Are Google Servers HIPAA Compliant?
By Gil Vidals, , HIPAA Blog

Innovative healthcare technology providers, including developers of telemedicine apps for virtual consults, rely on-site responsiveness and high data availability to facilitate patient care.

Before choosing the cloud, these important technology providers will often ask if Google servers can meet the tests for HIPAA compliance; in other words, will they ensure the confidentiality, integrity, and high data availability required by the HIPAA Security Rule.

Here’s what we tell them:

Trust Google’s World-Class Infrastructure Security 

Few cloud providers have been tested like Google, with a massive global infrastructure and billions of users accessing their various cloud services every day. Such expansive, on-demand infrastructure receives untold numbers of attack vectors every minute. This would surely overwhelm Google’s system unless sophisticated security automation was built-in. 

From an infrastructure perspective, Google’s “security by design” software, servers, internal machines, and secure data centers are all aimed at providing superior data protection with end-user privacy safeguards. Before and after each product launch, a privacy team oversees automated processes that audit data traffic. 

In addition to extensive inside security (over 550 world-class security specialists assess each attack), privacy, and compliance teams, outside experts are consulted to perform regular security assessments. This is a level of security that simply can’t be matched by most on-prem data centers and IT staff. 

BAA Provided

HIPAA data handlers who use, transmit, receive, or exchange electronically protected health information (ePHI) are required to sign a Business Associates Agreement (BAA). This is a HIPAA-mandated, legal contract to confirm that patient data will be kept confidential while in storage on all servers, as well as in transit. As a trusted HIPAA partner, Google provides HIPAA Vault a Business Associate agreement, so you’re covered.

Encryption by Default

Sensitive medical data needs strong data privacy protections, as required by HIPAA. Encryption protects your data by replacing it with ciphertext, making it unreadable until decrypted. Cybercriminals seek to exploit sensitive data to their advantage, bypassing these encryption protections by attempting to access keys or crack encryption algorithms. 

The Google Cloud Platform (GCP) uses a NIST standard, FIPS 140-2 validated encryption module by default, which ensures the encryption of data “in transit” (meaning, outside Google’s physical boundaries to you, the customer, and the wide-area network (WAN) between data centers), and also “at rest” on their servers. A cloud-hosted key management service (KMS) also allows you to manage cryptographic keys in the same way as you would for a typical on-premises environment. 

Identity and Access Controls 

A HIPAA-compliant server will be governed by admin controls that authenticate user-access. Once a determination is made regarding the appropriate access and permissions for your team, admins can set these unique user IDs (kept private by each user) through Google’s Identity and Access Management Console.

Two-factor authentication, or 2-step verification, is another tool provided by Google that administrators can use to add an additional security layer for accessing a server. This means that in addition to the standard username/password combination, a unique verification code is generated and sent to users each time they seek to log in to their server.


High availability for your HIPAA data requires high redundancy. With Google’s “redundancy of everything” approach, your data is systematically replicated multiple times across active servers and distributed geographically. 

Service continuity is ensured by a highly redundant system, one where the failure of a single server, data center, network connection, or even a maintenance window will not result in downtime or loss of data. In other words, your data is always available within a secondary system, should one system fail. Distributed, compliant data centers with redundant security, power, and environmental controls minimize the impact of a natural disaster or a local power outage, so your sensitive data will remain available.  

Access (Audit) Logs

HIPAA requires that detailed audit logs be kept, recording who has accessed ePHI on your server(s) and why they’ve accessed it – both failed and successful log-in attempts. This system and network access information, including any security event or malicious software, attempted breach, or even attempts to delete or modify the logs themselves, must be kept for a minimum of six years. 

Google will keep all admin activity, data access, and system event logs for varying lengths of time, which can then be exported so you can retain them for as long as needed. 


Clearly, Google Cloud servers meet the test for HIPAA compliance. How the end-user manages the controls and HIPAA policies becomes the real issue. HIPAA Vault’s expertise with GCP can help you navigate these essential HIPAA server requirements, allowing for a significant cost-savings and greater peace of mind knowing your critical patient data is in good hands.   

Our advanced automation, detection, and mitigation capabilities, and proven ability to configure your environment and servers for HIPAA compliance, helps ensure that your critical data is well protected.  

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition, HIPAA Vault provides secure email and file sharing solutions to improve patient communications, and participates in SBA 8(a), HUBZone, GSA, and DBE programs. For more information, please visit our website at