Google Gemini
Is Google Gemini HIPAA Compliant for Medical Clinics?
Google Gemini for Workspace Enterprise customers can be covered under a BAA, but only in specific configurations where AI training on customer data is disabled. Consumer Gemini is not HIPAA compliant.
Short answer
Google Gemini in its consumer form is not HIPAA compliant. Gemini integrated into Google Workspace can be covered under a BAA for Enterprise-tier customers when the organization disables AI training on customer data. Clinics must confirm they are on the correct Workspace tier, that the BAA is active, and that Gemini is configured to not use submitted content for model training.
Verdict: Conditional for Workspace Enterprise; No for consumer
Google Gemini has two distinct compliance profiles depending on how it is accessed. Consumer Gemini — at gemini.google.com, including Gemini Advanced — has no BAA path and is not suitable for PHI. Gemini integrated into Google Workspace can be covered under the Workspace BAA for qualifying enterprise tiers, but requires specific configuration and active confirmation of covered-services status.
Consumer Gemini: a hard no
The consumer Gemini product operates under Google’s general terms of service. Google does not offer a Business Associate Agreement for this product. A clinic staff member who types patient information into gemini.google.com — even to draft a care note or summarize a chart — is transmitting PHI to a system without a BAA. This is a HIPAA violation regardless of intent.
Google Workspace and Gemini
Google offers a BAA for Workspace at qualifying tiers. The BAA covers specific Workspace services — not all Google products. When Gemini features are integrated into Workspace (such as Gemini in Gmail, Docs, or Meet), their coverage under the BAA depends on:
- The Workspace tier (generally Enterprise Plus, or a tier with the Gemini for Workspace add-on)
- Whether Gemini is listed as a covered service in the BAA version currently in effect
- Whether the organization has disabled AI model training on its data
Google’s HIPAA implementation guide for Workspace documents the process for confirming the BAA and identifying covered services. Clinics must review that documentation and confirm Gemini’s current status, since Google updates its covered-services list as products evolve.
AI training, data use, and PHI coverage
Three questions a clinic must answer before any staff member uses a Gemini feature:
(a) Is AI training on your data enabled by default? For consumer Gemini accounts (gemini.google.com, Gemini Advanced), Google’s standard terms permit use of conversations to improve its AI models. There is no opt-out that produces a BAA, so consumer Gemini is off-limits entirely. For Google Workspace Enterprise accounts, AI model training on customer data is turned off by default under the enterprise terms — but only if the Workspace tenant is correctly provisioned as a commercial enterprise account, not a consumer or education account.
(b) How do you disable it? For Google Workspace Enterprise, navigate to the Google Admin Console and confirm that the “AI model improvement” or “Gemini AI improvement” setting is disabled at the organizational unit level. Google’s HIPAA implementation guide for Workspace documents the specific admin controls. This is an organization-level control — individual user settings are insufficient.
(c) Are prompts containing PHI covered by the BAA? Prompts submitted through Gemini features that are listed as covered services under the Google Workspace BAA — such as Gemini in Gmail, Docs, or Meet — are covered when the account is on a qualifying Enterprise tier and the BAA is active. Prompts submitted through consumer Gemini surfaces, including gemini.google.com and Gemini Advanced, are not covered by any BAA regardless of the organization’s Workspace tier.
What staff must understand
A signed BAA and correct configuration reduce legal exposure. They do not substitute for staff judgment. Clinic personnel need clear guidance on:
- which Workspace features are covered under the BAA
- which AI-powered features remain off-limits (typically those not on Google’s current covered-services list)
- how to recognize when a task requires a clinically scoped tool rather than a general AI assistant
Recommended approach
Clinics already on Google Workspace Enterprise should work through Google’s HIPAA implementation guide, confirm Gemini’s coverage status, and train staff before any clinical prompting. Clinics not on a qualifying Workspace tier should not use any Gemini feature for PHI.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- Google Workspace HIPAA Implementation Guide | Google
- Google Cloud HIPAA Compliance | Google Cloud
- HHS OCR — Business Associate Contracts | HHS