Is G Suite HIPAA Compliant?

G Suite, now branded as Google Workspace, can support HIPAA compliance when a HIPAA Covered Entity or Business Associate signs Google’s Business Associate Addendum, limits use to Google services with HIPAA included functionality, and configures those services to meet HIPAA Security Rule requirements for electronic protected health information.

G Suite And Google Workspace Terminology

G Suite refers to the prior branding for Google Workspace. HIPAA compliance evaluation should be performed against the current Google Workspace subscription, the executed Business Associate Addendum, and the set of services authorized for protected health information within that agreement.

Business Associate Addendum Requirement

A signed Business Associate Addendum is required before protected health information is created, received, maintained, or transmitted in Google Workspace services. Organizations that have not signed the Business Associate Addendum should not use Google Workspace or Cloud Identity services to handle protected health information.

The Business Associate Addendum establishes Google’s obligations as a Business Associate for covered services. The customer organization remains responsible for administrative controls, configuration, and workforce compliance.

Services With HIPAA Included Functionality

Protected health information may be used only in Google Workspace services identified by Google as having HIPAA included functionality under the Business Associate Addendum scope.

Covered services commonly used in healthcare include Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, Google Chat, Google Groups, Google Forms, Google Sites, Google Vault, Google Voice, Google Tasks, Google Cloud Search, Google Keep, and Cloud Identity.

Organizations should verify the current included functionality list in the administrator environment used for the subscription.

Services Outside Scope And Data Handling Controls

Not every Google service connected to a Google account is covered for protected health information. Non-covered consumer services and non-core services should not be used for protected health information.

Administrative controls should restrict access to non-covered services where feasible. Written policy should prohibit storing or transmitting protected health information in non-covered services. Monitoring and enforcement should align with organizational compliance procedures.

Configuration Requirements Under The HIPAA Security Rule

Google Workspace requires configuration and governance to support the HIPAA Security Rule.

Account controls should require unique user accounts, strong authentication, and access provisioning that removes access promptly when workforce status changes. Session controls should reduce exposure on unattended devices. Audit controls should be enabled to support review of account activity and investigation of suspected impermissible access.

Data controls should address sharing restrictions in Google Drive and related collaboration services. External sharing should be constrained to authorized recipients. Administrative controls should govern creation of public links, domain restrictions, and transfer of files outside the managed environment.

Retention controls should align with organizational record retention and legal hold processes when applicable. Storage locations for email, files, and recordings should remain within covered services and within the scope of the Business Associate Addendum.
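The account and sharing controls described above are verifiable from the data a Workspace administrator can already export. The following script is an added example, not code from the article or from Google: it runs two checks offline over records shaped like the Admin SDK Directory API `users.list` response (2-Step Verification enrollment and last login) and the Reports API `activities.list` response for Drive audit events (visibility changes and access grants). The sample records, the managed domain `clinic.example`, the 90-day dormancy threshold, and the exact field and event names are assumptions to be checked against the current API reference before the checks are pointed at real exports.

```python
"""Offline audit over Google Workspace admin data for the account and sharing
controls a HIPAA configuration review looks for: 2SV enrollment, prompt
deprovisioning of idle accounts, and file exposure outside the managed domain.

Added example; not from the article or from Google. Record shapes follow the
Directory API users.list and Reports API activities.list (applicationName=drive)
responses as an assumption; all sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone

MANAGED_DOMAIN = "clinic.example"                  # assumed managed domain
DORMANT_DAYS = 90                                  # assumed review threshold
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" for the sample
# Visibility values that expose a file beyond named, domain-limited recipients.
EXPOSING_VISIBILITY = {"public_on_the_web", "people_with_link"}

# Constructed sample: Directory API user records with 2SV and login fields.
SAMPLE_USERS = [
    {"primaryEmail": "nurse@clinic.example", "suspended": False,
     "isEnrolledIn2Sv": True, "lastLoginTime": "2024-05-01T12:00:00.000Z"},
    {"primaryEmail": "contractor@clinic.example", "suspended": False,
     "isEnrolledIn2Sv": False, "lastLoginTime": "2023-11-15T09:30:00.000Z"},
    {"primaryEmail": "former.staff@clinic.example", "suspended": False,
     "isEnrolledIn2Sv": True, "lastLoginTime": "2023-06-01T08:00:00.000Z"},
    {"primaryEmail": "retired@clinic.example", "suspended": True,
     "isEnrolledIn2Sv": False, "lastLoginTime": "2022-01-01T08:00:00.000Z"},
]

# Constructed sample: Drive audit activities (ACL changes only).
SAMPLE_DRIVE_EVENTS = [
    {"id": {"time": "2024-05-02T10:00:00.000Z"},
     "actor": {"email": "nurse@clinic.example"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Intake form - J.D."},
                                {"name": "visibility", "value": "public_on_the_web"}]}]},
    {"id": {"time": "2024-05-02T10:05:00.000Z"},
     "actor": {"email": "nurse@clinic.example"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Intake form - J.D."},
                                {"name": "target_user", "value": "physician@clinic.example"}]}]},
    {"id": {"time": "2024-05-02T11:00:00.000Z"},
     "actor": {"email": "contractor@clinic.example"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Billing export.csv"},
                                {"name": "target_user", "value": "someone@mail.example"}]}]},
    {"id": {"time": "2024-05-02T12:00:00.000Z"},
     "actor": {"email": "nurse@clinic.example"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Intake form - J.D."},
                                {"name": "visibility", "value": "private"}]}]},
]


def _param(event, name):
    """Return a named parameter value from a Reports API event, or None."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def _parse_time(value):
    """Parse the RFC 3339 timestamps the admin APIs emit; missing means never."""
    if not value:
        return datetime(1970, 1, 1, tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def account_findings(users, now=AS_OF, dormant_days=DORMANT_DAYS):
    """Flag active accounts without 2SV and accounts idle past the threshold."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # already deprovisioned; nothing to review
        email = u["primaryEmail"]
        if not u.get("isEnrolledIn2Sv"):
            findings.append({"user": email, "issue": "no_2sv"})
        if now - _parse_time(u.get("lastLoginTime")) > timedelta(days=dormant_days):
            findings.append({"user": email, "issue": "dormant_account"})
    return findings


def sharing_findings(activities, managed_domain=MANAGED_DOMAIN):
    """Flag link-based exposure and grants to recipients outside the domain."""
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "")
        when = act.get("id", {}).get("time", "")
        for ev in act.get("events", []):
            title = _param(ev, "doc_title")
            if ev.get("name") == "change_document_visibility":
                if _param(ev, "visibility") in EXPOSING_VISIBILITY:
                    findings.append({"time": when, "actor": actor, "doc": title,
                                     "issue": "public_link"})
            elif ev.get("name") == "change_user_access":
                # Compare on the full "@domain" suffix so look-alike domains do not match.
                target = (_param(ev, "target_user") or "").lower()
                if not target.endswith("@" + managed_domain):
                    findings.append({"time": when, "actor": actor, "doc": title,
                                     "issue": "external_share", "target": target})
    return findings


def run_audit(users=SAMPLE_USERS, activities=SAMPLE_DRIVE_EVENTS, now=AS_OF):
    """Run both checks and return the findings for review or ticketing."""
    return {"accounts": account_findings(users, now),
            "sharing": sharing_findings(activities)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

On the constructed sample the account check reports the contractor (no 2SV, dormant) and the former staff member (dormant) while skipping the already-suspended account, and the sharing check reports the public link and the grant to an address outside `clinic.example` while ignoring the in-domain grant and the change back to private. The same findings structure can feed an access review or a ticket queue; the thresholds and the set of exposing visibility values are policy decisions for the organization.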

Recording And Stored Content Considerations

Meetings, recordings, chat logs, email threads, and attachments can contain protected health information. Recording controls should be governed by policy and administered through centralized settings. Stored recordings and related artifacts should remain within services covered by the Business Associate Addendum and subject to access controls and retention settings.

Calendaring and invitation content can disclose protected health information through titles, locations, and attendee notes. Organizations should define acceptable scheduling practices that limit protected health information and align with the HIPAA Minimum Necessary Rule when the rule applies.

Third Party Applications And Integrations

Third party applications integrated with Google Workspace are not covered by Google’s Business Associate Addendum. Any vendor that creates, receives, maintains, or transmits protected health information on behalf of a HIPAA Covered Entity or Business Associate requires its own Business Associate Agreement.

Organizations should evaluate add-ons, connectors, and automation tools for data flows that move protected health information outside covered services.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA