
Is Google Workspace HIPAA compliant? (2025 update)


Google Workspace, formerly known as G Suite, is a cloud-based suite of productivity and collaboration tools that includes Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, Google Keep, and more.

With Google Workspace, individuals, teams, and organizations can communicate, store data, manage documents, and collaborate in real time. However, while these tools support efficient workflows across many industries, healthcare organizations must ensure that their use of Google Workspace meets HIPAA requirements when handling protected health information (PHI).

Is Google Workspace HIPAA compliant? Yes, based on our research, Google Workspace can be HIPAA compliant.


Will Google Workspace sign a business associate agreement (BAA)?

Yes, Google Workspace will sign a business associate agreement, which can be reviewed here.


What does the Google Workspace BAA cover?

The Google Workspace BAA covers the use and disclosure of protected health information (PHI), stating, “All users can access this subset of Core Services for use with PHI under the BAA as long as the health care organization configures those services to be HIPAA compliant: Gmail, Calendar, Drive, Gemini for Google Workspace, Google Chat, Google Meet, Keep, Google Cloud Search, Google Voice, Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.”


What does the Google Workspace BAA exclude?

While Google Workspace can be used in a HIPAA compliant manner, there are limitations, and signing the BAA does not make Google Workspace fully HIPAA compliant on its own. The main issue lies in email encryption. Although Gmail attempts to use TLS to secure emails in transit, the connection isn’t always secure if the recipient’s server doesn’t support TLS. In such cases, Gmail may deliver the message unencrypted—a clear risk for organizations handling PHI. Google does offer a setting to enforce TLS, but this can result in bounced emails if the recipient’s server doesn’t comply, disrupting communication.

Additionally, Google Workspace supports older versions of TLS, like 1.0 and 1.1, which are no longer considered secure. This poses another challenge for organizations trying to maintain HIPAA compliance.
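As an added example that is not part of this article or of Google's tooling, the Python script below audits the Received headers of a delivered message (Gmail records the negotiated protocol in the header it adds, e.g. `version=TLS1_2`) and flags any hop that was delivered in plaintext or over TLS 1.0/1.1. The sample message is constructed, and the `TLS1` spelling for TLS 1.0 is an assumption about Gmail's notation.

```python
import re
from email import message_from_string

MIN_TLS = (1, 2)  # TLS 1.0 and 1.1, which the article flags, fall below this
# Gmail records the negotiated protocol in the Received header it adds, e.g.
# "(version=TLS1_3 cipher=...)". ASSUMPTION: TLS 1.0 is written "TLS1" with no minor part.
_VERSION_RE = re.compile(r"version=TLS(\d+)(?:_(\d+))?")
_ENCRYPTED_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}

def classify_hop(received: str) -> dict:
    """Return how one mail hop was delivered, based on its Received header."""
    text = " ".join(received.split())  # unfold continuation lines
    m = _VERSION_RE.search(text)
    version = (int(m.group(1)), int(m.group(2) or 0)) if m else None
    proto = re.search(r"\bwith\s+([A-Za-z]+)", text)
    protocol = proto.group(1).upper() if proto else ""
    if version is None and protocol not in _ENCRYPTED_PROTOCOLS:
        verdict = "plaintext"  # the unencrypted fallback the article warns about
    elif version is not None and version < MIN_TLS:
        verdict = "deprecated_tls"
    elif version is None:
        verdict = "tls_unknown_version"
    else:
        verdict = "ok"
    return {"version": version, "protocol": protocol, "verdict": verdict}

def audit_message(raw_message: str) -> dict:
    """Classify every Received hop of a message and report the weakest one."""
    msg = message_from_string(raw_message)
    hops = [classify_hop(h) for h in msg.get_all("Received", [])]
    severity = {"plaintext": 3, "deprecated_tls": 2, "tls_unknown_version": 1, "ok": 0}
    worst = max(hops, key=lambda h: severity[h["verdict"]], default=None)
    return {"hops": hops, "worst": worst["verdict"] if worst else "no_received_headers"}

# Constructed sample (not real mail): hops over TLS 1.3, TLS 1.0, and no TLS at all.
SAMPLE = """Received: from mx3.example.net ([192.0.2.3]) by mx.google.com with ESMTPS id a1
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 1 Jan 2024 10:00:02 -0800
Received: from relay.example.org ([192.0.2.2]) by mx3.example.net with ESMTPS id b2
        (version=TLS1 cipher=ECDHE-RSA-AES256-SHA bits=256/256); Mon, 1 Jan 2024 10:00:01 -0800
Received: from clinic-pc.example.org ([192.0.2.1]) by relay.example.org with ESMTP id c3;
        Mon, 1 Jan 2024 10:00:00 -0800
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(audit_message(SAMPLE)["worst"])  # plaintext
```

Running this over messages exported from a mailbox gives a quick inventory of which correspondents' servers still negotiate deprecated TLS versions or none at all before an organisation turns on Gmail's enforced-TLS setting.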


Conclusion

Google Workspace may be HIPAA compliant, but only when configured correctly.

Learn more: HIPAA Compliant Email: The Definitive Guide


FAQs

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.


What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.


Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
