HIPAA Compliance with Google Apps

Ensuring that our customers' data is safe, secure and always available to them is one of our top priorities. To demonstrate our compliance with security standards in the industry, Google has sought and received security certifications such as FISMA, ISO 27001, and SSAE 16. For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), Google Apps can also support HIPAA compliance.

Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google.

Administrators for Google Apps for Business, Education, and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services.

Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.