Does Google Workspace sign a HIPAA BAA?

Yes. Google offers a HIPAA Business Associate Agreement for Google Workspace on all paid plans (Business Starter, Business Standard, Business Plus, Enterprise). The free consumer Gmail service is not covered by Google's BAA and cannot be used for PHI.

Which Google Workspace services are covered by the HIPAA BAA?

Google's BAA covers Gmail, Google Drive, Google Docs, Sheets, Slides, Google Meet, Google Calendar, Google Chat, Google Forms, Google Sites, Google Keep, and Google Vault when configured correctly. Google Search, Google Maps, Google Ads, and most consumer Google products are not covered.

How do I get a HIPAA BAA from Google Workspace?

Google's BAA is self-service for Google Workspace paid plans. As the administrator, log into the Google Admin console, navigate to Account > Account settings > Legal > HIPAA Business Associate Amendment, and accept the agreement. Google does not require manual contract execution — acceptance through the Admin console is binding.

Vendor BAA Guide

Does Google Workspace Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read

Key Takeaways

✓ Yes — Google Workspace signs a HIPAA BAA on all paid plans
✓ Free consumer Gmail accounts are not covered and cannot be used for PHI
✓ Acceptance is self-service through the Google Admin console — no paperwork required
✓ Covered services include Gmail, Drive, Meet, Calendar, Chat, Docs, Sheets, and more
✓ You still need your own BAA with any vendor you share Google-stored PHI with

Direct answer: Yes — Google Workspace signs a HIPAA Business Associate Agreement on all paid plans (Business Starter, Standard, Plus, and Enterprise). Acceptance is self-service through the Google Admin console. The free consumer Gmail product is not covered and may not be used to store or transmit PHI.

Google Workspace is used by millions of healthcare organizations for email, scheduling, file storage, and video conferencing. For any covered entity using Google Workspace to handle protected health information, a HIPAA Business Associate Agreement with Google is mandatory. Here's everything you need to know.

Which Plans Include the HIPAA BAA?

Google's HIPAA BAA is available on all paid Google Workspace plans:

Google Workspace Business Starter
Google Workspace Business Standard
Google Workspace Business Plus
Google Workspace Enterprise (all tiers)
Google Workspace for Nonprofits (paid editions)

Not covered: Free consumer Gmail accounts (@gmail.com), Google Workspace Individual, and free legacy G Suite accounts. If your organization is still using free Google accounts, you cannot legally use them for PHI under HIPAA.

Which Google Services Are Covered Under the BAA?

Google's BAA applies to a specific subset of Workspace services when configured in a HIPAA-compliant manner. As of 2026, covered services include:

Covered Service	Notes
Gmail	Must enable S/MIME encryption for PHI emails
Google Drive	Includes Docs, Sheets, Slides, and Forms
Google Meet	Video conferencing for telehealth is covered
Google Calendar	Covered, but avoid including PHI in calendar event titles visible to others
Google Chat	Covered when used within the organization's Workspace domain
Google Vault	Covered for archiving and eDiscovery of PHI
Google Keep	Covered on paid Workspace plans
Google Sites	Covered
Google Search (consumer)	NOT covered
Google Maps / Google Ads	NOT covered
YouTube	NOT covered

Always check Google's current HIPAA implementation guide for the latest list of in-scope services, as Google updates it periodically.

How to Accept Google's HIPAA BAA

Unlike many vendors, Google does not require paper signing or a sales call to execute a BAA. The process is entirely self-service for Workspace administrators:

Log into the Google Admin console (admin.google.com)
Navigate to Account > Account settings
Click Legal
Locate HIPAA Business Associate Amendment
Review and accept the agreement

Acceptance through the Admin console is legally binding. Google does not send a countersigned document, but you can screenshot the acceptance confirmation for your records.

What Google's BAA Covers — and What It Doesn't

Google's BAA establishes Google as a business associate for the covered services listed above. It covers:

Google's obligations to safeguard PHI stored in Workspace
Breach notification obligations to your organization
Return or deletion of PHI at the end of your account
Subprocessor requirements for Google's own infrastructure

What it does not cover:

Your employees' personal Gmail accounts (even if used for work)
Third-party apps installed through the Google Workspace Marketplace — each requires its own BAA
Any Google service not explicitly listed as in-scope in the BAA
Your own obligations as a covered entity — Google's BAA governs Google, not your practice

After Accepting the Google BAA — What Else You Need

Signing Google's BAA is one piece of your compliance picture. You still need:

BAAs with any other vendors you share PHI with — your EHR, billing company, IT support provider, etc.
A BAA for each third-party Workspace integration that handles PHI (Calendly, Zapier, Slack, etc.)
Your own internal policies governing how staff use Google Workspace with PHI (encryption requirements, access controls, training)

Google's BAA covers Google's obligations. Your organization still needs its own BAA documents with all other business associates.

Key Takeaways

Google Workspace signs a HIPAA BAA on all paid plans — accept it through the Admin console
Free consumer Gmail is not covered and cannot be used for PHI
Third-party apps integrated with Workspace each require their own separate BAA
Signing Google's BAA does not replace your need to execute BAAs with other vendors

Need your side of the BAA?

Google provides their BAA — but you still need to execute BAAs with all your other vendors. Generate one in minutes.

Generate BAA for Free →