In 2023, OCR settled with a healthcare provider for over $1.25 million after an investigation revealed that protected health information was being shared through a cloud-based email platform without a signed business associate agreement or proper security configurations. The platform in question was Google's productivity suite. Achieving HIPAA compliance with G Suite, now branded as Google Workspace, is entirely possible, but only if your organization takes deliberate steps that go far beyond purchasing a license.
Why a Google Workspace Subscription Alone Does Not Equal HIPAA Compliance
Google offers Workspace editions that can support HIPAA compliance; it does not sell a HIPAA-compliant product out of the box. That distinction matters enormously. Signing up for a Google Workspace Business or Enterprise plan does not by itself make your use of Gmail, Drive, or Calendar compliant with the HIPAA Security Rule under 45 CFR Part 164.
Google will sign a Business Associate Agreement with covered entities and their business associates, but it is not part of the sign-up flow: an administrator must accept it in the Admin Console. Until that BAA is in place, every email containing PHI that passes through your organization's Gmail accounts is a potential HIPAA violation.
In my work with covered entities, I have seen far too many small practices assume that because Google is a major technology company, their data is automatically protected to HIPAA standards. That assumption is dangerous and wrong.
Step 1: Execute the Google Business Associate Agreement
Before any protected health information touches Google's infrastructure, your HIPAA Privacy Officer or compliance lead must accept Google's BAA through the Google Workspace Admin Console. Navigate to Account > Legal and compliance and review the agreement carefully.
The BAA covers specific Google Workspace services; Google publishes the current list as its "HIPAA Included Functionality," and it typically includes Gmail, Google Drive (with Docs, Sheets, Slides, and Forms), Google Calendar, Google Vault, and Google Meet. It does not cover every Google product. Services like Google Ads, YouTube, or Google Maps are explicitly excluded, and the list changes over time, so check it when you onboard a new service. Your organization must ensure that PHI is only processed through BAA-covered services.
Keep a signed copy of this agreement in your compliance documentation. OCR investigators will ask for it during any audit or breach investigation.
Step 2: Configure Admin Security Controls for PHI Protection
The Security Rule requires administrative, physical, and technical safeguards for electronic protected health information. Google Workspace provides the technical infrastructure, but your organization's super admin must configure it correctly.
Critical configurations include:
- Enforce 2-Step Verification: Require all workforce members to use multi-factor authentication. This is a baseline technical safeguard under the Security Rule's access control requirements.
- Disable less secure app access: Legacy protocols such as POP and IMAP with password-only authentication bypass 2-Step Verification and leave accounts exposed to password spraying and credential reuse. Where the setting still appears in your console, turn it off.
- Review audit logs and preserve them: Google Workspace records login, Drive, and admin activity automatically in the Admin Console's audit and investigation logs; your job is to review them and to set Google Vault retention so the records survive for as long as your policy requires. The Security Rule at 45 CFR § 164.312(b) requires audit controls that record and examine activity in systems containing ePHI, and a log nobody reads does not satisfy the "examine" half.
- Restrict external sharing in Google Drive: Apply the minimum necessary standard by limiting who can share files outside your domain. Configure Drive settings to warn or block users from sharing with external recipients.
- Set session length controls: Automatic session timeouts reduce the risk of unauthorized access from unattended devices.
- Manage mobile devices: Enforce mobile device management policies including remote wipe, screen lock requirements, and encryption for any device accessing your organization's Workspace account.
Each of these controls maps to specific Security Rule requirements. Document every configuration decision in your risk analysis, which is itself required under 45 CFR § 164.308(a)(1)(ii)(A).
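Enforcing 2-Step Verification in the console is only half of the control; you also need to verify that it actually applies to every active account, especially admins. The script below is an added example, not code from the original page or from Google. It audits a user export for 2SV gaps and dormant accounts. The user records are constructed here and shaped like the Admin SDK Directory API User resource (fields isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended, lastLoginTime); fetching real records via users.list is assumed to happen elsewhere, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Audit a Google Workspace user export for 2-Step Verification gaps.

Added example (not from the original page or Google's tooling). Records are
constructed and shaped like the Directory API User resource; a real export
would come from users.list(customer="my_customer").
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export: none of these are real accounts.
SAMPLE_USERS = [
    # Super admin whose org unit enforces 2SV, but who never enrolled.
    {"primaryEmail": "superadmin@clinic.example", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2024-05-01T14:02:00.000Z"},
    # Clinician enrolled and enforced: nothing to report.
    {"primaryEmail": "dr.patel@clinic.example", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2024-05-02T09:15:00.000Z"},
    # Enrolled voluntarily, but the org unit policy does not enforce it.
    {"primaryEmail": "frontdesk@clinic.example", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2024-05-02T16:40:00.000Z"},
    # Active account, no 2SV, and no sign-in for months.
    {"primaryEmail": "locum@clinic.example", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2023-11-20T08:00:00.000Z"},
    # Suspended account: cannot sign in, so it is skipped.
    {"primaryEmail": "former.staff@clinic.example", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True,
     "lastLoginTime": "2023-01-10T08:00:00.000Z"},
]

# Fixed "now" so the sample output is reproducible (assumption for the demo).
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_time(value):
    """Directory API timestamps are RFC 3339 with milliseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, now=NOW, dormant_days=90):
    """Return findings sorted by severity, then email. Suspended users are ignored."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue
        email = u["primaryEmail"]
        enrolled = u.get("isEnrolledIn2Sv", False)
        enforced = u.get("isEnforcedIn2Sv", False)
        if u.get("isAdmin") and not enrolled:
            findings.append({"email": email, "severity": "critical",
                             "issue": "admin account without 2-Step Verification"})
        elif not enrolled:
            findings.append({"email": email, "severity": "high",
                             "issue": "2-Step Verification not enrolled"})
        elif not enforced:
            # Enrolled but not enforced: the user can switch it off themselves.
            findings.append({"email": email, "severity": "medium",
                             "issue": "2-Step Verification enrolled but not enforced by policy"})
        if now - parse_time(u["lastLoginTime"]) > timedelta(days=dormant_days):
            findings.append({"email": email, "severity": "medium",
                             "issue": f"no sign-in for more than {dormant_days} days; review access"})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["email"]))


def summarize(findings):
    """Count findings per severity for the compliance record."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS):
        print(f"{f['severity']:8} {f['email']:32} {f['issue']}")
    print(summarize(audit_users(SAMPLE_USERS)))
```

Run it against a fresh export each review cycle and file the output with the risk analysis; a "critical" line for an admin account is the one to fix the same day, since a compromised super admin can disable every other control on this list.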
The Workforce Training Gap That Creates the Biggest Risk
Here is the reality OCR has made clear through enforcement action after enforcement action: technology configurations fail when your workforce does not understand the rules. A perfectly configured Google Workspace environment means nothing if an employee forwards PHI to a personal Gmail account, shares a Google Doc containing patient data with the wrong recipient, or stores diagnosis information in a Google service that your BAA does not cover. Because Google's covered-services list changes over time, your training should name the approved tools explicitly rather than assume staff will check.
The Privacy Rule at 45 CFR § 164.530(b) requires training for every workforce member on your organization's policies and procedures for handling PHI, and the Security Rule at 45 CFR § 164.308(a)(5) separately requires a security awareness and training program. This is not optional and it is not a one-time event. Your team needs to understand which Workspace tools are approved for PHI, how sharing settings work, and what constitutes a reportable breach under the Breach Notification Rule.
Investing in HIPAA training and certification designed specifically for healthcare workforce members gives your organization documented proof of compliance and ensures your staff can identify risks before they become violations.
Conduct a Risk Analysis That Includes Google Workspace
Your HIPAA risk analysis must account for every system that stores, processes, or transmits ePHI — and that includes Google Workspace. Under 45 CFR § 164.308(a)(1)(ii)(A), covered entities must conduct an accurate and thorough assessment of potential risks and vulnerabilities.
For your Google Workspace risk analysis, evaluate:
- Which Workspace services are used to handle PHI and whether each is covered under your BAA.
- How data flows between Workspace and other systems (EHR integrations, third-party add-ons, browser extensions).
- Whether third-party Marketplace apps have been granted access to your domain — each one could represent an unauthorized business associate.
- Backup and disaster recovery procedures for Workspace data containing PHI.
Many organizations overlook third-party Marketplace apps. An employee who installs an unapproved Chrome extension or Workspace add-on could inadvertently expose PHI to a vendor with no BAA in place. Lock down Marketplace app installations through your Admin Console.
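A practical way to find those unapproved apps is to review the OAuth grants on each account and compare the scopes they hold against the services where PHI lives. The script below is an added example, not code from the original page or from Google. The grant records are constructed and shaped like the Admin SDK Directory API Token resource (fields userKey, clientId, displayText, scopes); pulling real grants via tokens.list for each user is assumed to be done elsewhere. The scope-to-service mapping, the approved client allowlist, and the app names and client IDs are all hypothetical values you would replace with your own.

```python
"""Review OAuth grants on Workspace accounts for apps that can reach PHI
without a BAA.

Added example (not from the original page or Google's tooling). Grants are
constructed and shaped like the Directory API Token resource; real ones
come from tokens.list(userKey=...) for each user.
"""

# Assumed mapping from scope prefixes to the BAA-covered service they expose.
# Prefix matching catches the narrower variants (drive.readonly, gmail.readonly, ...).
PHI_SCOPES = {
    "https://mail.google.com/": "Gmail",
    "https://www.googleapis.com/auth/gmail": "Gmail",
    "https://www.googleapis.com/auth/drive": "Drive",
    "https://www.googleapis.com/auth/calendar": "Calendar",
    "https://www.googleapis.com/auth/contacts": "Contacts",
}

# Hypothetical allowlist: client IDs of vendors with an executed BAA on file.
APPROVED_CLIENTS = {
    "123456789012-ehrconnector.apps.googleusercontent.com": "EHR connector, BAA signed 2024-01",
}

# Constructed sample grants: none of these apps, IDs, or users are real.
SAMPLE_GRANTS = [
    {"userKey": "dr.patel@clinic.example",
     "clientId": "123456789012-ehrconnector.apps.googleusercontent.com",
     "displayText": "EHR Connector",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "frontdesk@clinic.example",
     "clientId": "987654321098-pdfmerge.apps.googleusercontent.com",
     "displayText": "PDF Merge Pro",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "locum@clinic.example",
     "clientId": "555555555555-weather.apps.googleusercontent.com",
     "displayText": "Weather Widget",
     "scopes": ["https://www.googleapis.com/auth/userinfo.profile"]},
    {"userKey": "superadmin@clinic.example",
     "clientId": "444444444444-mailmerge.apps.googleusercontent.com",
     "displayText": "Mail Merge",
     "scopes": ["https://mail.google.com/"]},
]


def phi_services_for(scopes):
    """Sorted list of PHI-bearing services the given scopes can reach."""
    services = set()
    for scope in scopes:
        for prefix, service in PHI_SCOPES.items():
            if scope.startswith(prefix):
                services.add(service)
    return sorted(services)


def review_grants(grants, approved=APPROVED_CLIENTS):
    """One finding per grant: high if an unapproved app reaches PHI, low if it
    does not, info if the app is on the BAA allowlist."""
    findings = []
    for g in grants:
        services = phi_services_for(g.get("scopes", []))
        is_approved = g["clientId"] in approved
        if is_approved:
            severity = "info"
        elif services:
            severity = "high"
        else:
            severity = "low"
        findings.append({"user": g["userKey"], "app": g.get("displayText", g["clientId"]),
                         "client_id": g["clientId"], "phi_services": services,
                         "approved": is_approved, "severity": severity})
    return findings


def apps_needing_baa(findings):
    """Group the high findings by app so one vendor review covers every user."""
    grouped = {}
    for f in findings:
        if f["severity"] == "high":
            grouped.setdefault(f["app"], set()).add(f["user"])
    return grouped


if __name__ == "__main__":
    results = review_grants(SAMPLE_GRANTS)
    for f in results:
        print(f"{f['severity']:5} {f['user']:28} {f['app']:16} {','.join(f['phi_services']) or '-'}")
    print(apps_needing_baa(results))
```

The grouped output is what goes to the Privacy Officer: each app in it either gets a BAA or gets its grant revoked and its installation blocked in the Marketplace settings. Note that a "low" grant is not harmless, only out of scope for this check; a widget with a profile scope still sees names and email addresses.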
Monitor, Audit, and Update Continuously
Configuring G Suite or Google Workspace for HIPAA compliance is not a one-time project. OCR expects ongoing monitoring. Use Google Workspace's Alert Center to track suspicious login activity, DLP (data loss prevention) rule triggers, and device compromise events, and review the Drive and login audit logs for external sharing and failed sign-in patterns that no alert rule covers.
Review your security configurations quarterly at minimum. Google regularly updates Workspace features, and a new default setting could loosen a control you previously tightened. Assign a specific workforce member to own Google Workspace compliance monitoring and document their review activities.
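The Alert Center covers the events Google chose to alert on; the audit logs let you write your own checks. The script below is an added example, not code from the original page or from Google. It triages a batch of activity records for external Drive sharing, link sharing, suspicious logins, and bursts of failed sign-ins. The records are constructed and shaped like Reports API activities.list results (id.time, id.applicationName, actor.email, events[].name, events[].parameters with value/multiValue); event and parameter names follow the Drive and login audit logs, but verify them against your own export before relying on this. The internal domain, the failure threshold, and the ten-minute window are assumed policy values.

```python
"""Triage Google Workspace audit activity for PHI-relevant events.

Added example (not from the original page or Google's tooling). Activity
records are constructed and shaped like Reports API activities.list output.
"""
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"clinic.example"}  # assumption: your own Workspace domains
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def drive_event(actor, time, name, params):
    """Build a constructed Drive audit record in the Reports API shape."""
    return {"id": {"time": time, "applicationName": "drive"}, "actor": {"email": actor},
            "events": [{"type": "acl_change", "name": name, "parameters": params}]}


def login_event(actor, time, name, ip):
    """Build a constructed login audit record in the Reports API shape."""
    return {"id": {"time": time, "applicationName": "login"}, "actor": {"email": actor},
            "ipAddress": ip, "events": [{"type": "login", "name": name, "parameters": []}]}


# Constructed sample activity: no real users, documents, or addresses.
SAMPLE_EVENTS = [
    login_event("dr.patel@clinic.example", "2024-05-02T08:00:00.000Z", "login_success", "203.0.113.5"),
    drive_event("dr.patel@clinic.example", "2024-05-02T09:15:10.000Z", "change_user_access", [
        {"name": "doc_title", "value": "Visit notes - patient 4471"},
        {"name": "target_user", "value": "billing@clinic.example"},
        {"name": "new_value", "multiValue": ["can_edit"]}]),
    drive_event("dr.patel@clinic.example", "2024-05-02T09:20:00.000Z", "change_user_access", [
        {"name": "doc_title", "value": "Visit notes - patient 4471"},
        {"name": "target_user", "value": "someone@gmail.com"},
        {"name": "new_value", "multiValue": ["can_view"]}]),
    drive_event("frontdesk@clinic.example", "2024-05-02T10:05:00.000Z", "change_document_visibility", [
        {"name": "doc_title", "value": "Lab results Q1"},
        {"name": "old_visibility", "value": "private"},
        {"name": "visibility", "value": "people_with_link"}]),
    login_event("frontdesk@clinic.example", "2024-05-02T11:00:00.000Z", "suspicious_login", "198.51.100.77"),
]
# Five failed sign-ins for one account within five minutes.
for minute in range(30, 35):
    SAMPLE_EVENTS.append(login_event("locum@clinic.example", f"2024-05-02T11:{minute}:00.000Z",
                                     "login_failure", "192.0.2.10"))


def param(event, name):
    """Parameters are a list of {name, value|boolValue|multiValue} objects."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value", p.get("boolValue", p.get("multiValue")))
    return None


def is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def triage(activities, internal_domains=INTERNAL_DOMAINS, fail_threshold=5,
           window=timedelta(minutes=10)):
    """Return findings in time order. Failed-login bursts fire once per window."""
    findings = []
    recent_failures = {}
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        app, when = act["id"]["applicationName"], parse_time(act["id"]["time"])
        actor = act.get("actor", {}).get("email", "unknown")
        for ev in act.get("events", []):
            name = ev.get("name", "")
            if app == "drive":
                target = param(ev, "target_user")
                grant = param(ev, "new_value") or []
                if name == "change_user_access" and target and grant != ["none"] \
                        and is_external(target, internal_domains):
                    findings.append({"time": act["id"]["time"], "actor": actor, "kind": "external_share",
                                     "detail": f"'{param(ev, 'doc_title')}' shared with {target}"})
                elif param(ev, "visibility") in EXTERNAL_VISIBILITY:
                    findings.append({"time": act["id"]["time"], "actor": actor, "kind": "link_sharing",
                                     "detail": f"'{param(ev, 'doc_title')}' now {param(ev, 'visibility')}"})
            elif app == "login":
                if name.startswith("suspicious_login"):
                    findings.append({"time": act["id"]["time"], "actor": actor, "kind": "suspicious_login",
                                     "detail": f"{name} from {act.get('ipAddress')}"})
                elif name == "login_failure":
                    times = [t for t in recent_failures.get(actor, []) if when - t <= window] + [when]
                    recent_failures[actor] = times
                    if len(times) == fail_threshold:
                        findings.append({"time": act["id"]["time"], "actor": actor,
                                         "kind": "repeated_login_failure",
                                         "detail": f"{fail_threshold} failures within {window} from {act.get('ipAddress')}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} {f['kind']:24} {f['actor']:28} {f['detail']}")
```

Each finding is a candidate for the breach-risk assessment: an external share of a document with a patient identifier in its title is exactly the kind of event the Breach Notification Rule asks you to evaluate, and having the log entry with its timestamp and actor is what makes that evaluation defensible.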
Update your Notice of Privacy Practices if your use of Google Workspace changes how patients' PHI is stored or communicated. Patients have a right to understand how their information is handled.
Build a Compliance Foundation Before You Deploy
If your organization is considering Google Workspace — or already uses it without these safeguards — the time to act is now. OCR's enforcement priorities continue to focus on risk analysis failures and missing business associate agreements, two areas directly implicated in cloud platform deployments.
Start with a comprehensive workforce HIPAA compliance program that covers cloud-based tools, the minimum necessary standard, and breach identification procedures. Then configure your Workspace environment with the technical controls outlined above. Finally, document everything — your BAA, your risk analysis, your admin configurations, and your training records.
Google Workspace can be a powerful, compliant tool for healthcare organizations. But compliance lives in the configuration, the training, and the documentation — never in the subscription alone.