BAA Generator
HomeResourcesDoes Google Workspace Sign a HIPAA BAA?
Vendor BAA Guide

Does Google Workspace Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial  ·  Published Apr 19, 2026  ·  Last reviewed Apr 19, 2026  ·  5 min read

Key Takeaways

Direct answer: Yes — Google Workspace signs a HIPAA Business Associate Agreement on all paid plans (Business Starter, Standard, Plus, and Enterprise). Acceptance is self-service through the Google Admin console. The free consumer Gmail product is not covered and may not be used to store or transmit PHI.

Google Workspace is used by millions of healthcare organizations for email, scheduling, file storage, and video conferencing. For any covered entity using Google Workspace to handle protected health information, a HIPAA Business Associate Agreement with Google is mandatory. Here's everything you need to know.

Which Plans Include the HIPAA BAA?

Google's HIPAA BAA is available on all paid Google Workspace plans:

Not covered: Free consumer Gmail accounts (@gmail.com), Google Workspace Individual, and free legacy G Suite accounts. If your organization is still using free Google accounts, you cannot legally use them for PHI under HIPAA.

Which Google Services Are Covered Under the BAA?

Google's BAA applies to a specific subset of Workspace services when configured in a HIPAA-compliant manner. As of 2026, covered services include:

Covered ServiceNotes
GmailMust enable S/MIME encryption for PHI emails
Google DriveIncludes Docs, Sheets, Slides, and Forms
Google MeetVideo conferencing for telehealth is covered
Google CalendarCovered, but avoid including PHI in calendar event titles visible to others
Google ChatCovered when used within the organization's Workspace domain
Google VaultCovered for archiving and eDiscovery of PHI
Google KeepCovered on paid Workspace plans
Google SitesCovered
Google Search (consumer)NOT covered
Google Maps / Google AdsNOT covered
YouTubeNOT covered

Always check Google's current HIPAA implementation guide for the latest list of in-scope services, as Google updates it periodically.

How to Accept Google's HIPAA BAA

Unlike many vendors, Google does not require paper signing or a sales call to execute a BAA. The process is entirely self-service for Workspace administrators:

  1. Log into the Google Admin console (admin.google.com)
  2. Navigate to Account > Account settings
  3. Click Legal
  4. Locate HIPAA Business Associate Amendment
  5. Review and accept the agreement

Acceptance through the Admin console is legally binding. Google does not send a countersigned document, but you can screenshot the acceptance confirmation for your records.

What Google's BAA Covers — and What It Doesn't

Google's BAA establishes Google as a business associate for the covered services listed above. It covers:

What it does not cover:

After Accepting the Google BAA — What Else You Need

Signing Google's BAA is one piece of your compliance picture. You still need:

Google's BAA covers Google's obligations. Your organization still needs its own BAA documents with all other business associates.

Key Takeaways

Need your side of the BAA?

Google provides their BAA — but you still need to execute BAAs with all your other vendors. Generate one in minutes.

Generate BAA for Free →