

Is Google Workspace HIPAA Compliant for Medical Clinics?

What small clinics need to know about Google Workspace's HIPAA BAA, covered services, required admin configuration, and the features Google excludes from BAA scope.

Short answer

Google Workspace can be configured for HIPAA-covered use, but only after a super administrator explicitly accepts the HIPAA Business Associate Amendment in the Admin Console and then applies a set of admin controls. Google's BAA covers a defined set of Workspace services (Gmail, Drive, Docs, Sheets, Calendar, Meet, and others) but explicitly excludes certain AI features, Marketplace add-ons, any third-party app the clinic installs, and Google products outside Workspace. The default configuration of Google Workspace is not HIPAA-safe: the clinic is responsible for knowing which services are in scope and for configuring each of them appropriately.

How to accept the Google Workspace BAA

  1. Sign in to the Google Admin Console using a super administrator account.
  2. Navigate to Account > Account Settings > Legal.
  3. Find the HIPAA Business Associate Amendment and accept it.
  4. Record the date of acceptance and the admin who accepted it as part of the clinic’s vendor management documentation.

This step must be completed before any PHI is created, stored, or transmitted through any covered Workspace service.

What is covered

Google’s HIPAA implementation guide identifies the Workspace services covered under the BAA. At the time of writing, the covered services include:

  • Gmail (exchange of email using Google’s servers)
  • Google Drive (file storage and collaboration)
  • Google Docs, Sheets, Slides
  • Google Forms
  • Google Calendar
  • Google Meet
  • Google Chat (in covered configurations)
  • Google Sites (in certain configurations)
  • Google Vault (for archiving and e-discovery)

Verify the current list against Google’s published HIPAA implementation guide, as coverage can change when new features are added or when Google updates its service terms.

What is not covered

Google explicitly excludes certain products and features from BAA coverage. These have included:

  • Google Workspace Marketplace add-ons. Any third-party app installed from the Marketplace accesses Workspace data outside Google’s BAA scope. A separate assessment and BAA with the add-on vendor is required.
  • Certain Gemini AI features. AI-generated content features integrated into Docs, Gmail, and other Workspace apps may fall outside the BAA if they rely on AI processing that Google has not included in covered services. Verify against current Google guidance before enabling AI features in a PHI-adjacent environment.
  • Personal Google accounts. Staff who sign in with personal @gmail.com accounts rather than their Workspace accounts are not covered.
  • Google consumer products. Google Photos, personal Drive, and other consumer Google services are not covered.

Required admin configuration

Accepting the BAA is the first step. The clinic’s admin must also apply controls across the Workspace environment:

  • Restrict external sharing in Drive. Set the Drive sharing policy so files cannot be shared outside the organization without explicit control, and disable "Anyone with the link" sharing: it grants access without authentication, so the audit log cannot attribute the access to an identifiable user.
  • Configure organizational units. Place staff who handle PHI in their own OU so that stricter sharing, device, and authentication policies can be applied to them separately from administrative staff with no PHI exposure.
  • Enable audit and investigation tools. Workspace records admin, login, Drive, and other activity in its audit and investigation tool, but retains it only for a limited period (Google documents six months for most logs). If the clinic’s retention policy requires longer, export the logs (via the Reports API or the BigQuery export) to storage the clinic controls rather than relying on the console.
  • Enforce 2-Step Verification. Enforce it, rather than merely allowing it, for every account that can reach PHI; a user who enrolled voluntarily can turn 2SV off again unless enforcement is set on their OU. Workspace lets the admin restrict which methods count; prefer security keys or passkeys over SMS codes.
  • Review Google Meet recording settings. Recordings must save to organization-controlled Drive locations with appropriate access restrictions, and the Drive sharing rules above then apply to them.
  • Audit and control Calendar sharing. Patient names or visit reasons in event titles or descriptions are PHI. Limit external calendar sharing to free/busy information so that event details are not visible outside the organization.
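The two controls most often found half-applied in practice are 2-Step Verification that is enrolled but not enforced, and Drive files opened to "anyone with the link". The following script is an added example, not code from this page or from Google, that checks both against exported data. It assumes the field names of the Admin SDK Directory API `users.list` response (`primaryEmail`, `orgUnitPath`, `suspended`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`) and the Reports API `activities.list` Drive application (`actor.email`, `events[].name`, `events[].parameters[]`); the `/Clinical` OU, the account names, document ids and event records are constructed sample data.

```python
"""Offline audit of two Workspace controls from the checklist above.

Added example. Field names follow the Admin SDK Directory API (users.list)
and the Reports API drive application (activities.list); everything below
is constructed sample data, not real API output.
"""

PHI_OU = "/Clinical"  # hypothetical OU that holds PHI-handling staff

# Drive visibility values that grant access without a signed-in Workspace user.
UNAUTHENTICATED_VISIBILITY = {"people_with_link", "public_on_the_web"}

# Constructed sample: shape of Directory API users.list entries.
SAMPLE_USERS = [
    {"primaryEmail": "dr.lee@clinic.example", "orgUnitPath": "/Clinical/Providers",
     "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "frontdesk@clinic.example", "orgUnitPath": "/Clinical/FrontDesk",
     "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "nurse.k@clinic.example", "orgUnitPath": "/Clinical/Nursing",
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "billing@clinic.example", "orgUnitPath": "/Admin",
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "former.staff@clinic.example", "orgUnitPath": "/Clinical/Nursing",
     "suspended": True, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]

# Constructed sample: shape of Reports API drive activity records.
SAMPLE_DRIVE_EVENTS = [
    {"actor": {"email": "frontdesk@clinic.example"},
     "events": [{"name": "change_document_visibility", "parameters": [
         {"name": "doc_title", "value": "Intake form - J. Doe"},
         {"name": "doc_id", "value": "1AbCdEf"},
         {"name": "visibility", "value": "people_with_link"}]}]},
    {"actor": {"email": "dr.lee@clinic.example"},
     "events": [{"name": "change_document_visibility", "parameters": [
         {"name": "doc_title", "value": "Referral letter"},
         {"name": "doc_id", "value": "2GhIjKl"},
         {"name": "visibility", "value": "shared_internally"}]}]},
    {"actor": {"email": "nurse.k@clinic.example"},
     "events": [{"name": "view", "parameters": [
         {"name": "doc_id", "value": "1AbCdEf"}]}]},
]


def in_ou(user, ou):
    """True if the user sits in `ou` or any OU beneath it (exact path match,
    so '/ClinicalAdmin' does not count as inside '/Clinical')."""
    path = user.get("orgUnitPath", "")
    return path == ou or path.startswith(ou.rstrip("/") + "/")


def phi_users_without_enforced_2sv(users, ou=PHI_OU):
    """Active accounts in the PHI OU on which 2SV is not enforced.

    Enrolled-but-not-enforced is reported too: that user can switch 2SV off,
    so enrollment alone does not satisfy the control.
    """
    findings = []
    for u in users:
        if u.get("suspended") or not in_ou(u, ou):
            continue
        if not u.get("isEnforcedIn2Sv", False):
            status = "enrolled, not enforced" if u.get("isEnrolledIn2Sv") else "not enrolled"
            findings.append((u["primaryEmail"], status))
    return findings


def _params(event):
    """Flatten a Reports API parameter list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def unauthenticated_shares(activities):
    """Visibility changes that opened a file to link holders or the public."""
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "<unknown>")
        for ev in act.get("events", []):
            if ev.get("name") != "change_document_visibility":
                continue
            p = _params(ev)
            vis = p.get("visibility")
            if vis in UNAUTHENTICATED_VISIBILITY:
                findings.append((actor, p.get("doc_id"), p.get("doc_title"), vis))
    return findings


if __name__ == "__main__":
    for email, status in phi_users_without_enforced_2sv(SAMPLE_USERS):
        print(f"2SV FINDING  {email}: {status}")
    for actor, doc_id, title, vis in unauthenticated_shares(SAMPLE_DRIVE_EVENTS):
        print(f"SHARE FINDING {actor} set {doc_id!r} ({title}) to {vis}")
```

On the sample data the script reports the front-desk account (enrolled but not enforced) and the nurse account (not enrolled), skips the billing account outside the PHI OU and the suspended account, and flags the one intake form shared with "anyone with the link" while ignoring the internal share. Run against real exports, the same two functions turn the checklist items into something the clinic can re-check on a schedule rather than once at setup.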

The product fit question

Google Workspace is a general-purpose productivity suite. It handles email, documents, calendar, and video — all useful in a clinic. What it does not handle is the structure a HIPAA compliance program requires: task accountability tied to specific staff, policy attestation records, incident tracking, risk assessment documentation, and training completion logs.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using this software with PHI

Does every Google Workspace plan qualify for HIPAA BAA coverage?

Google allows BAA acceptance across paid Workspace plans. The BAA must be explicitly accepted by an admin. Review Google's current HIPAA implementation guide to confirm which services are covered on each plan tier.

Are Google Workspace Marketplace apps covered by the Google BAA?

No. Third-party apps installed through Google Workspace Marketplace are not covered by Google's BAA. Each app requires its own HIPAA assessment and, if it processes PHI, a separate BAA with that vendor.

Can a clinic use Google Workspace for patient record storage?

Google Workspace Drive can store documents under BAA coverage, but it is a general file-storage and document creation platform. It does not provide patient-record-level access control, purpose-based audit trails, or clinical workflow structure.

How does a Google Workspace admin accept the HIPAA BAA?

Log in to the Google Admin Console as a super administrator. Navigate to Account > Account Settings > Legal. Locate the HIPAA Business Associate Amendment and accept it. This must be done before any PHI enters the environment.

Operational assurance

Turn vendor research into a system your clinic can actually run.

PHIGuard gives small clinics a BAA-ready operating layer, recurring compliance work, and a safer home for patient-adjacent tasks.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.