Google Forms is HIPAA compliant only when it is used through an appropriate Google Workspace or Cloud Identity package, Google’s Business Associate Addendum is signed, the service is configured to meet the HIPAA Security Rule technical safeguard requirements, and workforce members are trained to use Google Forms in a compliant manner. Google Forms does not support HIPAA compliance by default because it is part of Google Drive and the capabilities needed to support the HIPAA Security Rule technical safeguards are not available unless Google Forms is included within a qualifying Google Workspace or Cloud Identity package.
Google Forms may be used by HIPAA Covered Entities and Business Associates outside of a Google Workspace or Cloud Identity account when Protected Health Information is not collected, stored, or shared through the service. In that scenario, HIPAA compliance status for the tool is not a gating factor because the service is not being used to create, receive, maintain, or transmit Protected Health Information. The compliance analysis changes when Google Forms is used to collect, store, or share Protected Health Information, or when form responses are exported into other services for storage, collaboration, or analysis.
When Google Forms is used in connection with Protected Health Information, the organization needs an appropriate subscription package that includes the capabilities required to support the HIPAA Security Rule technical safeguards. Not all Google Workspace packages are appropriate for sharing Protected Health Information because some packages lack security measures such as access control management and audit logs. Organizations selecting a package also need to evaluate whether additional security controls are available for the services used alongside Google Forms. Data Loss Prevention controls that prevent sensitive data from being shared with external guests are only included in the Google Workspace Enterprise package.
A signed Business Associate Addendum is required before using Google Forms with Protected Health Information because Google offers its contractual assurances for its Core Services through that addendum rather than through individual business associate agreements. Google Forms is treated as part of Google Drive for purposes of Core Services coverage. The addendum is reviewed and signed electronically by a user with administrator privileges. The organization also needs to read and understand the customer obligations in the addendum because a violation of those obligations can invalidate the addendum.
After obtaining the appropriate subscription and signing the Business Associate Addendum, administrators need to configure Google Forms and related settings to align with required safeguards. File sharing permissions need to be set to prevent forms containing Protected Health Information from being shared with external domains. Default file visibility needs to be set to Private to the Owner. Organizations can also restrict form sharing between individual drives or Shared Drives when that aligns with internal access policies. Additional controls may include administrator notifications for unusual activity and Data Loss Prevention policies that define what types of sensitive data can be shared and with whom. Any services integrated with Google Forms also need to support HIPAA compliance when they create, receive, maintain, or transmit Protected Health Information, including Google Sheets when used to store form responses.
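One way to verify that the sharing settings described above are actually in effect is to periodically audit the permission metadata on forms and their response spreadsheets. The following script is an added example and is not part of the original article, nor Google's own tooling. It assumes the file records were already retrieved with the Google Drive API v3 `files.list` call using the fields `files(id,name,mimeType,permissions)`, and it only implements the offline check over those records; the sample records below are constructed for illustration.

```python
"""Audit Drive sharing metadata for forms and response sheets shared outside the org.

Added example, not from the original article or from Google. Assumes the
records were fetched beforehand with Google Drive API v3
(files.list, fields="files(id,name,mimeType,permissions)"). The permission
shape (type, emailAddress, domain, role) follows the Drive API v3 Permission
resource; the sample data at the bottom is constructed.
"""

# MIME types the Drive API assigns to Google Forms and Google Sheets.
FORM_MIME = "application/vnd.google-apps.form"
SHEET_MIME = "application/vnd.google-apps.spreadsheet"


def permission_is_external(perm: dict, internal_domain: str) -> bool:
    """Return True when a Drive permission grants access outside internal_domain."""
    internal_domain = internal_domain.lower()
    ptype = perm.get("type")
    if ptype == "anyone":
        # Link sharing: anyone with the link (or anyone on the web).
        return True
    if ptype == "domain":
        return perm.get("domain", "").lower() != internal_domain
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return not email.endswith("@" + internal_domain)
    # Unknown permission type: treat as a finding so it is reviewed.
    return True


def audit_files(files, internal_domain, mime_types=(FORM_MIME, SHEET_MIME)):
    """Return one finding per non-owner permission that reaches outside the org.

    Only forms and spreadsheets are inspected by default, since those are the
    Drive objects that hold form definitions and exported responses.
    """
    findings = []
    for f in files:
        if f.get("mimeType") not in mime_types:
            continue
        for perm in f.get("permissions", []):
            if perm.get("role") == "owner":
                continue  # the owner is always internal for org-owned files
            if permission_is_external(perm, internal_domain):
                findings.append({
                    "id": f["id"],
                    "name": f.get("name", ""),
                    "grantee_type": perm.get("type"),
                    "grantee": perm.get("emailAddress") or perm.get("domain") or "anyone",
                    "role": perm.get("role"),
                })
    return findings


# Constructed sample records in the shape returned by files.list.
SAMPLE_FILES = [
    {"id": "f1", "name": "Patient intake form", "mimeType": FORM_MIME,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "intake@clinic.example"},
         {"type": "user", "role": "writer", "emailAddress": "nurse@clinic.example"},
     ]},
    {"id": "f2", "name": "Follow-up survey", "mimeType": FORM_MIME,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "intake@clinic.example"},
         {"type": "anyone", "role": "reader"},
     ]},
    {"id": "s1", "name": "Follow-up survey (Responses)", "mimeType": SHEET_MIME,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "intake@clinic.example"},
         {"type": "user", "role": "reader", "emailAddress": "analyst@contractor.example"},
     ]},
    {"id": "d1", "name": "Office memo", "mimeType": "application/vnd.google-apps.document",
     "permissions": [{"type": "anyone", "role": "reader"}]},
]


def sample_findings():
    """Run the audit over the constructed sample for domain clinic.example."""
    return audit_files(SAMPLE_FILES, "clinic.example")


if __name__ == "__main__":
    for finding in sample_findings():
        print(f"{finding['id']} '{finding['name']}': {finding['role']} for "
              f"{finding['grantee_type']} {finding['grantee']}")
```

Running this against the sample reports two findings: the form shared by link with "anyone", and the response spreadsheet shared with a user outside clinic.example. The internally shared form and the non-form document produce nothing. In a real deployment the same check would run over every file returned by `files.list`, and each finding would be reviewed against the organization's sharing policy rather than removed automatically.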
Workforce training is required to support compliant use after technical controls are implemented. Training needs to address the operational limits created by access controls, sharing settings, and collaboration permissions. Training also needs to address phishing risk and user behaviors that can create exposure through mislabeling or oversharing, including placing Protected Health Information in titles of forms or folders.
