Is Google Workspace HIPAA Compliant? BAA, Eligible Plans, and Setup (2026)
Is Google Workspace HIPAA compliant? Yes, but only on eligible tiers, with the Google BAA signed, and only across the list of covered services. Healthcare startups and small clinics ship PHI through Gmail, Drive, Meet, and Calendar within hours of go-live. The marketing answer hides real conditions admins must configure.
This guide explains when Google Workspace is HIPAA compliant, which plans qualify for the Google Business Associate Agreement, which services are covered, and the configuration baseline to apply before a single PHI message lands in Gmail.
The Short Answer
Yes, Google Workspace is HIPAA compliant on eligible Business and Enterprise plans once the BAA is signed and the tenant is configured for HIPAA. Free Gmail and personal Google accounts are not. Google will not sign a BAA for them. Workspace Business Starter does not currently include the BAA in many regions, and even on eligible plans you must complete the BAA acceptance flow before PHI moves through any service.
So is Google Workspace HIPAA compliant out of the box? No. Any healthcare organization storing, transmitting, or processing PHI inside Google Workspace must restrict usage to in-scope services and harden the tenant from its defaults. The BAA is not a configuration. It is a contract: it allocates responsibility between you and Google, and every technical safeguard on your side of that line (who can sign in, what can be shared, where mail can be forwarded, how long records are kept) is still yours to configure and document. The contract alone never carries you home.
Which Google Workspace Plans Are HIPAA Eligible?
Google offers the HIPAA BAA to commercial Workspace customers but excludes consumer Google accounts and some entry tiers. Most small clinics start at Business Standard, around $14 per user per month. Healthcare SaaS startups choosing between options often pick Business Plus at roughly $22 per user per month for Vault and advanced endpoint controls. Asking "is Google Workspace HIPAA compliant on Business Starter?" is a common trip-up, and the answer in many regions is still no.
The plans eligible for the HIPAA BAA in 2026:
| Plan | HIPAA BAA available | Notes |
|------|---------------------|-------|
| Workspace Business Starter | Limited | Available in some regions, restricted feature set |
| Workspace Business Standard | Yes | Most common SMB plan with full BAA scope |
| Workspace Business Plus | Yes | Adds Vault and advanced endpoint management |
| Workspace Enterprise Standard | Yes | DLP, S/MIME, advanced compliance |
| Workspace Enterprise Plus | Yes | Full compliance and security toolset |
| Workspace for Education Fundamentals, Standard, Plus | Yes | Eligible when used by HIPAA-covered education |
| Workspace Frontline | Yes | Lower-cost shift worker tier |
| Personal Gmail / Google account | No | Not eligible for BAA, never use for PHI |
| Workspace Individual | No | Single-user consumer tier, not BAA eligible |
If your small practice has a mix of consumer and Workspace accounts, the consumer accounts must never carry PHI. Migrate users to Workspace. Sign the BAA. Enforce identity policies that prevent personal account sign-in inside the corporate browser profile. Then ask "is Google Workspace HIPAA compliant for this user now?" and re-validate every safeguard before reopening access.
How the Google HIPAA BAA Works

Google publishes a standard HIPAA BAA available through the Workspace Admin console. There is no negotiation phase for typical customers. A super admin reviews the agreement, accepts it on behalf of the organization, and the BAA becomes part of the Workspace contract.
Google's HIPAA documentation, including the HIPAA Implementation Guide for Google Workspace, lists current obligations and in-scope services. After the BAA is in place, Google commits to:
- Implement administrative, physical, and technical safeguards aligned with the HIPAA Security Rule.
- Report breaches of unsecured PHI within agreed timelines.
- Use PHI only as permitted under HIPAA and the BAA.
- Subject covered services to HIPAA-aligned audits and certifications.
In-Scope Google Workspace Services
The HIPAA BAA covers most flagship Google Workspace services in 2026. Confirm the current list inside the Admin console before scoping a workflow, but typical coverage includes:
- Gmail.
- Google Drive (and Shared Drives).
- Google Docs, Sheets, Slides, Forms, Sites.
- Google Calendar.
- Google Meet (including telehealth-suitable meetings on eligible plans).
- Google Chat and Spaces.
- Google Tasks and Keep.
- Google Vault (eDiscovery and retention).
- Google Voice for Workspace (Standard and Premier on eligible plans).
- Apps Script (with restrictions).
- Cloud Search.
Services that are out of scope, or that must be switched off or restricted before PHI can reach them, include:
- Third-party Marketplace apps unless individually covered by their own BAA.
- Google Workspace integrations with non-Google products that route data outside the tenant.
- Some optional or preview features in Labs settings.
- Personal Google service equivalents accessed from a corporate device.
If a workflow requires a service that is not BAA covered, either rebuild it inside covered services or treat the third-party vendor as a separate business associate and sign a BAA with them directly.
How to Configure Google Workspace for HIPAA Compliance
A default Workspace tenant is tuned for collaboration, not containment: sharing, forwarding, and sign-in are permissive until an admin tightens them, so a tenant left on defaults will not satisfy the Security Rule's technical safeguards. Use the following baseline as a starting checklist for 2026.
1. Identity and Access
- Enforce 2-Step Verification for every user. Set the enforcement method to allow any method except verification codes by text message or phone call, and require security keys or passkeys for super admins and anyone handling PHI at scale.
- Confirm less secure app access (password-only IMAP, POP, and SMTP sign-in) is off. Google retired it for Workspace in 2024, so any mail client or device still relying on it must move to OAuth or be removed.
- Use Context-Aware Access to restrict sign-in by IP, device, and location.
- Block personal Google account sign-in from the managed browser profile.
- Apply the Advanced Protection Program for clinical leadership and admins.
2. Restrict External Sharing
- Set Drive and Shared Drives sharing default to "Off – only internal users".
- Disable link sharing or restrict to allow-listed domains.
- Block downloading and copying for files marked as PHI.
- Require warnings when users share externally even when allowed.
3. Enable DLP for HIPAA Identifiers
- Configure Workspace DLP rules that detect PHI patterns, including US Social Security numbers, medical record numbers, and ICD codes.
- Block external sharing of files matching PHI rules.
- Block outgoing Gmail messages containing PHI to external recipients without encryption.
- Quarantine messages flagged by DLP for admin review.
4. Encrypt Email Containing PHI
- Use Gmail S/MIME on eligible plans for encrypted email with healthcare partners.
- Gmail confidential mode can add access restrictions (no forwarding, copying, downloading, or printing, plus an expiry) for messages to non-Workspace recipients, but it is not encryption: the recipient reads the PHI through a Google-hosted link. Treat it as a control layered on top of S/MIME or TLS, never as a substitute.
- Use TLS-only delivery rules for known healthcare partner domains. Gmail's secure transport (TLS) compliance setting bounces mail to a listed domain rather than falling back to plaintext delivery when TLS negotiation fails.
- Disable auto-forwarding to external recipients tenant-wide.
5. Configure Vault and Audit Retention
- Enable Google Vault (included from Business Plus and on the Enterprise tiers, so plan the tier around this step) and apply retention rules of at least six years for Gmail, Drive, Chat, and Meet. HIPAA's six-year clock applies to required documentation such as policies, risk analyses, and BAAs; clinical record retention is set by state law and your own policy, so size the Drive and Gmail rules to whichever period is longer.
- Set litigation holds for users involved in breach investigations.
- Export audit logs to a SIEM or Google Security Operations (formerly Chronicle) for tamper-evident, long-term retention. The Admin console's audit and investigation tool keeps most events for only about six months, far short of the documentation retention period.
6. Manage Endpoints
- Enroll all devices accessing PHI in Endpoint Management (Advanced or Enterprise tier).
- Require device encryption, screen lock, minimum OS version, and account-level remote wipe.
- Apply Chrome Enterprise Premium (formerly BeyondCorp Enterprise, on Enterprise Plus) on top of Context-Aware Access to enforce zero-trust access.
7. Govern Google Meet for Healthcare
- Restrict meeting joins to authenticated users only for sessions involving PHI.
- Disable anonymous join for clinical workspaces.
- Apply retention rules to Meet recordings and transcripts.
- Disable lobby bypass for external participants where PHI may be discussed.
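Checking that baseline against what the tenant actually reports, as an added example that is not part of the original article and not Google's tooling: the script below evaluates the identity and forwarding controls (steps 1 and 4) offline against the JSON you would get from the Admin SDK Directory API `users.list` call and the Gmail API `users.settings.getAutoForwarding` call. The field names are the documented ones; the sample payloads, the domain `clinic.example`, and the severity labels are constructed for illustration, and fetching the data with your own service account is assumed to have happened beforehand.

```python
"""Offline posture check for the identity and forwarding steps of the baseline.

Added example for this article, not Google's code. It assumes you have already
pulled, with your own credentials, the Directory API users.list response and
the Gmail API getAutoForwarding result for each mailbox. Field names are the
documented ones; the payloads, domain and severity labels are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    control: str
    severity: str
    detail: str


# Constructed sample of users.list "users[]", trimmed to the fields we evaluate.
SAMPLE_USERS = [
    {"primaryEmail": "admin@clinic.example", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "dr.patel@clinic.example", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "frontdesk@clinic.example", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "old.intern@clinic.example", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
    {"primaryEmail": "it.lead@clinic.example", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
]

# Constructed sample of getAutoForwarding results, keyed by mailbox.
SAMPLE_FORWARDING = {
    "dr.patel@clinic.example": {"enabled": True, "emailAddress": "drpatel@gmail.com",
                                "disposition": "leaveInInbox"},
    "frontdesk@clinic.example": {"enabled": True, "emailAddress": "triage@clinic.example",
                                 "disposition": "archive"},
    "admin@clinic.example": {"enabled": False},
}

INTERNAL_DOMAINS = {"clinic.example"}  # assumption: the tenant's own domains


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(users, forwarding, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per failed control, most severe first."""
    findings = []
    for u in users:
        email = u["primaryEmail"]
        # Suspended or archived accounts cannot sign in; re-check them on reactivation.
        if u.get("suspended") or u.get("archived"):
            continue
        admin = u.get("isAdmin", False)
        if not u.get("isEnforcedIn2Sv", False):
            findings.append(Finding(email, "2sv_enforced", "high" if admin else "medium",
                                    "2-Step Verification is not enforced for this account's org unit"))
        if not u.get("isEnrolledIn2Sv", False):
            findings.append(Finding(email, "2sv_enrolled", "critical" if admin else "high",
                                    "no second factor enrolled; a password alone opens this mailbox"))
        fwd = forwarding.get(email, {})
        if fwd.get("enabled") and domain_of(fwd.get("emailAddress", "")) not in internal_domains:
            findings.append(Finding(email, "external_auto_forward", "critical",
                                    f"mailbox auto-forwards every message to {fwd['emailAddress']}"))
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.user, f.control))


def run_sample():
    return evaluate(SAMPLE_USERS, SAMPLE_FORWARDING)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.user:28} {f.control:22} {f.detail}")
```

Two design points: suspended accounts are skipped rather than reported, because they cannot sign in and would otherwise flood the report, and an admin without an enrolled second factor is rated above a clinician without one, since that account can change every other control on this list.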
Common HIPAA Mistakes Inside Google Workspace
| Mistake | Risk | Fix |
|---------|------|-----|
| Personal Gmail used for clinical work | Unprotected PHI outside the BAA | Block personal accounts in managed browser, issue Workspace seat |
| Drive sharing defaults left "Anyone with the link" | Anonymous PHI exposure | Restrict sharing default to "Specific people" |
| External auto-forwarding enabled | PHI exfiltration through phishing or insider | Block external forwarding tenant-wide |
| No DLP applied to PHI patterns | Undetected sharing or leakage | Enable DLP rules with HIPAA template |
| Meet recordings stored without retention rules | PHI sitting indefinitely in Drive | Apply Vault retention to Meet recordings |
| Marketplace apps installed without BAA | Third-party apps processing PHI outside scope | Restrict Marketplace install to admin-approved list |
| Personal mobile devices accessing Drive | Unmanaged endpoints holding PHI | Enroll in Advanced Endpoint Management with compliance gates |
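What a "HIPAA identifier" DLP rule (step 3 of the baseline, and the "No DLP applied" row above) actually has to get right, as an added example that is not the article's own text and not Google's DLP engine: format validation so that an invoice number is not flagged as an SSN, a context requirement so that a bare code is not treated as a diagnosis, and a block-versus-warn decision that depends on whether any recipient is external. The regexes, context words, domain `clinic.example`, and the three sample messages are constructed for illustration; use something like this to test candidate rule logic on sample text before switching on the real rule in the Admin console.

```python
"""PHI pattern detection in the spirit of the Workspace DLP step above.

Added example for this article, not Google's DLP implementation. Shows the
validation, context and decision logic a HIPAA-identifier rule needs. The
regexes, context words, domain and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# US SSN: AAA-GG-SSSS. Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Medical record number: only with an explicit label, since MRN formats are site-specific (assumption).
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*([A-Z]{0,2}\d{6,10})\b", re.IGNORECASE)
# ICD-10-CM code with a decimal subclassification (E11.65, J45.909); 3-character codes are
# skipped on purpose because they collide with ordinary tokens like "B2B" or "A1C".
ICD10_RE = re.compile(r"\b[A-Z]\d[0-9A-Z]\.[0-9A-Z]{1,4}\b")
# Clinical context words that must accompany an MRN or ICD code (constructed list).
CONTEXT_WORDS = ("patient", "diagnosis", "dx", "referral", "lab result", "prescription")


@dataclass
class Detection:
    identifiers: dict = field(default_factory=dict)  # identifier type -> matched strings
    context: bool = False

    @property
    def is_phi(self):
        # A valid SSN is enough on its own; MRN and ICD codes also need clinical context.
        if self.identifiers.get("ssn"):
            return True
        return self.context and bool(self.identifiers.get("mrn") or self.identifiers.get("icd10"))


def detect_phi(text):
    d = Detection()
    for name, rx in (("ssn", SSN_RE), ("mrn", MRN_RE), ("icd10", ICD10_RE)):
        hits = rx.findall(text)
        if hits:
            d.identifiers[name] = hits
    lowered = text.lower()
    d.context = any(word in lowered for word in CONTEXT_WORDS)
    return d


def gmail_action(text, recipients, internal_domains):
    """Mirror of the Gmail rule: block PHI to any external recipient, warn internally, allow clean mail."""
    if not detect_phi(text).is_phi:
        return "allow"
    external = any(r.rsplit("@", 1)[-1].lower() not in internal_domains for r in recipients)
    return "block" if external else "warn"


# Constructed sample messages.
SAMPLE_REFERRAL = "Referral for patient J. Doe, MRN: 00482913, dx E11.65. SSN 123-45-6789 on file."
SAMPLE_BENIGN = "Reminder: invoice 987-65-4320 due Friday; meet in room B2."   # 987 is not a valid SSN area
SAMPLE_UNLABELLED = "Code review for build E11.65 and ticket 00482913 is at 3pm."  # no label, no context
INTERNAL = {"clinic.example"}

if __name__ == "__main__":
    for msg in (SAMPLE_REFERRAL, SAMPLE_BENIGN, SAMPLE_UNLABELLED):
        print(gmail_action(msg, ["dr@partner-hospital.example"], INTERNAL), "<-", msg)
```

Note the deliberate trade-off in `ICD10_RE`: dropping dotless three-character codes costs some recall but removes most false positives from version strings and product names, which is the same tuning you will do with the predefined detectors and context words in the Admin console rule.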
For broader HIPAA risk coverage, follow our HIPAA security rule safeguards checklist and the HIPAA risk assessment framework.
Google Workspace vs Microsoft 365 for HIPAA
Most healthcare organizations end up choosing between these two. The decision usually depends on existing infrastructure, admin maturity, and budget for compliance tooling at higher tiers.
| Factor | Google Workspace | Microsoft 365 |
|--------|------------------|---------------|
| HIPAA BAA | Yes, Business Standard and up | Yes, Business Basic and up |
| Setup speed | Faster | Slower, more configuration |
| Admin depth | Lighter, simpler | Deeper, more granular |
| DLP for HIPAA | Strong from Business Standard | Strongest at E3 and E5 |
| Endpoint management | Advanced and Enterprise tier add-on | Intune deep, native |
| Telehealth | Google Meet works for many practices | Teams strong for hybrid hospital systems |
| Best fit | Cloud-native startups, ambulatory clinics | Hospitals, hybrid environments, regulated enterprises |
If you are mid-evaluation, our paired guide on is Microsoft 365 HIPAA compliant walks through the same questions on the Microsoft side.
What the BAA Does Not Cover
The Google BAA explicitly excludes:
- Personal Google accounts (Gmail.com, etc.).
- Google services not listed in the in-scope Workspace services.
- Third-party Marketplace apps without their own BAA.
- Workspace Individual.
- Some preview or Labs features.
Always confirm the current covered services list before allowing PHI to flow through a feature: Google publishes it as the HIPAA Included Functionality document for Google Workspace, and the same terms sit in the Admin console under Account > Account settings > Legal and compliance, next to the BAA itself.
How to Sign the Google Workspace BAA
For most commercial Workspace customers in 2026, the BAA is accepted through the Admin console:
- Sign in to admin.google.com as a super administrator
- Go to Account > Account settings > Legal and compliance
- Select Security and Privacy Additional Terms
- Open the HIPAA Business Associate Amendment
- Review and accept the BAA on behalf of the organization
- Save the confirmation email and store it with your HIPAA documentation
For organizations on a Google reseller contract or an enterprise agreement, the BAA may be incorporated into the master agreement. Confirm with your account representative.
Frequently Asked Questions

Is Google Workspace HIPAA compliant by default?
No. Google Workspace is HIPAA capable on eligible Business and Enterprise plans, but the BAA must be accepted and the tenant must be configured with identity, sharing, DLP, retention, and device controls aligned to HIPAA before PHI is allowed.
Is regular Gmail HIPAA compliant?
No. Personal Gmail (gmail.com) and other consumer Google accounts are not eligible for the HIPAA BAA. Healthcare organizations must use Google Workspace or another BAA-covered email platform.
Is Google Workspace Business Starter HIPAA compliant?
In some regions Google now extends BAA coverage to Business Starter, but feature gaps (no Vault, limited storage, no advanced DLP) make it a poor fit for most healthcare organizations. Business Standard is the practical minimum for HIPAA-aligned operation.
Is Google Meet HIPAA compliant for telehealth?
Yes, when the tenant is on an eligible plan with the BAA in place, anonymous join is disabled, recordings have retention applied, and clinical meetings restrict joins to authenticated users.
Does the Google BAA require an additional fee?
No. The Google Workspace HIPAA BAA is offered at no additional charge to eligible commercial customers.
Does Google Workspace meet HIPAA's audit log requirement?
Google Workspace generates audit logs for admin, user, login, Drive, Gmail, and Meet activity. Vault retention covers the content (mail, files, chats, recordings), not these audit events, and the Admin console keeps them for only a limited window, so export the logs to a SIEM or long-term store if they form part of your documentation set. To meet HIPAA's six-year documentation retention, pair Vault retention rules with that export.
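Turning exported audit events into something a SIEM can retain tamper-evidently, as an added example for both the Vault/audit step in the baseline and this answer (not the article's own code and not Google's): the script below flattens a Reports API `activities.list` response into one JSON line per event, tags the two events a HIPAA tenant should page on (a Drive document switched to link sharing, a login failure), and hash-chains the lines so that any edit, removal, or reordering of earlier lines is detectable. The response shape (`items[].id.time`, `actor.email`, `ipAddress`, `events[].name`, `events[].parameters[].{name,value}`) is the documented one; the two records, the domain `clinic.example`, the alert rules, and the chain format are constructed for this example, and calling the API with your own credentials is assumed to happen beforehand.

```python
"""Flatten Reports API audit activity into hash-chained JSON lines for a SIEM.

Added example for this article, not Google's code. Assumes you have already
called activities.list with your own credentials; the response shape is the
documented one, while the records, alert rules and chain format are this
example's own.
"""
import hashlib
import json

GENESIS = "0" * 64
RISKY_VISIBILITY = {"people_with_link", "public_on_the_web"}

# Constructed sample response: one Drive ACL change and one failed login.
SAMPLE_ACTIVITIES = {"items": [
    {"id": {"time": "2026-02-03T14:02:11.000Z", "uniqueQualifier": "-12345",
            "applicationName": "drive", "customerId": "C0abc"},
     "actor": {"email": "frontdesk@clinic.example", "profileId": "1001"},
     "ipAddress": "203.0.113.7",
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_id", "value": "1AbC"},
                                {"name": "doc_title", "value": "intake-2026-02.xlsx"},
                                {"name": "old_visibility", "value": "private"},
                                {"name": "visibility", "value": "people_with_link"}]}]},
    {"id": {"time": "2026-02-03T14:05:40.000Z", "uniqueQualifier": "-12346",
            "applicationName": "login", "customerId": "C0abc"},
     "actor": {"email": "dr.patel@clinic.example", "profileId": "1002"},
     "ipAddress": "198.51.100.23",
     "events": [{"type": "login", "name": "login_failure",
                 "parameters": [{"name": "login_type", "value": "google_password"},
                                {"name": "login_failure_type",
                                 "value": "login_failure_invalid_password"}]}]},
]}


def classify(row):
    """Example alert rules for a HIPAA tenant (this example's own, not Google's)."""
    if row["app"] == "drive" and row["params"].get("visibility") in RISKY_VISIBILITY:
        return "drive_link_sharing"
    if row["app"] == "login" and row["event"] == "login_failure":
        return "login_failure"
    return None


def flatten(activities):
    """One flat row per event, with parameters lifted into a dict and an alert tag."""
    rows = []
    for item in activities.get("items", []):
        base = {"time": item["id"]["time"], "app": item["id"]["applicationName"],
                "actor": item.get("actor", {}).get("email"), "ip": item.get("ipAddress")}
        for ev in item.get("events", []):
            params = {p["name"]: p.get("value", p.get("boolValue", p.get("intValue")))
                      for p in ev.get("parameters", [])}
            row = dict(base, event=ev["name"], params=params)
            row["alert"] = classify(row)
            rows.append(row)
    return rows


def canonical(record):
    # Deterministic serialization so the hash is reproducible by the verifier.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def chain(rows, prev_hash=GENESIS):
    """Emit JSON lines where each hash commits to the previous hash and this record."""
    lines = []
    for row in rows:
        digest = hashlib.sha256((prev_hash + canonical(row)).encode()).hexdigest()
        lines.append(canonical({"prev": prev_hash, "hash": digest, "record": row}))
        prev_hash = digest
    return lines


def verify(lines, genesis=GENESIS):
    """True only if no line was altered, removed from the middle, or reordered.
    Truncation at the tail is only detectable if the last hash is also stored elsewhere."""
    prev = genesis
    for line in lines:
        entry = json.loads(line)
        expected = hashlib.sha256((prev + canonical(entry["record"])).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def run_sample():
    rows = flatten(SAMPLE_ACTIVITIES)
    lines = chain(rows)
    tampered = json.loads(lines[0])
    tampered["record"]["actor"] = "someone.else@clinic.example"
    return {"rows": rows, "lines": lines, "intact": verify(lines),
            "tampered": verify([canonical(tampered)] + lines[1:]),
            "head_removed": verify(lines[1:])}


if __name__ == "__main__":
    for line in run_sample()["lines"]:
        print(line)
```

Ship the last hash of each export batch to a second store (a ticket, a write-once bucket, the SIEM's own audit trail) so that tail truncation is detectable too; the chain alone only proves the prefix you still hold is unmodified.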
Can clinicians use the Google Workspace mobile app for PHI?
Yes, on a mobile device enrolled in Endpoint Management with required compliance settings. Personal devices that are not enrolled should not access PHI.
Final Word
So is Google Workspace HIPAA compliant in production? It can be. It is a strong HIPAA-capable platform for cloud-native healthcare startups and small clinics. But the BAA is one piece of a larger picture. Without configuration of identity, sharing, DLP, retention, and endpoints, the tenant is not HIPAA compliant in any meaningful sense. Treat Google Workspace like any other in-scope cloud service. Scope it. Sign the BAA. Configure it. Document the configuration. Review the outcome at least quarterly.
If you are an SMB or healthcare startup starting a new build, pair this guide with our HIPAA compliance for SaaS startups primer, the HIPAA business associate agreement checklist, and the HIPAA training requirements framework. For small practices choosing between suites, also see is Microsoft 365 HIPAA compliant for the side-by-side decision.
