Google Docs is not HIPAA compliant by default, but it can be used in a HIPAA-compliant way when it’s part of a paid Google Workspace account with the right configuration. The free consumer version of Google Docs, the one tied to a standard @gmail.com account, cannot be made HIPAA compliant under any circumstances. There is no way to sign the required legal agreement with Google on a free account.
Why the Free Version Doesn’t Qualify
HIPAA requires a covered entity (or a business associate acting for one) to have a signed Business Associate Agreement (BAA) in place with any vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf, and a cloud service that stores PHI is exactly such a vendor. The BAA is a legal contract in which the service provider commits to specific safeguards for that data. Google offers its BAA only on paid Google Workspace subscriptions, and it is accepted electronically by an administrator in the admin console. Free Gmail and Google Docs accounts have no admin console, no BAA option, and therefore no way to meet this fundamental legal requirement.
This is a hard line. Even if you enabled every possible security setting on a free Google account, the absence of a BAA means using it for PHI is a HIPAA violation.
What a Paid Google Workspace Account Gets You
With a paid Google Workspace subscription, an organization’s super administrator can accept Google’s BAA directly from the admin console under Account Settings, then Legal and Compliance. The electronic acceptance carries the same legal weight as a paper agreement, and a screenshot of the acceptance screen serves as documentation.
The BAA doesn’t cover every Google product automatically. It applies only to services Google specifically lists on its HIPAA Included Functionality page. Google Docs, Google Drive, Gmail, Google Sheets, Google Slides, Google Calendar, and Google Meet are among the covered services, but you need to verify the current list because Google updates it. Any product not explicitly listed should not be used with PHI, even if it’s part of your Workspace subscription.
Google’s Security Infrastructure
Google encrypts all stored data with AES-256. The encryption is layered: at the storage-system level, at the physical device level, and through a key hierarchy in which the data encryption key for each chunk of data is itself wrapped by a key encryption key held in a central key management service (envelope encryption), so a single compromised disk or a single leaked key does not expose the data. Data moving between your browser and Google’s servers is encrypted in transit with TLS.
Google’s cryptographic module is validated against the federal FIPS 140-2 standard, which is the benchmark the U.S. government uses for approving encryption modules. Be clear about what that validation covers: it certifies the cryptographic implementation, not your tenant’s configuration, and the HIPAA Security Rule treats encryption as an addressable specification rather than mandating a particular algorithm. For organizations handling health data, this level of infrastructure security is a baseline expectation, and Google meets it.
Compliance Is a Shared Responsibility
Signing the BAA and relying on Google’s encryption is not enough. Google itself is explicit about this: HIPAA compliance is a shared responsibility between Google and the customer. The U.S. Department of Health and Human Services recognizes no official HIPAA certification, for Google or anyone else, so no vendor can be “compliant” on your behalf. Google provides the secure infrastructure; your organization is responsible for how it is configured and used.
That means the way your team shares documents, who has access to files, and how you manage user accounts all fall on you. A Google Doc containing patient records that’s shared via a public link is a compliance failure on your end, not Google’s.
Configuration Steps That Matter
Once the BAA is in place, administrators need to lock down several settings to maintain compliance:
- Restrict external sharing. In the Drive sharing settings, turn off sharing outside the organization, or limit it to allowlisted partner domains if you exchange PHI with specific outside organizations that hold their own BAA. Keep the link-sharing default off so a new file is private until someone is deliberately added, and turn on the warning that appears when a user shares a file outside the organization. Link sharing set to “anyone with the link” is a fast path to a violation.
- Enforce two-step verification. Every user account that could access PHI should require a second factor at login. Google Workspace lets administrators enforce 2-Step Verification per organizational unit rather than leave it optional, and the enforcement policy can require security keys (phishing-resistant) instead of SMS codes. Do that for super admins at minimum, since a super admin can change every other control described here.
- Disable non-covered services. If a Google product isn’t on the BAA’s covered services list, disable it for users who handle PHI. Using an uncovered product with health data puts you outside the BAA’s protections.
- Review audit logs. Google Workspace generates detailed audit logs for login events, file access, sharing changes, admin actions, and third-party app authorizations. These logs are essential for demonstrating compliance during an audit and for catching unauthorized access early. Plan retention deliberately: the admin console keeps most audit data for only about six months, so export it. If you share the Workspace audit logs with Google Cloud Logging, Admin Activity entries land in the _Required bucket with a fixed 400-day retention that cannot be changed, while the remaining logs go to the _Default bucket, whose retention can be configured up to 3,650 days, long enough to cover HIPAA’s six-year documentation retention period.
Third-Party Add-Ons Are a Blind Spot
Google’s BAA covers Google Workspace services specifically listed on their functionality page. It does not extend to third-party apps installed from the Google Workspace Marketplace. If your team uses an add-on for e-signatures, mail merge, or project management within Google Docs, that add-on may access document contents, including any PHI. Each third-party tool needs its own BAA and its own security evaluation.
Google Workspace audit logs do track when third-party applications are authorized to access account data, which helps administrators monitor what tools are connecting. But monitoring access isn’t the same as securing it. The safest approach is preventive: in the admin console, allow users to install only allowlisted Marketplace apps, and use the API controls settings to block unconfigured third-party apps from reaching Workspace data through OAuth, so only vetted tools with their own HIPAA-compliant agreements can connect. Then use the token audit log to confirm nothing else slipped through.
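To make the audit-log review from the configuration steps above and the third-party app monitoring described here repeatable, the following is an added example (not code from the article or from Google) that scans a Workspace audit export for the two events that matter most on this page: a Drive file whose visibility changed to “anyone with the link” or public, and an OAuth grant to an add-on that is not on your vetted allowlist but asked for a scope that reads document contents. The records follow the Admin SDK Reports API activities.list shape (items, events, parameters); the sample records, e-mail addresses, client IDs, document IDs and the ALLOWED_CLIENT_IDS allowlist are all constructed placeholders, and the parameter names used (new_value, visibility_change, client_id, scope) should be checked against the current Drive and token audit-log documentation before running this on a real export.

```python
"""Scan a Google Workspace audit export for external Drive sharing and unvetted
OAuth grants. Added example, not code from the article or from Google. Records
use the Admin SDK Reports API activities.list shape (items -> events ->
parameters); SAMPLE_ACTIVITIES and all IDs/addresses are constructed placeholders."""
import json

# Drive visibility values that expose a file beyond the organization.
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web"}
# OAuth scopes that let an app read document contents, i.e. any PHI in Docs/Drive.
CONTENT_SCOPES = {"https://www.googleapis.com/auth/drive",
                  "https://www.googleapis.com/auth/drive.file",
                  "https://www.googleapis.com/auth/documents"}
# Assumed allowlist: client IDs of add-ons that were vetted and hold their own BAA.
ALLOWED_CLIENT_IDS = {"111111111111-esign.apps.googleusercontent.com"}


def _rec(time, app, actor, name, **params):
    """Build one activities.list item; list-valued params become multiValue."""
    plist = [{"name": k, "multiValue": v} if isinstance(v, list)
             else {"name": k, "value": v} for k, v in params.items()]
    return {"id": {"time": time, "applicationName": app}, "actor": {"email": actor},
            "events": [{"name": name, "parameters": plist}]}


# Constructed sample export, not a real log.
SAMPLE_ACTIVITIES = [
    # PHI document opened to "anyone with the link": must be flagged.
    _rec("2024-05-01T14:02:11Z", "drive", "nurse@clinic.example",
         "change_document_visibility", doc_id="doc-0001", doc_title="Intake notes",
         old_value="private", new_value="people_with_link", visibility_change="external"),
    # Shared with the whole organization only: internal, not flagged.
    _rec("2024-05-01T14:05:40Z", "drive", "nurse@clinic.example",
         "change_document_visibility", doc_id="doc-0002", doc_title="Staff rota",
         old_value="private", new_value="people_within_domain", visibility_change="internal"),
    # Vetted e-signature add-on granted a Drive scope: on the allowlist.
    _rec("2024-05-02T09:12:03Z", "token", "frontdesk@clinic.example", "authorize",
         app_name="Vetted eSign", client_id="111111111111-esign.apps.googleusercontent.com",
         scope=["https://www.googleapis.com/auth/drive.file"]),
    # Unknown mail-merge add-on granted full Drive access: must be flagged.
    _rec("2024-05-02T09:30:55Z", "token", "frontdesk@clinic.example", "authorize",
         app_name="QuickMerge", client_id="222222222222-merge.apps.googleusercontent.com",
         scope=["https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/drive"]),
    # Unknown app that only asked for the user's e-mail address: cannot read PHI.
    _rec("2024-05-02T10:01:00Z", "token", "frontdesk@clinic.example", "authorize",
         app_name="Timezone Helper", client_id="333333333333-tz.apps.googleusercontent.com",
         scope=["https://www.googleapis.com/auth/userinfo.email"]),
]


def _params(event):
    """Flatten an event's parameter list into {name: value or list}."""
    return {p["name"]: p["multiValue"] if "multiValue" in p else p.get("value")
            for p in event.get("parameters", [])}


def find_violations(activities, allowed_client_ids=ALLOWED_CLIENT_IDS):
    """Return one finding per external visibility change or unvetted OAuth grant."""
    findings = []
    for item in activities:
        app = item["id"]["applicationName"]
        base = {"time": item["id"]["time"], "actor": item.get("actor", {}).get("email", "?")}
        for ev in item.get("events", []):
            p = _params(ev)
            if app == "drive" and ev["name"] == "change_document_visibility":
                # Either signal suffices: the new ACL is link/public, or Google
                # itself classified the change as external.
                if p.get("new_value") in EXTERNAL_VISIBILITY or p.get("visibility_change") == "external":
                    findings.append({**base, "kind": "external_sharing", "doc_id": p.get("doc_id"),
                                     "doc_title": p.get("doc_title"), "new_value": p.get("new_value")})
            elif app == "token" and ev["name"] == "authorize":
                scopes = p.get("scope") or []
                scopes = [scopes] if isinstance(scopes, str) else scopes
                content = sorted(s for s in scopes if s in CONTENT_SCOPES)
                # Only content-reading grants to apps outside the allowlist matter.
                if content and p.get("client_id") not in allowed_client_ids:
                    findings.append({**base, "kind": "unvetted_app", "app_name": p.get("app_name"),
                                     "client_id": p.get("client_id"), "content_scopes": content})
    return findings


if __name__ == "__main__":
    import sys
    # Pass a saved activities.list export (JSON list of items) or use the sample.
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ACTIVITIES
    hits = find_violations(src)
    for hit in hits:
        print(json.dumps(hit, sort_keys=True))
    sys.exit(1 if hits else 0)
```

Run it against a JSON file saved from the Reports API (applicationName drive and token) and it exits non-zero when anything is flagged, which makes it easy to schedule. It is a detective control only: the preventive controls are the sharing restrictions and the Marketplace and API access allowlists set in the admin console, and this script exists to catch what those miss, such as a grant that predates the allowlist.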
What This Looks Like in Practice
A medical practice, therapy office, or health tech company that wants to use Google Docs with patient information needs, at minimum: a paid Google Workspace subscription, an accepted BAA in the admin console, sharing restrictions that prevent PHI from leaking outside the organization, enforced two-step verification, and disabled access to any Google services not covered by the BAA. They also need to train staff on what they can and can’t do, because a misconfigured share or a document sent to the wrong recipient is a far more likely source of a breach than a failure in Google’s infrastructure.
Organizations that already use Google Workspace for general business operations can often layer HIPAA compliance onto their existing setup without switching platforms. The infrastructure is capable. The question is whether your organization is willing to configure it properly and maintain those settings over time.