Does Google Workspace Sign a HIPAA Business Associate Agreement?
By BAA Generator Research Team · Published Apr 19, 2026 · Last reviewed Apr 28, 2026 · 4 min read
Key Takeaways
- ✓ Yes — Google Workspace signs a HIPAA BAA on all paid plans
- ✓ Free consumer Gmail accounts are not covered and cannot be used for PHI
- ✓ Acceptance is self-service through the Google Admin console — no paperwork required
- ✓ Covered services include Gmail, Drive, Meet, Calendar, Chat, Docs, Sheets, and more
- ✓ You still need your own BAA with any vendor you share Google-stored PHI with
Google Workspace is used by millions of healthcare organizations for email, scheduling, file storage, and video conferencing. For any covered entity using Google Workspace to handle protected health information, a HIPAA Business Associate Agreement with Google is mandatory. Here's everything you need to know.
Which Plans Include the HIPAA BAA?
Google's HIPAA BAA is available on all paid Google Workspace plans:
- Google Workspace Business Starter
- Google Workspace Business Standard
- Google Workspace Business Plus
- Google Workspace Enterprise (all tiers)
- Google Workspace for Nonprofits (paid editions)
Not covered: Free consumer Gmail accounts (@gmail.com), Google Workspace Individual, and free legacy G Suite accounts. If your organization is still using free Google accounts, you cannot legally use them for PHI under HIPAA.
Google Workspace HIPAA-Covered Services (2026)
Google's BAA applies to a specific subset of Workspace services when configured in a HIPAA-compliant manner. As of 2026, covered services include:
| Covered Service | Notes |
|---|---|
| Gmail | Must enable S/MIME encryption for PHI emails |
| Google Drive | Includes Docs, Sheets, Slides, and Forms |
| Google Meet | Video conferencing for telehealth is covered |
| Google Calendar | Covered, but avoid including PHI in calendar event titles visible to others |
| Google Chat | Covered when used within the organization's Workspace domain |
| Google Vault | Covered for archiving and eDiscovery of PHI |
| Google Keep | Covered on paid Workspace plans |
| Google Sites | Covered |
| Google Search (consumer) | NOT covered |
| Google Maps / Google Ads | NOT covered |
| YouTube | NOT covered |
Always check Google's current HIPAA implementation guide for the latest list of in-scope services, as Google updates it periodically.
Reviewing & Accepting the Google Workspace BAA
Unlike many vendors, Google does not require paper signing or a sales call to execute a BAA. The process is entirely self-service for Workspace administrators:
- Log into the Google Admin console (admin.google.com)
- Navigate to Account > Account settings
- Click Legal
- Locate HIPAA Business Associate Amendment
- Review and accept the agreement
Acceptance through the Admin console is legally binding. Google does not send a countersigned document, but you can screenshot the acceptance confirmation for your records.
What Google's BAA Covers: and What It Doesn't
Google's BAA establishes Google as a business associate for the covered services listed above. It covers:
- Google's obligations to safeguard PHI stored in Workspace
- Breach notification obligations to your organization
- Return or deletion of PHI at the end of your account
- Subprocessor requirements for Google's own infrastructure
What it does not cover:
- Your employees' personal Gmail accounts (even if used for work)
- Third-party apps installed through the Google Workspace Marketplace — each requires its own BAA
- Any Google service not explicitly listed as in-scope in the BAA
- Your own obligations as a covered entity — Google's BAA governs Google, not your practice
After Accepting the Google BAA: What Else You Need
Signing Google's BAA is one piece of your compliance picture. You still need:
- BAAs with any other vendors you share PHI with — your EHR, billing company, IT support provider, etc.
- A BAA for each third-party Workspace integration that handles PHI (Calendly, Zapier, Slack, etc.)
- Your own internal policies governing how staff use Google Workspace with PHI (encryption requirements, access controls, training)
Google's BAA covers Google's obligations. Your organization still needs its own BAA documents with all other business associates.
Key Takeaways
- Google Workspace signs a HIPAA BAA on all paid plans — accept it through the Admin console
- Free consumer Gmail is not covered and cannot be used for PHI
- Third-party apps integrated with Workspace each require their own separate BAA
- Signing Google's BAA does not replace your need to execute BAAs with other vendors
More vendor BAA guides
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview
Related: Cloud platforms