Is Google Workspace HIPAA Compliant?
By Gil Vidals, , HIPAA Blog, HIPAA Gmail, Resources

Secure collaboration – it’s essential to your success. The excellent care you provide wouldn’t happen without it.

The question that’s on every doctor’s mind is this: Is Google Workspace HIPAA compliant?

It’s been estimated that a single hospital patient can see up to 10 different healthcare providers. Coordination of care is therefore essential for positive outcomes.

For numerous clinics and counselors, surgeons and specialists, Google’s powerful suite of collaborative services provide the answer. Previously known as GSuite, Google Workspace is a powerful solution for many companies.

From HIPAA compliant Gmail and Meet for effective communications across remote locations, to creating patient folders in My Drive, to setting Calendar appointments, Workspace provides the anywhere, real-time connections necessary to promote efficient outcomes. It really does make life easier – and with many hospitals desiring to go paperless, it can save a whole lot of trees!

But in a world where cybercriminals continue to find new ways of breaching protected health data, the question of whether you should be using Workspace – either in a clinical setting or remote location – should first be settled:

Is Google Workspace (formerly G Suite) really HIPAA compliant?

The good news is, yes, it can be. Google will certainly sign a Business Associates Agreement (BAA) with you – a legal agreement to handle your sensitive patient data in a HIPAA compliant manner – for their core Workspace services (called “included functionality”).

This includes Gmail, Calendar, Drive (with Docs, Sheets, Slides, Forms), Meet, Groups, and more. (See the HIPAA Implementation Guide for the complete list).

But what’s the basis for Google being able to provide this?

Foundationally, we know that HIPAA requires a secure infrastructure for hosting and handling your data. On that score, Google’s commitment to “best in class” infrastructure security is simply unmatched.

With ISO 27001 certification, SOC 2/ SOC 3 Type II audits, and HIPAA compliance – all supported by a team of over 500 world-class security experts – Google is truly cutting-edge.

All Google’s products – including Workspace – are launched with the most stringent security testing and end-user privacy controls in view.

But like all “HIPAA compliant tools,” true Workspace HIPAA compliance requires adherence to both the technical and the administrative aspects for security and high availability to be maintained.

In other words, how Workspace is configured for your company’s environment and used by your team are the dual tests of true compliance. (HIPAA Vault’s expertise can help you get up to speed on both issues).

So let’s look at the basics for configuring Workspace and using it in a HIPAA compliant manner:

How to Make Google Workspace HIPAA Complaint

There are a few ways you can achieve Google Workspace HIPAA compliance.

1.) IT Administrators Will Set User Groups and Access Controls for Devices

Google’s Admin console has the user controls needed to limit who in your organization will have access to electronically protected health information (ePHI).

As a rule, the principle of minimum, or least privilege, should govern these decisions, giving users access to only what is necessary for them to fulfill their functions. (Note: Admins will turn off non-core Google services for those users who handle ePHI).

Are there additional business associates (user groups) inside or out of your network that are considered HIPAA-covered entities? These too must be considered when applying the necessary controls for Workspace with ePHI.

2.) Institute Controls for all Devices with ePHI

Additionally, any devices (including mobile phones) that your staff and associates will use to access Workspace with ePHI must be governed by the appropriate security controls.

3.) Encrypt Your Data (GMail has Native Encryption, But it May not be End-to-End)

HIPAA regulations require sufficient end-to-end privacy protections for all messages, files, and folders with ePHI.

For this, encryption is the accepted standard. While Google uses Transport Layer Security (TLS) – an “encrypted tunnel” that protects normal Gmail in transit – it should be noted that TLS itself doesn’t guarantee true end-to-end security for ePHI.

This is because TLS depends on both the sender and recipient’s email provider having it. (Google’s red padlock icon will appear in the address bar to let you know when this is not the case for incoming and outgoing messages).

That said, configuring Workspace for reliable, end-to-end encryption for HIPAA will require HIPAA Vault’s expertise. 

(Note: “Gmail Confidential mode” is a recent feature that further enhances access management capabilities. This allows you to set expiration dates for messages, prevent forwarding and printing, and even revoke access where needed).

4.) Utilize Sharing Settings

Workspace’s controls for sharing protected data with only intended recipients/groups should be used.

For example, it is often necessary to insert a Google Drive link to ePHI into an email. When this is done, the Link sharing settings can be changed from the default (“Anyone with the link”) to “Private.”

Administrators also have the option to regularly inspect all emails for any PHI identifiers to ensure the appropriate policies on how that data is shared.

5.) Employee Training for HIPAA/Workspace is Key

As mentioned above, Google Workspace HIPAA compliance ultimately hinges on people. How your staff embraces and employs all the secure practices for Workspace, workstations, devices, and other tools – both inside and out of the workplace – is key.

This means that regular “refresher training” regarding ePHI must be incorporated into the life of your company.

For example, how to recognize and avoid new kinds of phishing emails – some that even use the Google logo to posit authenticity and tempt you to click on it – should be included in the training.

6.) Leverage Google’s Extensive Log-Monitoring Capabilities

Google’s admin console supports HIPAA by allowing logs to be kept of both authorized and unauthorized logins to those tools containing ePHI. Notifications and alerts can also be enabled, to inform admins of potential security risks.

Privacy and data integrity – the heart of HIPAA regulations – along with high availability, are also supported by records of administrator activities, data exposures, user collaborations, file activity, audits, and more.

HIPAA Vault Makes Google Workspace Compliance Easy

These are the basics to bear in mind when configuring Google Workspace for HIPAA. Be aware that technical support services for Google customers are not part of the HIPAA-included functionality.

With HIPAA Vault’s HIPAA Gmail and compliant Workspace, however, you’ll receive 24/7, dedicated technical support. You won’t pay extra for this, as it comes standard with all our solutions.

As an experienced Google Technology partner and HIPAA-cloud solutions specialist, HIPAA Vault is here for all your Workspace needs.

HIPAA Vault is a leading provider of HIPAA compliant solutions and a Certified Google Technology Partner, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, please visit our website at

Frequently Asked Questions

Is Google Workspace HIPAA Compliant?

Yes, Google Workspace is designed to meet the requirements of HIPAA. . However, organizations should consider additional steps and measures to ensure their data is adequately protected in accordance with the law. Organizations must also sign a Business Associate Agreement (BAA) with Google before any PHI is stored or transmitted in Google Workspace. Remember, Google Workspace was previously known as G Suite!

Is Google Drive HIPAA Compliant?

Yes, when used with the proper safeguards and technical measures, Google Drive is considered to be HIPAA compliant. Organizations must also sign a Business Associate Agreement (BAA) with Google before any PHI is stored or transmitted in Google Workspace.

Which Google Workspace Plan is HIPAA Compliant?

Any of the paid Google Workspace plans are HIPAA compliant. The free versions, such as Google’s Basic plan, do not meet the necessary requirements to become HIPAA certified. Organizations must carefully review the technical safeguards and standards outlined by the law and ensure that their chosen Google Workspace plan meets these requirements.

Does Google Workspace have HIPAA compliant email?

Yes. All plans have HIPAA compliant email, as long as the Business Associate Agreement (BAA) is signed with Google. The G Suite Enterprise and G Suite Enterprise for Education plans have additional features that help become and maintain compliance with HIPAA regulations. These features include advanced encryption services, data loss prevention systems, and audit logs to track user activity. 

What’s the cost of HIPAA-compliant Google Workspace?

The cost of using Google Workspace for HIPAA compliance depends on the plan you choose. The G Suite Business Starter plan is the most affordable option and starts at $6 per month per user, while the G Suite Enterprise plans range from $25 to $50 per month per user. All plans require a BAA with Google in order to be fully HIPAA compliant. 
Learn more about how HIPAAVault can help your practice or facility achieve and maintain HIPAA compliance with Google Workspace, Drive, and more.


Avatar photo

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate, subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on Linkedin.