Is Google Gemini HIPAA compliant?
Conditionally. Gemini for Workspace is covered under the Google Workspace HIPAA BAA when you are on an eligible edition and have executed the BAA; consumer/standalone Gemini is not covered.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Eligible Google Workspace edition with executed Workspace BAA
- Official source: Google Workspace — HIPAA Business Associate Amendment — https://workspace.google.com/terms/2015/1/hipaa_baa/ (verified 2026-06)
How to use Google Gemini in a HIPAA-compliant way
- Confirm your Google Workspace edition is listed as HIPAA-eligible in Google's HIPAA Implementation Guide.
- Accept/execute the Google Workspace HIPAA BAA via the Admin console.
- Verify Gemini for Workspace features are within the BAA-covered 'Included Functionality'.
- Restrict PHI use to covered Core Services and configure controls per the Implementation Guide.
- Avoid PHI in non-covered surfaces (e.g., Gemini in Chrome, third-party add-ons).
Important caveats
- Coverage flows from the Workspace BAA — the consumer Gemini app and standalone Gemini are NOT covered.
- Gemini in the Chrome browser sidebar operates outside the Workspace BAA and is excluded.
- Third-party add-ons and non-Core services are not part of the Included Functionality.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Google Gemini correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Google Gemini.
Frequently asked questions
Does Google Gemini sign a BAA?
On specific plans: an eligible Google Workspace edition with an executed Workspace BAA. A signed BAA is required before any PHI is involved.
Is Google Gemini HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Google Gemini offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Google Gemini with PHI?
Coverage flows from the Workspace BAA — the consumer Gemini app and standalone Gemini are NOT covered.