There’s a common misconception that Gmail (and Google Workspace) is HIPAA compliant as soon as you set it up. The reality is that most therapists never take the extra steps of signing a Business Associate Agreement (BAA) and properly securing the account, which means their clients’ PHI may not be as protected as they think. A free @gmail.com account can never be made compliant, because Google does not offer a BAA for consumer accounts at all.
After doing dozens of Google Workspace audits for therapists, I can tell you — almost no one gets this right the first time.
And it’s not your fault. Google doesn’t exactly make this information easy to find, and most therapists have no idea a BAA is even required. The good news? Once you know what to do, the fix is straightforward. This guide lays it all out, step by step, so you can protect your clients’ privacy, make your Gmail HIPAA compliant, and get back to doing what you do best.
If you’re short on time, watch the video for a step-by-step walk-through of exactly how to make your Gmail email and your entire Google Workspace account HIPAA compliant.
Is Google Workspace HIPAA Compliant?
Yes and no. Google Workspace can be HIPAA compliant, but it’s not automatically set up that way. You must sign a Business Associate Agreement (BAA) with Google to meet HIPAA requirements and adjust security settings to protect client information.
A BAA is a contract between you and Google in which Google agrees to safeguard Protected Health Information (PHI) as HIPAA requires. Without a signed BAA, storing or sending client PHI through Google Workspace is not HIPAA compliant. Signing it is not the end of the job: you must also configure security settings, restrict sharing, secure the devices that sign in, and limit who can access PHI. Google encrypts Workspace data in transit and at rest by default, but keep in mind that mail delivered to an outside mail server is only encrypted on that hop if the receiving server also supports TLS.
Which Google Workspace Services are HIPAA-Compliant?
These Google Workspace services are covered by Google’s HIPAA Business Associate Agreement (BAA) and can be used with PHI, provided they are properly configured.
- Email (Not Free Gmail Accounts) – Gmail under a paid Workspace subscription, with encryption in transit and proper access controls. Free @gmail.com accounts cannot be covered by a BAA.
- Google Calendar – Can be used for scheduling, but PHI should not be included in event titles or descriptions.
- Google Drive (Docs, Sheets, Slides, Forms) – Secure cloud storage if link-sharing is restricted and sharing outside your organization is controlled.
- Duet AI for Google Workspace – AI-powered assistance covered under HIPAA if PHI security measures are followed.
- Google Chat – Secure internal messaging if external access is turned off.
- Google Meet – Can be used for telehealth if meetings are private and recordings are stored securely.
- Google Keep – A note-taking tool that must have restricted access to protect PHI.
- Google Sites – Can be used internally for documentation, but should not store PHI on public pages.
- Jamboard – Digital whiteboard for internal collaboration, but PHI should not be shared externally.
- Google Cloud Search – A secure search tool that allows authorized users to find information within Workspace.
- Google Voice (Managed Users Only) – HIPAA-compliant only for managed users, not for personal accounts.
- Cloud Identity Management – A security tool for user authentication and access control.
- Google Groups – Can be used internally, but should not be used for sharing PHI externally.
- Google Tasks – A task management tool that should not include PHI in task descriptions.
- Google Vault – Secure data archiving and retention for compliance and audits.
- Apps Script – An automation tool that must follow strict security settings when handling PHI.
- AppSheet – Custom app builder that must have proper access controls for PHI security.
How to Make Google Workspace HIPAA-Compliant
Setting up Google Workspace for HIPAA compliance is easier than you think. By following the steps below, you can protect client information, ensure your business Gmail meets HIPAA requirements, and confidently run your practice.
Step 1: Get a Google Workspace Account
Before you can sign the BAA, you need a Google Workspace account on a domain you own (e.g., yourpractice.com). Client emails and documents then live in a business account you administer, rather than in a personal Gmail account.
- If you use Squarespace, log in at www.squarespace.com, go to Settings → Google Workspace, and follow the prompts. It’s free for the first year.
- If you don’t use Squarespace, sign up directly through Google Workspace.
Step 2: Sign in to Google Admin Console
Once you have a Google Workspace account, access the Admin Console to manage security settings and compliance.
- Go to admin.google.com.
- Log in with your Google Workspace admin account (not a personal Gmail account).
Step 3: Click on Account
In the Admin console menu, click Account, then Account settings.
Step 4: Check Legal and Compliance Section
Scroll down to the Legal and Compliance section and click the drop-down arrow.
Step 5: Fill in the Details
Enter the contact details Google asks for:
- Your local privacy representative
- Your data protection officer
For a solo practice, both of these can be you.
Step 6: Review and Accept Additional Terms
In the Legal and Compliance section, find Google Workspace/Cloud Identity HIPAA Business Associate Amendment and click Review and Accept.
Step 7: Confirm the Amendment
Answer the questions ‘Yes’ and click ‘OK’.
Click ‘Accept’ to accept the terms.
That’s it for the BAA. Once you complete these steps, Google’s covered services are under a signed Business Associate Amendment, and Google treats your account as BAA-covered. This is a necessary step for protecting your clients and your practice, but it does not by itself make your account secure or your practice compliant: the BAA is a contract, not a configuration.
You can now use Google Workspace and Gmail with client PHI, provided you also lock down the account and the devices that access it. True compliance goes beyond Google’s paperwork.
Protecting PHI on Phones, Laptops, and Personal Devices
Getting Google Workspace configured properly is a huge step toward protecting your clients’ privacy. But it’s only part of the equation. HIPAA compliance also depends on how you handle sensitive information on your end, especially on personal devices like phones, tablets, and laptops.
Even the most secure system won’t matter if someone can open your phone and see client emails, or if your laptop is lost or stolen without encryption. These everyday scenarios are where risks often slip in — and they’re often overlooked.
Here are a few simple ways to keep your devices HIPAA-compliant:
- Use strong passwords or biometric locks on all devices.
- Enable device encryption (this is built-in on most modern smartphones and laptops).
- Turn off notifications that might display client info on your lock screen.
- Avoid downloading client files unless necessary — and if you do, store them in encrypted folders.
- Keep personal and work accounts completely separate.
- Set devices to auto-lock after a short period of inactivity.
- Make sure your website isn’t storing any PHI.
- Regularly back up data securely and make sure you can wipe a device remotely if it’s lost or stolen (Google Workspace’s endpoint management in the Admin console can wipe the work account from a lost phone).
By taking these precautions, you’re extending the same level of care and confidentiality you offer in session to the digital tools you use to run your practice.