HIPAA Compliance with Google Workspace and Cloud Identity
Ensuring that our customers' data is safe, secure and always available to them is one of our top priorities. For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), Google Workspace and Cloud Identity can support HIPAA compliance.
Under HIPAA, certain information about a person's health or health care services is classified as Protected Health Information (PHI). Google Workspace and Cloud Identity customers who are subject to HIPAA and wish to use Google Workspace or Cloud Identity with PHI must sign a Business Associate Agreement (BAA) with Google.
Google Workspace and Cloud Identity customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not signed a BAA with Google must not use Google services in connection with PHI.
We have published our Google Workspace and Cloud Identity HIPAA Implementation Guide to help customers understand how to organize data on Google services when handling PHI. This guide is intended for employees in organizations who are responsible for HIPAA implementation and compliance with Workspace and Cloud Identity.
Frequently asked questionsHow can I receive a copy of my electronically accepted HIPAA BAA?
The HIPAA BAA is made available to customers for electronic acceptance via their Admin console. Such an electronic agreement is as binding as a paper-based agreement—i.e., it has the same legal effect. For the purposes of demonstrating electronic acceptance, the customer can produce a screenshot of their Admin Console/HIPAA acceptance log that gets shown in the Legal & Compliance section. This event is also reflected in the Admin Audit log.
Third-party applications including add-ons are not included in the Included Functionality covered by the BAA. Consider checking our HIPAA Implementation Guide for further information.
When sharing PHI in or outside the Google Workspace domain, customers should follow their organizational policies on handling PHI. Customers can choose the corresponding sharing method in or outside of Google Workspace to comply with those policies and consistent with the domain-wide settings of Google Workspace. The HIPAA Implementation Guide provides guidance on limiting access to PHI within a Google Workspace domain, such as sharing with specific recipients as opposed to anybody with the link.
Google continues to evaluate the scope of the Included Functionality and may include additional products in the future. Please note, neither the Google Workspace DPA nor the Google Workspace BAA terms extend to Additional Google Services. Google continues to evaluate methods to provide additional controls related to Additional Google Services and may introduce those as part of the functionality of the Services at any time.