAA in Admin console > Account settings > Legal and compliance.
- Confirm Google Forms is in scope via Google's HIPAA Included Functionality list (Forms is a covered Core Service).
- Restrict PHI use to covered Core Services and disable non-covered add-ons/third-party apps.
- Configure access controls and train staff before collecting PHI.
Important caveats
- There is no Google Forms BAA by itself; coverage exists only under the Workspace BAA.
- Third-party apps and add-ons are NOT covered by the BAA, even if connected to Forms.
- Consumer/free Google accounts cannot get a BAA and must not be used for PHI.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Google Forms correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Google Forms.
Frequently asked questions
Does Google Forms sign a BAA?
On specific plans. Paid Google Workspace plan with the Google BAA accepted (Forms is a covered Core Service) A signed BAA is required before any PHI is involved.
Is Google Forms HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Google Forms offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Google Forms with PHI?
There is no Google Forms BAA by itself; coverage exists only under the Workspace BAA.
