HIPAA Compliance with Google Workspace and Cloud Identity

Ensuring that our customers' data is safe, secure and always available to them is one of our top priorities. For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), we offer certain Google Workspace and Cloud Identity services to support HIPAA compliance.

Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Workspace and Cloud Identity customers who are subject to HIPAA and wish to use certain Google Workspace or Cloud Identity services listed on the HIPAA Included Functionality list must enter a Business Associate Amendment (BAA) with Google.

Google Workspace and Cloud Identity customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use PHI in Google services. Customers who have not signed a BAA with Google must not use PHI in Google Workspace or Cloud Identity services.

Administrators must review and accept a BAA before using PHI in Google services. To review the Google Workspace products that can be used for HIPAA compliance, go to HIPAA Included Functionality.

We published the Google Workspace and Cloud Identity HIPAA Implementation Guide to help customers understand how to organize data on Google services when handling PHI. This guide is intended for employees in organizations who are responsible for HIPAA implementation and compliance with Google Workspace and Cloud Identity.

Frequently asked questions

How can I receive a copy of my electronically accepted HIPAA BAA?

The HIPAA BAA is made available to customers for electronic acceptance via their Admin console. Such an electronic agreement is as binding as a paper-based agreement—i.e., it has the same legal effect. To demonstrate electronic acceptance, the customer can produce a screenshot of the HIPAA acceptance shown in the Legal and compliance section of their Admin console. From a super administrator account, go to the Admin console Home page, and then go to Account settings and then Legal and compliance.

Are Gmail smart features covered in HIPAA compliance?

The help me write, contextual smart replies, and side-panel features are covered as part of Google Workspace with Gemini in HIPAA Included Functionality. For details on smart features, go to Collaborate with Gemini in Gmail.

Are third-party applications covered under the Google Workspace BAA?

Third-party applications, including add-ons, are not included in the Included Functionality covered by the BAA. Consider checking our Google Workspace and Cloud Identity HIPAA Implementation Guide for further information.

How should I send documents to an external domain in a manner that supports my HIPAA compliance?

When sharing PHI in or outside the Google Workspace domain, customers should follow their organizational policies on handling PHI. Customers can choose a sharing method, in or outside of Google Workspace, that complies with those policies and is consistent with the domain-wide settings of Google Workspace. The Google Workspace and Cloud Identity HIPAA Implementation Guide provides guidance on limiting access to PHI within a Google Workspace domain, such as sharing with specific recipients as opposed to anybody with the link.

Does Google have any plans to add Google products that are not currently covered in the HIPAA Included Functionality?

Google continues to evaluate the scope of the Included Functionality and may include additional products in the future. Please note, neither the Cloud Data Processing Addendum (CDPA) nor the Google Workspace BAA terms extend to Additional Google Services. Google continues to evaluate methods to provide additional controls related to Additional Google Services and may introduce those as part of the functionality of the Services at any time.
