HIPAA Compliance with Google Workspace and Cloud Identity

Ensuring that our customers' data is safe, secure and always available to them is one of our top priorities. For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), Google Workspace and Cloud Identity can support HIPAA compliance.

Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Workspace and Cloud Identity customers who are subject to HIPAA and wish to use Google Workspace or Cloud Identity with PHI must sign a Business Associate Agreement (BAA) with Google.

Google Workspace and Cloud Identity customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not signed a BAA with Google must not use Google services in connection with PHI.

Administrators must review and accept a BAA before using Google services with PHI. See what Google Workspace products can be used for HIPAA compliance in the HIPAA Included Functionality.

We have published our Google Workspace and Cloud Identity HIPAA Implementation Guide to help customers understand how to organize data on Google services when handling PHI. This guide is intended for employees in organizations who are responsible for HIPAA implementation and compliance with Workspace and Cloud Identity.

Frequently asked questions

How can I receive a copy of my electronically accepted HIPAA BAA?

The HIPAA BAA is made available to customers for electronic acceptance via their Admin console. Such an electronic agreement is as binding as a paper-based agreement; that is, it has the same legal effect. To demonstrate electronic acceptance, the customer can produce a screenshot of the Admin console HIPAA acceptance log that is shown in the Legal & Compliance section. This event is also reflected in the Admin Audit log.

Are third-party applications covered under the Google Workspace BAA?

Third-party applications including add-ons are not included in the Included Functionality covered by the BAA. Consider checking our HIPAA Implementation Guide for further information.

How should I send documents to an external domain in a manner that supports my HIPAA compliance?

When sharing PHI inside or outside the Google Workspace domain, customers should follow their organizational policies on handling PHI. Customers can choose a sharing method, inside or outside of Google Workspace, that complies with those policies and is consistent with the domain-wide settings of Google Workspace. The HIPAA Implementation Guide provides guidance on limiting access to PHI within a Google Workspace domain, such as sharing with specific recipients as opposed to anybody with the link.

Does Google have any plans to add Google products that are not currently covered in the HIPAA Included Functionality?

Google continues to evaluate the scope of the Included Functionality and may include additional products in the future. Please note that neither the Google Workspace DPA nor the Google Workspace BAA terms extend to Additional Google Services. Google continues to evaluate methods to provide additional controls related to Additional Google Services and may introduce those as part of the functionality of the Services at any time.
