Is Google Workspace HIPAA compliant?
Conditionally. Google Workspace can be used in a HIPAA-compliant way once a super admin accepts Google's HIPAA Business Associate Amendment in the Admin console and the included services are configured correctly; the free consumer Gmail product is not eligible.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Any paid Google Workspace or Cloud Identity plan; a super administrator must review and accept the HIPAA Business Associate Amendment in the Admin console (Account > Account settings > Legal and compliance).
- Official source: Google Workspace Admin Help — HIPAA Compliance — https://support.google.com/a/answer/3407054 (verified 2026-06)
How to use Google Workspace in a HIPAA-compliant way
- Confirm you are on a paid Google Workspace plan (the free/consumer Gmail product cannot be used for PHI).
- Sign in as a super administrator and accept the HIPAA Business Associate Amendment under Account > Account settings > Legal and compliance.
- Restrict PHI to Google's designated 'Included Functionality' services and disable non-covered services and third-party add-ons.
- Configure access controls, 2-step verification, sharing restrictions, DLP, and audit logging; train staff on approved use.
- Retain a copy of the accepted BAA and perform your own HIPAA risk assessment.
Important caveats
- The BAA only covers Google's specified 'Included Functionality' services; many add-ons, Marketplace apps, and some Gemini/AI features fall outside it.
- Accepting the BAA does not configure the environment for you — correct admin configuration and your own safeguards are still required.
- Consumer Gmail and any non-managed/free accounts are never covered.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Google Workspace correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Google Workspace.
Frequently asked questions
Does Google Workspace sign a BAA?
On specific plans: any paid Google Workspace or Cloud Identity plan qualifies, and a super administrator must review and accept the HIPAA Business Associate Amendment in the Admin console (Account > Account settings > Legal and compliance). A signed BAA is required before any PHI is involved.
Is Google Workspace HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Google Workspace offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Google Workspace with PHI?
The BAA only covers Google's specified 'Included Functionality' services; many add-ons, Marketplace apps, and some Gemini/AI features fall outside it.