Summary:
To use Google Workspace with Protected Health Information (PHI), you must enter into a Business Associate Agreement (BAA) with Google. As of 2026, this process is handled digitally within the Google Admin Console. However, a signed BAA is only the first step; you must also configure “Included Functionality” to meet the latest HIPAA and 42 CFR Part 2 requirements. This guide covers how to secure your BAA and the critical configuration steps.
For organizations regulated by HIPAA in 2026, Google Workspace remains a top choice for collaboration. But, there is a persistent myth that simply paying for a Workspace subscription makes you HIPAA compliant.
The truth? Google acts as a “Business Associate” the moment you store PHI on their servers. Under HIPAA, any vendor that touches your ePHI must sign a Business Associate Agreement (BAA). Without this document, using Gmail, Drive, or Gemini for PHI is an automatic violation, regardless of your encryption settings.
Step 1: Verify Your Account Eligibility
Google does not sign BAAs for free “@gmail.com” accounts. You must have a paid Google Workspace subscription. While all tiers support the BAA, we recommend the Enterprise level for HIPAA compliance. Enterprise-level tiers include advanced audit logging, Data Loss Prevention (DLP) tools, and other controls that are now needed to satisfy the OCR’s modernized Security Rule standards.
Step 2: How to Sign the BAA
- Log in to your Google Admin Console as a Super Administrator.
- From the left-hand menu, navigate to Account > Account Settings.
- Click on the Legal and Compliance section.
- Scroll to Security and Privacy Additional Terms.
- Look for the Google Workspace HIPAA Business Associate Amendment.
- Click Review and Accept. You will be asked to confirm whether you are a Covered Entity or a Business Associate.
- Click “I Accept” after reviewing the agreement.
You do not need to mail a physical copy. Google’s electronic acceptance is legally binding.
Step 3: What’s New in 2026?
Google Gemini 3 (AI) and PHI
As of 2026, Google’s AI, Gemini 3, has been fully integrated into Workspace. While Gemini is now part of the “Included Functionality” under the BAA for Enterprise users, it is only compliant if used within your managed Workspace account. Using the consumer version of Gemini (or any AI not covered by your BAA) with any PHI is a major breach risk and a violation of HIPAA.
42 CFR Part 2 Alignment
The February 2026 deadline for 42 CFR Part 2 (Substance Use Disorder records) alignment with HIPAA is now in effect. If your organization handles SUD records, your Google Workspace configuration must now account for stricter redisclosure rules. Simply signing the BAA isn’t enough; your Risk Assessment and your Policies and Procedures must reflect these specific data silos.
Step 4: The BAA is Not Enough
Signing the BAA is like buying a safe; it only works if you lock the door. To stay compliant, you must:
- Disable Non-Covered Services: Only “Included Functionality” (Gmail, Drive, Meet, etc.) is covered. Tools like YouTube, Blogger or Google Photos are generally not covered and should be disabled for users handling PHI (review the Included Functionality terms for a complete list of covered services).
- Manage Third-Party Add-ons: Google’s BAA does not cover third-party apps from the Workspace Marketplace. If you use a CRM, encryption, or other plug-in, you need a separate BAA with that vendor.
- Configure PHI Data Retention and Disposal Policies: While Google Workspace supports data retention and disposal (e.g., Google Vault), the organization must configure specific data retention and disposal policies for PHI, as required by the HIPAA Security Rule.
- Configure Sharing Permissions: Update your settings to prevent “Public Link Sharing.” PHI should only be shared with specific, authenticated email addresses.
- Implement Mandatory HIPAA Training: All staff who create, receive, maintain, or transmit PHI must receive regular, mandatory training on the organization’s policies and the proper use of HIPAA-compliant Workspace services.
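The sharing-permissions item above is the one most easily verified after the fact: even with public link sharing turned off in the Admin console, files shared before the change keep their existing permissions. The following is an added example (not Total HIPAA’s or Google’s code) of an audit that walks file records shaped like Google Drive API v3 `files` resources with their `permissions` populated and flags anything other than a named, in-domain recipient. The records, the `clinic.example` domain and the finding names are constructed for the illustration.

```python
"""Audit Drive file permissions for sharing that violates a
"named, authenticated, in-domain recipients only" PHI policy.

Added example, not the page's or Google's code. Input records are assumed
to be shaped like Drive API v3 file resources, e.g. the `files` array from
files.list(fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))").
"""

ORG_DOMAIN = "clinic.example"  # assumption: the organization's Workspace domain

# Constructed sample records (not real data), one per sharing pattern.
SAMPLE_FILES = [
    {   # shared with "anyone with the link": a public link
        "id": "file-001",
        "name": "intake-form-jsmith.pdf",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "nurse@clinic.example"},
            {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
        ],
    },
    {   # shared with a named address outside the domain
        "id": "file-002",
        "name": "lab-results-q1.xlsx",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "lab@clinic.example"},
            {"type": "user", "role": "writer", "emailAddress": "billing@partner-vendor.example"},
        ],
    },
    {   # shared with everyone in the domain rather than named people
        "id": "file-003",
        "name": "staff-holiday-schedule.docx",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "hr@clinic.example"},
            {"type": "domain", "role": "reader", "domain": "clinic.example"},
        ],
    },
    {   # public AND discoverable via search: the worst case
        "id": "file-004",
        "name": "referral-notes.docx",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "dr@clinic.example"},
            {"type": "anyone", "role": "reader", "allowFileDiscovery": True},
        ],
    },
    {   # compliant: owner plus a named in-domain reader
        "id": "file-005",
        "name": "visit-summary.docx",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "dr@clinic.example"},
            {"type": "user", "role": "reader", "emailAddress": "nurse@clinic.example"},
        ],
    },
]


def classify_permission(perm, org_domain=ORG_DOMAIN):
    """Return a finding name for a permission that violates the policy, or None.

    Drive permission `type` is one of user, group, domain, anyone. Only
    user/group entries naming an address in the organization's domain are
    treated as acceptable for PHI.
    """
    ptype = perm.get("type")
    if ptype == "anyone":
        # "anyone" is link sharing; allowFileDiscovery=True also makes the
        # file appear in public search results.
        return "PUBLIC_SEARCHABLE" if perm.get("allowFileDiscovery") else "PUBLIC_LINK"
    if ptype == "domain":
        # Domain-wide access: every account in the org, not a specific recipient.
        return "DOMAIN_WIDE"
    if ptype in ("user", "group"):
        addr = perm.get("emailAddress", "").lower()
        if not addr.endswith("@" + org_domain.lower()):
            return "EXTERNAL_RECIPIENT"
    return None


def audit_sharing(files, org_domain=ORG_DOMAIN):
    """Return {file_id: [findings]} for every file with at least one finding."""
    report = {}
    for record in files:
        findings = [
            finding
            for perm in record.get("permissions", [])
            if (finding := classify_permission(perm, org_domain)) is not None
        ]
        if findings:
            report[record["id"]] = findings
    return report


if __name__ == "__main__":
    for file_id, findings in audit_sharing(SAMPLE_FILES).items():
        print(file_id, ", ".join(findings))
```

In a real environment the records would come from the Drive API rather than the constructed list; the same `classify_permission` logic applies to them unchanged. Findings are ordered by severity for triage: `PUBLIC_SEARCHABLE` and `PUBLIC_LINK` are the “Public Link Sharing” the item above tells you to prevent, while `DOMAIN_WIDE` and `EXTERNAL_RECIPIENT` need a human to confirm the file contains no PHI or that the recipient is a covered party under its own BAA.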
Learn more about What You Need to do to be HIPAA Compliant After Signing a BAA.
Total HIPAA: Your Partner in a Digital World
The BAA is a legal contract, and Google’s “Implementation Guide” is a technical manual that many find overwhelming. One misconfigured setting can lead to a costly “Right of Access” violation or a data breach.
At Total HIPAA, we take the guesswork out of the cloud. Through our HIPAA Prime™ program, we provide:
- Compliance Training: Ensure your staff knows exactly how to implement HIPAA compliance for your organization.
- Online Risk Assessment: A dynamic tool to identify gaps in your organization’s alignment with HIPAA.
- Unlimited Audit and Breach Support: If a breach or audit happens, we’re there to help you through the process.
Don’t leave your compliance to chance. Book a Clarity Call today to speak with an expert about your compliance plan.