Step-by-Step: Establishing a BAA with Google for HIPAA

Summary:

Think signing a BAA with Google is the final step in your HIPAA journey? Think again. While Google Workspace offers the infrastructure for compliance, the responsibility of configuration lies with you. From navigating the 2026 Gemini AI updates to aligning with new 42 CFR Part 2 requirements, our step-by-step guide walks you through exactly how to establish a BAA and—more importantly—what steps you must take next to remain protected.

Summary:

To use Google Workspace with Protected Health Information (PHI), you must enter into a Business Associate Agreement (BAA) with Google. As of 2026, this process is handled digitally within the Google Admin Console. However, a signed BAA is only the first step; you must also configure “Included Functionality” to meet the latest HIPAA and 42 CFR Part 2 requirements. This guide covers how to secure your BAA and the critical configuration steps.

For organizations regulated by HIPAA in 2026, Google Workspace remains a top choice for collaboration. But, there is a persistent myth that simply paying for a Workspace subscription makes you HIPAA compliant.

The truth? Google acts as a “Business Associate” the moment you store PHI on their servers. Under HIPAA, any vendor that touches your ePHI must sign a Business Associate Agreement (BAA). Without this document, using Gmail, Drive, or Gemini for PHI is an automatic violation, regardless of your encryption settings.

Step 1: Verify Your Account Eligibility

Google does not sign BAAs for free “@gmail.com” accounts. You must have a paid Google Workspace subscription. While all tiers support the BAA, we recommend the Enterprise level for HIPAA compliance. Enterprise-level tiers include advanced audit logging, Data Loss Prevention (DLP) tools, and more, now required to satisfy the OCR’s modernized Security Rule standards.

Step 2: How to Sign the BAA

  1. Log in to your Google Admin Console as a Super Administrator.
  2. From the left-hand menu, navigate to Account > Account Settings
  3. Click on the Legal and Compliance section.
  4. Scroll to Security and Privacy Additional Terms. 
  5. Look for the Google Workspace HIPAA Business Associate Amendment.
  6. Click Review and Accept. You will be asked to confirm whether you are a Covered Entity or a Business Associate.
  7. Click “I Accept” after reviewing the agreement.

You do not need to mail a physical copy. Google’s electronic acceptance is legally binding.

Step 3: What’s New in 2026?

Google Gemini 3 (AI) and PHI

As of 2026, Google’s IR, Gemini 3, has been fully integrated into Workspace. While Gemini is now part of the “Included Functionality” under the BAA for Enterprise users, it is only compliant if used within your managed Workspace account. Using the consumer version of Gemini (or any AI not covered by your BAA) with any PHI is a major breach risk, and a violation of HIPAA.

42 CFR Part 2 Alignment

The February 2026 deadline for 42 CFR Part 2 (Substance Use Disorder records) alignment with HIPAA is now in effect. If your organization handles SUD records, your Google Workspace configuration must now account for stricter redisclosure rules. Simply signing the BAA isn’t enough, your Risk Assessment, and Policies and Procedures must reflect these specific data silos.

Step 4: The BAA is Not Enough

Signing the BAA is like buying a safe; it only works if you lock the door. To stay compliant, you must:

  • Disable Non-Covered Services: Only “Included Functionality” (Gmail, Drive, Meet, etc.) is covered. Tools like YouTube, Blogger or Google Photos are generally not covered and should be disabled for users handling PHI (review the Included Functionality terms for a complete list of covered services).
  • Manage Third-Party Add-ons: Google’s BAA does not cover third-party apps from the Workspace Marketplace. If you use a CRM, encryption, or other plug-in, you need a separate BAA with that vendor.
  • Configure PHI Data Retention and Disposal Policies: While Google Workspace supports data retention and disposal (e.g., Google Vault), the organization must configure specific data retention and disposal policies for PHI, as required by the HIPAA Security Rule.
  • Configure Sharing Permissions: Update your settings to prevent “Public Link Sharing.” PHI should only be shared with specific, authenticated email addresses.
  • Implement Mandatory HIPAA Training: All staff who create, receive, maintain, or transmit PHI must receive regular, mandatory training on the organization’s policies and the proper use of HIPAA-compliant Workspace services.

Learn more about What You Need to do to be HIPAA Compliant After Signing a BAA.

Total HIPAA: Your Partner in a Digital World

The BAA is a legal contract, and Google’s “Implementation Guide” is a technical manual that many find overwhelming. One misconfigured setting can lead to a costly “Right of Access” violation or a data breach.

At Total HIPAA, we take the guesswork out of the cloud. Through our HIPAA Prime ™ program, we provide:

  • Compliance Training: Ensure your staff knows exactly how to implement HIPAA compliance for your organization.
  • Online Risk Assessment: A dynamic tool to identify gaps in your organization’s alignment with HIPAA.
  • Unlimited Audit and Breach Support: If a breach or audit happens, we’re there to help you through the process.

Don’t leave your compliance to chance. Book a Clarity Call today to speak with an expert about your compliance plan.

 

 

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

HHS’ Office for Civil Rights Settles Ransomware Investigation with Health Plan

HHS’ Office for Civil Rights Settles Ransomware Investigation with Health Plan

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $450,000 settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans. Triggered by a 2021 ransomware attack that compromised the electronic Protected Health Information (ePHI) of over 10,000 individuals, the investigation revealed systemic failures to conduct accurate risk analyses and implement proper policies and procedures. This case serves as a massive wake-up call. HIPAA compliance extends far beyond traditional healthcare settings; it applies to any organization managing employer-sponsored group health plans, including self-funded and self-insured arrangements.

Why do we need to test our Disaster Recovery Plan every year?

Why do we need to test our Disaster Recovery Plan every year?

Even if your internal software and servers remain perfectly static, the infrastructure, vendor updates, and cyber threats around them are constantly shifting. Waiting 2 or 3 years to test your backup systems leaves you vulnerable. This post breaks down the four external factors that degrade an untested playbook, explores HIPAA compliance mandates under NIST SP 800-66, and provides a granular, step-by-step example of what a compliant disaster recovery blueprint actually looks like.

How to Maintain HIPAA Compliance in Public Cloud Environments

How to Maintain HIPAA Compliance in Public Cloud Environments

Storing ePHI in the public cloud offers scalability but requires a strict “Shared Responsibility” approach. To remain HIPAA compliant, organizations must go beyond basic Business Associate Agreements (BAAs). The implementation of AES-256 encryption, multi-factor authentication (MFA), and microsegmentation are now required. This guide outlines the essential steps to securing your cloud infrastructure while meeting the latest HHS and OCR standards.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)