2 min read

Is Looker HIPAA compliant? (2026 update)

Picture of Mara Ellis Mara Ellis January 11, 2022

HIPAA compliance
Looker logo

Looker is Google Cloud’s business intelligence and embedded analytics platform. It helps organizations explore, analyze, visualize, and share data through governed dashboards, reports, and data models.

Is Looker HIPAA compliant? Yes, Looker is HIPAA compliant.

 

What changed this year?

As of May 2026, our review did not identify any publicly disclosed changes to Looker’s HIPAA-related policies or BAA terms. Google’s current HIPAA guidance still says Google Cloud supports HIPAA compliance within the scope of a business associate agreement, and Google’s Looker HIPAA terms still state that Looker support depends on the covered services, customer configuration, and exclusions.

 

Will Looker sign a business associate agreement (BAA)?

Yes, Google will sign a business associate agreement for Looker. Google’s HIPAA compliance page states that Google will enter into BAAs with customers as necessary under HIPAA, while the Looker HIPAA implementation guidance says customers can request a BAA directly from their account manager.

 

What does the Looker BAA cover?

The Looker BAA covers certain Looker services under a Looker-hosted deployment. Google’s terms say the BAA covers Looker’s Services under a Looker Hosted Deployment.

Their BAA covers:

  • Looker services under a Looker-hosted deployment
  • Protected health information used within covered Looker services
  • Customer-managed access permissions and security controls
  • Customer-managed use of applications connected to Looker
  • Secure configuration responsibilities
  • Access controls, including row, column, or field-level data security
  • Security reviews of users, groups, permissions, roles, API keys, public links, and related controls
  • Database security controls, including least privilege and encrypted database connections

What does the Looker BAA exclude?

Looker’s BAA does not cover every service, feature, integration, or deployment scenario. Google excludes third-party services, insecure API integration tools, and services that are not generally available. Its terms specifically exclude any API Integration tool that is not secure and Any Services that are not generally available.

Google also places significant responsibility on the customer. The customer controls the deployment environment, service configuration, access permissions, connected applications, and whether users access protected health information through Looker. Google’s guidance also tells customers to disable or avoid services not covered by the BAA when working with protected health information.

 

Conclusion

Looker is HIPAA compliant, but only when the customer has a signed BAA with Google, uses covered Looker services, disables excluded services, and configures the platform according to HIPAA requirements.

Learn more: HIPAA Compliant Email: The Definitive Guide

 

FAQS

What is a BAA?

A BAA is a legally binding contract establishing a relationship between a covered entity under HIPAA and its business associates. The purpose of this agreement is to ensure the proper protection of PHI as required by HIPAA regulations. HHS explains that HIPAA generally requires covered entities and business associates to enter into contracts with business associates to ensure they appropriately safeguard PHI.

 

What is HIPAA?

HIPAA sets national standards for protecting the privacy and security of certain health information.

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

 

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity. HHS defines a business associate as a person or entity that performs certain functions or services for a covered entity involving access to protected health information.
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Presenter discussing the HITRUST Approach framework at a conference

HITRUST community extension program (CEP) in Tampa

Picture of Hoala Greevy Hoala Greevy : July 10, 2019

Mike Parisi (HITRUST) We flew in from San Francisco for a HITRUST Community Extension Program today in Tampa, Florida. It was sponsored by 360...

HIPAA compliance
Read More
iPhone home screen displaying various social media and communication apps

1 min read

Social media & HIPAA compliance: The ultimate guide

Amanda Larson : July 10, 2020

As more people flock to the internet to share their lives, social media sites are growing in popularity and in users. Naturally, many businesses,...

HIPAA compliance
Read More
Judge's gavel on a wooden block

HHS issues guidance on HIPAA and ERPOs

Sara Nguyen : January 15, 2022

The Department of Health and Human Services (HHS) through its Office of Civil Rights (OCR) released new guidance regarding how HIPAA compliant...

HIPAA compliance
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.