2 min read

Is Google Workspace HIPAA compliant?

Kapua Iao December 18, 2023

HIPAA compliant email HIPAA Compliance

Google Workspace is a collection of cloud computing productivity and collaboration tools, software, and products developed by Google. Many healthcare organizations use the digital platform to connect and communicate with employees, patients, and other healthcare providers.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Google offers a BAA for Workspace and can be configured to be HIPAA compliant.

What is Google Workspace?

Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity and collaboration tools offered by Google. The suite includes services such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, Google Keep, and others.

These tools are used by individuals, teams, and organizations to communicate, store, and manage data and documents, and collaborate on projects. While these services are typically free to use for individuals, Google Workspace has various enterprise (paid) features for businesses.

MORE INFO: Google & HIPAA compliance: The ultimate guide

Google Workspace privacy and security

Google prides itself on its cybersecurity and privacy features with both defensive and offensive tools automatically available to users. Such features, however, are not all HIPAA compliant, which is why Google created the Google Workspace and Cloud Identity HIPAA Implementation Guide. This informational handbook explains how to configure and use Workspace services to support HIPAA compliance.

Of course, there are limitations to the compliance capabilities of some of the services. We have already noted several issues related to Gmail and HIPAA compliant email. Knowing such issues and how to configure the services needed can be hard to navigate for some organizations.

LEARN ABOUT: Why Google Workspace and Microsoft 365 aren’t enough for complete HIPAA compliance

Is Google Workspace a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

Permitted uses and disclosures of PHI
Safeguards for protecting PHI
Reporting and mitigation of security incidents
Compliance with HIPAA regulations
Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Google Workspace and its ability to be HIPAA compliant. In the case of Google Workspace, the service would certainly fall into the category of business associate if it’s storing, processing, or transmitting PHI on its platform.

Google Workspace and the BAA

Google offers a BAA for Google Workspace, pointing out that the BAA covers Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Chat, Google Meet, Keep, Google Cloud Search, Google Voice, Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault. According to Google, PHI is not permitted with Google Contacts.

Given the scope of HIPAA compliance and the need to secure PHI, three points must be made:

The BAA is not included by default and must be entered and signed by organizations.
Using a paid Google Workspace with a signed BAA does not automatically make an account HIPAA compliant.
Google’s BAA does not cover email sent or received in transit, which is an essential component of sending HIPAA compliant email.