Is Google Workspace HIPAA Compliant?

by James Keogh

Google Workspace is HIPAA compliant only for services with “included functionality” when a HIPAA Covered Entity or Business Associate uses a qualifying Google Workspace plan, configures the services to comply with the HIPAA Security Rule, and agrees to Google’s Business Associate Addendum before any Google Workspace service is used to create, receive, maintain, or transmit Protected Health Information.

Google Workspace, previously known as G Suite, is a set of productivity and communication services used to email, store files, collaborate on documents, and conduct meetings. HIPAA compliance depends on whether the services used with Protected Health Information provide controls that support the confidentiality, integrity, and availability standards for electronic Protected Health Information and whether the customer configures those controls to meet the applicable implementation specifications.

Personal free editions and “solopreneur” editions are outside the plan categories used for regulated handling of Protected Health Information. Business and Enterprise plans include the same core services but provide different levels of functionality and administrative controls. A risk assessment informs plan selection, including the need for endpoint management on mobile devices and centralized security monitoring.


Only services covered by the Business Associate Addendum and identified as having included functionality may be used with Protected Health Information. Covered services with included functionality include Gmail, Google Drive, Google Calendar, Google Meet, Google Chat, and core document and productivity applications within Google Workspace. Non-core services not covered by the Google Workspace Service Agreement, such as consumer services, should be disabled to prevent use with Protected Health Information.

Google recommends restricting access to core services without included functionality, including Google Contacts. Because restricting Google Contacts can affect other covered services, an alternative control is a written policy that prohibits storing Protected Health Information in Google Contacts, combined with monitoring of adherence through Security Center oversight and investigation. Names and contact details maintained separately from health information are not Protected Health Information.

Agreement to the Business Associate Addendum is necessary before handling Protected Health Information in any covered service. The Terms of Service Agreement assigns customer obligations that include preventing and terminating unauthorized use and notifying Google of unauthorized use of, or access to, a Google Workspace account, including compromised passwords. Account suspension and content removal can create availability risks if Protected Health Information is stored only in the affected account.

Workforce training and access governance should address permissible disclosures, the HIPAA Minimum Necessary Rule, identity verification for unknown correspondents requesting information, and reporting phishing, malware, and other security events. Administrative controls and sanctions should address attempts to move Protected Health Information into or out of services that are not covered by the agreement.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter at https://x.com/JamesKeoghHIPAA, contact him on LinkedIn at https://www.linkedin.com/in/james-keogh-89023681, or email him directly at [email protected].