The most common HIPAA violation I encounter during healthcare practice assessments is the one nobody suspects. Not missing encryption. Not absent MFA. A therapist, office manager, or billing coordinator sending patient intake forms through a personal @gmail.com Google Drive account. The practice has processed hundreds of patient records through the account for years. Nobody questioned it because Google Drive “has encryption.”
Google does not sign a Business Associate Agreement for free consumer accounts. Every patient record stored in or transmitted through a personal Gmail or free Drive account is therefore a disclosure of PHI to a vendor with no business associate contract in place [164.502(e)]. Where the practice had a compliant alternative available and chose not to use it, OCR can treat the failure as willful neglect, the highest penalty tier [45 CFR 160.401, 160.404(b)(2)]. The violation is structural, not behavioral. No amount of internal policy change makes a free account HIPAA-eligible.
Google Drive supports HIPAA compliance on Workspace Business Standard, Business Plus, and Enterprise editions with a signed BAA and four admin console configurations most practices skip.
Yes, HIPAA requires a BAA for Google Drive when storing or transmitting PHI [164.502(e)]. Google signs BAAs only for Workspace Business Standard, Business Plus, and Enterprise editions. Free accounts and Business Starter are ineligible. Signing the BAA alone is insufficient. Four admin console configurations must be applied before the account is compliant.
Why Free Google Accounts Violate HIPAA
Free Google accounts (@gmail.com) are consumer products governed by Google’s consumer Terms of Service and Privacy Policy, which give a practice no contractual control over how Google handles the data. Google does not sign a Business Associate Agreement for these accounts under any circumstances [Google Workspace HIPAA Implementation Guide]. Using one for PHI when a compliant alternative was available is the kind of failure OCR treats as willful neglect, which carries the highest penalty tier: the statutory minimum for willful neglect corrected within 30 days is $10,000 per violation, adjusted annually for inflation [45 CFR 160.404(b)(2)].
The violation is structural, not behavioral. No amount of encryption, two-factor authentication, or internal policy changes makes a free account HIPAA-eligible. The account lacks the contractual framework HIPAA demands at 164.502(e).
The most common scenario: a practice hires a new clinician and tells them to use their personal Gmail until a workspace license is purchased. One patient file stored in the account creates an immediate violation. Every file after compounds the exposure.
1. Audit every email address that can reach PHI: every Workspace account, and every external address a PHI file or folder has been shared with. Flag any @gmail.com, @yahoo.com, or other consumer account.
2. Migrate all PHI from consumer accounts to a BAA-eligible Workspace edition, within 30 days at the outside, then remove the files from the consumer account and revoke its access to anything shared from the Workspace tenant.
3. Document the migration date, the accounts remediated, and the data transferred. Retain this evidence for six years, the Privacy Rule’s documentation retention period, and produce it on OCR inquiry [164.530(j)].
Which Workspace Tiers Support a BAA
Google restricts BAA eligibility to specific Workspace editions, with Business Standard as the minimum BAA-eligible tier. The distinction trips up small practices that buy the lowest-cost plan without checking eligibility. The table below shows each edition’s BAA status and HIPAA readiness; confirm it against Google’s current HIPAA Implementation Guide before purchasing, since edition names, pricing, and eligibility change over time.
| Workspace Edition | BAA Eligible | HIPAA Status |
|---|---|---|
| Free / Personal | No | Never compliant. No BAA available. |
| Business Starter | No | Upgrade to Standard required. |
| Business Standard | Yes | Compliant with configuration. |
| Business Plus | Yes | Compliant with configuration. |
| Enterprise | Yes | Compliant. Advanced security controls. |
Business Starter costs less per user but excludes BAA eligibility, Vault for data retention, and advanced endpoint management. Practices running Business Starter with PHI in Drive operate in continuous violation regardless of internal security measures.
How to Locate and Accept the BAA
Google does not surface the BAA in the billing dashboard or account overview. The agreement is buried in the Admin Console under legal terms.
Log in to admin.google.com as a Super Admin. Open Account > Legal and Compliance. Locate Security and Privacy Additional Terms. Select Google Workspace/Cloud Identity HIPAA Business Associate Amendment. Click Accept.
If the HIPAA amendment does not appear, the account is on an ineligible tier. Upgrade to Business Standard or higher before proceeding.
1. Verify your Workspace edition supports BAA acceptance (Business Standard, Business Plus, or Enterprise).
2. Accept the BAA through Admin Console > Account > Legal and Compliance.
3. Screenshot the accepted BAA with the acceptance date visible and store it in your HIPAA compliance documentation. The written contract with a business associate is a required implementation specification, and auditors ask for the evidence in every assessment [164.308(b), 164.314(a)].
What Four Configurations Are Mandatory After Signing the BAA?
Signing the BAA is the legal prerequisite. It does not change a single technical setting. Google’s own HIPAA Implementation Guide walks through the configurations it expects customers to review after accepting the BAA. Most practices sign the BAA and stop. Auditors do not.
Restrict External Sharing
Open the Admin Console. Go to Apps > Google Workspace > Drive and Docs > Sharing settings. Set external sharing to the allowlisted-domains option (labeled “Allowlisted domains” in current consoles, formerly “Trusted domains”), and add only partner domains that have signed a BAA with the practice. This prevents staff from sharing patient files with personal @gmail.com addresses or other external parties without organizational approval.
The default Workspace setting allows sharing with anyone outside the organization. A single employee generating an “anyone with the link” URL for a patient folder makes the PHI readable by anyone holding that URL, with no login and no record of who they are.
Enforce Two-Factor Authentication
Navigate to Security > Authentication > 2-Step Verification. Set enforcement to On for the entire organization. Set the new user enrollment period to None, so that no account signs in on a password alone while a grace period runs. HIPAA requires access controls proportional to the sensitivity of the data [164.312(d)]. Single-factor authentication for accounts accessing PHI fails this standard in 2026.
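Enforcement is set organization-wide, but whether every account actually has a second factor is a per-user fact, and the enrollment period means “enforced” and “protected” are not the same thing. The check below is an added example written for this article, not Google’s code: it reads user records in the shape the Admin SDK Directory API’s users.list returns (primaryEmail, suspended, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv) and lists every active account that can still sign in on a password alone. The user records and the domain example-clinic.com are constructed for the example.

```python
"""Flag Workspace accounts that can still sign in without 2-Step Verification.

The records mirror the fields the Admin SDK Directory API returns from
users.list (primaryEmail, suspended, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv).
The sample data is constructed for this example; a real run replaces it with
the paged output of service.users().list(customer="my_customer").
"""

# Constructed sample: what a small practice's directory export might look like.
SAMPLE_USERS = [
    {"primaryEmail": "frontdesk@example-clinic.com", "suspended": False,
     "isAdmin": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "newclinician@example-clinic.com", "suspended": False,
     "isAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "admin@example-clinic.com", "suspended": False,
     "isAdmin": True, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "former-staff@example-clinic.com", "suspended": True,
     "isAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]


def find_2sv_gaps(users):
    """Return one finding per active account that is not both enforced and enrolled.

    - Suspended accounts cannot sign in, so they are excluded here (they still
      belong in the user inventory, just not in this finding list).
    - An account that is enforced but not yet enrolled is inside the enrollment
      period: it still signs in with a password alone.
    - An account that is enrolled but not enforced can switch 2SV off itself.
    - Super admins without 2SV are rated critical: that one password unlocks
      every setting this article asks you to lock down.
    """
    findings = []
    for u in users:
        if u.get("suspended"):
            continue
        enrolled = bool(u.get("isEnrolledIn2Sv"))
        enforced = bool(u.get("isEnforcedIn2Sv"))
        if enrolled and enforced:
            continue
        if not enforced:
            reason = "2SV not enforced for this account (policy gap)"
        else:
            reason = "2SV enforced but user not enrolled (enrollment period still open)"
        findings.append({
            "user": u["primaryEmail"],
            "severity": "critical" if u.get("isAdmin") else "high",
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_2sv_gaps(SAMPLE_USERS):
        print(f"{f['severity']:8} {f['user']:40} {f['reason']}")
```

Run it on the day you flip enforcement on and again when the enrollment period you configured would have ended; an empty result on the second run is the evidence that the control is actually in force, and the screenshot of the setting alone is not.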
Disable Offline Access
Go to Apps > Google Workspace > Drive and Docs > Features and Applications and uncheck “Allow users to enable offline access.” Offline access caches patient files on the local device. A stolen laptop with cached files carries PHI outside Google’s controls; whether that cache is readable depends entirely on the device’s disk encryption and lock screen, and the BAA does not cover data stored on the user’s machine.
Disable Link Sharing Defaults
Under Drive and Docs > Sharing settings, set the link sharing default to Off so that new files are shared only with the specific people invited to them, not by link. Open links create persistent access the organization cannot attribute to a person and cannot reliably revoke once the URL has been forwarded.
1. Restrict external sharing to allowlisted domains only in Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings.
2. Enforce 2-Step Verification organization-wide with no new user enrollment period.
3. Disable offline access for every organizational unit that handles PHI.
4. Set the link sharing default to Off.
Document each configuration change with a screenshot and the date applied, and retain the evidence in your SaaS compliance documentation file [164.312(a)(1)].
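Steps 1 and 4 above set policy going forward; the consumer-account sweep from the free-account section and the check for open links both need a look at the permissions that already exist. The script below is an added example written for this article, not Google’s code: it takes file records in the shape the Drive API’s files.list returns when the fields parameter requests permissions(type,role,emailAddress,domain,allowFileDiscovery), and flags open links, consumer-account grantees, and shares to domains outside the allowlist. The file records, the clinic domain example-clinic.com, and the trusted partner domain are constructed for the example; a real run feeds it the paged API output for every shared drive and user in scope.

```python
"""Audit Drive file permissions for the sharing paths this article locks down.

Input mirrors the Drive API files.list response with
fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))".
The file list below is constructed for this example; a real run pages through
service.files().list(...) for the shared drives and users in scope.
"""

ORG_DOMAINS = {"example-clinic.com"}                 # assumption: the practice's own domain
TRUSTED_DOMAINS = {"example-billing-partner.com"}    # assumption: partners with a signed BAA
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com",
                    "outlook.com", "icloud.com", "aol.com"}

# Constructed sample of three files as files.list would describe them.
SAMPLE_FILES = [
    {"id": "f1", "name": "intake-forms-2026", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "frontdesk@example-clinic.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f2", "name": "billing-export-march", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "billing@example-clinic.com"},
        {"type": "user", "role": "writer", "emailAddress": "coder@example-billing-partner.com"},
        {"type": "user", "role": "reader", "emailAddress": "newclinician@gmail.com"},
    ]},
    {"id": "f3", "name": "staff-schedule", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "office@example-clinic.com"},
        {"type": "domain", "role": "reader", "domain": "example-clinic.com"},
        {"type": "group", "role": "reader", "emailAddress": "ortho-team@some-hospital.org"},
    ]},
]


def _domain_of(perm):
    """Domain a permission grants to: the domain field, or the email's domain part."""
    if perm.get("domain"):
        return perm["domain"].lower()
    email = perm.get("emailAddress", "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def classify_permission(perm):
    """Return a finding label for one permission entry, or None if it is acceptable.

    Order matters: a link anyone can open is worse than a share to a named
    consumer account, which is worse than a share to an unknown domain.
    """
    if perm.get("type") == "anyone":
        # allowFileDiscovery=True additionally lets search engines index the file.
        return "public-link-indexed" if perm.get("allowFileDiscovery") else "public-link"
    domain = _domain_of(perm)
    if domain in ORG_DOMAINS:
        return None
    if domain in CONSUMER_DOMAINS:
        return "consumer-account"
    if domain in TRUSTED_DOMAINS:
        return None
    return "untrusted-external"


def audit_files(files):
    """Return a list of findings: which file, which grantee, and why it is a problem."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            label = classify_permission(perm)
            if label is None:
                continue
            findings.append({
                "file_id": f["id"],
                "file": f["name"],
                "grantee": perm.get("emailAddress") or perm.get("domain") or "anyone with the link",
                "role": perm.get("role"),
                "finding": label,
            })
    return findings


if __name__ == "__main__":
    for r in audit_files(SAMPLE_FILES):
        print(f"{r['finding']:20} {r['file']:24} {r['grantee']:40} ({r['role']})")
```

Each finding carries the file ID and the grantee, which is what a permissions.delete call needs for remediation, and the list itself is the evidence trail the documentation step asks for. Run it before the policy change to size the cleanup and again afterwards to prove it is done; a permission granted to a consumer address is the same disclosure whether the practice knew about it or not.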
How Do Google Marketplace Apps Create HIPAA Violations?
Google’s BAA covers only Core Services (Gmail, Calendar, Drive, Docs, Sheets, Slides, Forms, Chat, Meet, Vault, and the other services on Google’s published Core Services list), and each third-party Marketplace app that accesses PHI without its own BAA creates a separate HIPAA violation under 164.308(b)(1) [Google BAA Section 1.4].
A practice signs the BAA with Google. The office manager installs a free PDF signing tool and a scheduling widget from the Marketplace. Both tools request access to Google Drive. Both tools now process PHI. Neither vendor has signed a BAA with the practice.
Two new HIPAA violations. One for each vendor.
Auditing Marketplace Apps
Open Apps > Google Workspace Marketplace apps in the Admin Console and review every installed application. Then open Security > Access and data control > API controls > Manage third-party app access, which also lists OAuth apps that individual users authorized outside the Marketplace. For each app with access to Drive, Gmail, or Calendar data, verify the vendor has signed a separate BAA with your organization. If the vendor does not offer a BAA, uninstall the application and revoke its access immediately.
Restrict future installations to admin-approved applications only. Set Marketplace settings to allow only allowlisted apps. This prevents staff from granting PHI access to unvetted vendors through self-service installation.
1. Export the list of installed apps from Admin Console > Apps > Google Workspace Marketplace apps, and the list of authorized third-party OAuth apps from Security > Access and data control > API controls.
2. Cross-reference each app against your BAA inventory. Flag any app with Drive, Gmail, or Calendar scopes and no signed BAA.
3. Uninstall non-compliant apps within 48 hours and revoke the OAuth grants individual users gave them.
4. Set Marketplace permissions to allow only the apps on your allowlist so staff cannot reintroduce the problem through self-service installation [164.308(a)(4)].
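Step 2 above is a join between two lists, and doing it by hand from the Marketplace page misses the grants individual users made. The script below is an added example written for this article, not Google’s code or a Marketplace feature: it takes token records in the shape the Admin SDK Directory API’s tokens.list returns for each user (clientId, displayText, scopes, userKey), decides which grants reach Drive, Docs, Gmail, or Calendar data, and reports the apps that hold such scopes without an entry in the practice’s BAA inventory. The token records, the BAA inventory keyed by OAuth client ID, and every app and client name are constructed for the example.

```python
"""Cross-reference OAuth grants to third-party apps against the BAA inventory.

Each record mirrors an item from the Admin SDK Directory API tokens.list call
(clientId, displayText, scopes, userKey), which lists every third-party app a
given user has authorized, whether it came from the Marketplace or elsewhere.
The token records and the BAA inventory below are constructed for this example.
"""

# Scopes that put an app in the PHI path. drive.file and the metadata scopes are
# included on purpose: a file picked by a user, or a filename, is still PHI.
PHI_SCOPE_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/documents",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/gmail",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/calendar",
)

# Assumption: the practice keeps its signed BAAs keyed by OAuth client ID.
BAA_INVENTORY = {
    "1111-billing.apps.googleusercontent.com": "Billing Partner LLC (BAA signed 2025-02-10)",
}

# Constructed sample: tokens.list output for three users, flattened into one list.
SAMPLE_TOKENS = [
    {"userKey": "office@example-clinic.com", "clientId": "2222-pdfsign.apps.googleusercontent.com",
     "displayText": "QuickSign PDF", "scopes": ["https://www.googleapis.com/auth/drive",
                                                 "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "frontdesk@example-clinic.com", "clientId": "2222-pdfsign.apps.googleusercontent.com",
     "displayText": "QuickSign PDF", "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"userKey": "office@example-clinic.com", "clientId": "3333-sched.apps.googleusercontent.com",
     "displayText": "Scheduler Widget", "scopes": ["https://www.googleapis.com/auth/calendar.events"]},
    {"userKey": "billing@example-clinic.com", "clientId": "1111-billing.apps.googleusercontent.com",
     "displayText": "Billing Partner Sync", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "frontdesk@example-clinic.com", "clientId": "4444-weather.apps.googleusercontent.com",
     "displayText": "Weather Bar", "scopes": ["https://www.googleapis.com/auth/userinfo.profile"]},
]


def phi_scopes(scopes):
    """Return the subset of granted scopes that reach Drive, Docs, Gmail, or Calendar data."""
    return [s for s in scopes if s.startswith(PHI_SCOPE_PREFIXES)]


def audit_tokens(tokens, baa_inventory):
    """Group grants by app and return the apps that touch PHI without a BAA.

    Each result lists every user who authorized the app, so revocation
    (tokens.delete per user, then the Marketplace uninstall) can be tracked to
    completion rather than stopping at the first account found.
    """
    by_app = {}
    for t in tokens:
        risky = phi_scopes(t.get("scopes", []))
        if not risky:
            continue                      # profile-only grants are out of scope
        if t["clientId"] in baa_inventory:
            continue                      # covered by a signed BAA
        app = by_app.setdefault(t["clientId"], {
            "client_id": t["clientId"],
            "app": t.get("displayText", t["clientId"]),
            "users": [], "scopes": set(),
        })
        app["users"].append(t["userKey"])
        app["scopes"].update(risky)
    # Widest blast radius first, then by name for a stable report.
    return sorted(by_app.values(), key=lambda a: (-len(a["users"]), a["app"]))


if __name__ == "__main__":
    for a in audit_tokens(SAMPLE_TOKENS, BAA_INVENTORY):
        print(f"{a['app']}: {len(a['users'])} user(s), scopes={sorted(a['scopes'])}")
```

The scope match is deliberately broad: drive.file and drive.metadata.readonly are narrower than full Drive access, but a filename such as a patient’s name is itself PHI, and a user-picked file is whatever the user picked. Revocation is per user (tokens.delete for each userKey in the finding) followed by the Marketplace uninstall and the allowlist change from step 4; the finding keeps every user so the work can be tracked to completion.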
Services the BAA Does Not Cover
Google classifies its products as Core Services and Additional Services, and the BAA covers Core Services only [Google BAA Section 1.4]. Additional Services include YouTube, Google Maps, and Blogger, among others; Google publishes the current list alongside the Core Services list.
A physical therapy practice records patient exercise demonstrations and uploads them to YouTube as unlisted videos. YouTube is an Additional Service. The BAA does not cover it. Each video containing identifiable patient information constitutes a violation regardless of the video’s privacy setting.
Review Google’s Core Services list before using any Google product for PHI. If a service is not listed as Core, treat it as non-compliant for PHI purposes.
1. Download Google’s current Core Services list and include it in your HIPAA documentation.
2. Audit all Google services in use across your organization. Flag any Additional Service used with PHI.
3. Migrate PHI workflows off Additional Services to Core Services or to third-party tools with signed BAAs.
4. Train staff on the distinction between Core and Additional Services during annual HIPAA training [164.308(a)(5)].
Google Drive is technically capable of HIPAA compliance. Most practices using it are not compliant. The failure point is not the platform. It is the configuration gap between signing the BAA and actually applying the four mandatory settings. Sign the BAA, lock down sharing, enforce 2FA, audit your Marketplace apps, and document every step. The platform works. The defaults do not.
Frequently Asked Questions
Does the Google BAA cover Google Calendar?
Yes. Google Calendar is a Core Service included in the BAA [Google BAA Section 1.4]. The BAA covers the practice’s Calendar data, not the patient’s inbox: an invitation or reminder sent to a patient’s personal email address leaves the covered environment the moment it is delivered. Keep diagnoses, procedures, and other sensitive PHI out of event titles, descriptions, and notification emails, and limit what patients receive to date, time, and location.
Does the Google BAA cover YouTube?
No. YouTube is an Additional Service and is excluded from the Google Workspace HIPAA BAA [Google BAA Section 1.4]. Do not upload patient videos, identifiable exercise recordings, or any other PHI to YouTube; the unlisted and private settings do not change the contractual position.
Does encrypting files make a free Google account HIPAA-compliant?
Client-side encryption does not make a free Google account HIPAA-compliant. HIPAA requires a BAA with any vendor that creates, receives, maintains, or transmits PHI on the practice’s behalf [164.502(e)], and the requirement attaches to the service relationship, not to the encryption status of individual files. Google also holds file metadata (filenames, timestamps, sharing records, access logs) regardless of what is done to the file contents, and a filename containing a patient’s name is itself PHI.
What happens if a staff member shares PHI via a public Drive link?
A link that anyone can open is an impermissible disclosure under the Privacy Rule [164.502(a)] and is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised [164.402(2)]. First revoke the link. Then pull the Drive audit log for that file (Reporting > Audit and investigation > Drive log events): the assessment turns on who actually opened it, and the log is the only evidence of that. If nobody outside the organization accessed the file, the assessment can reasonably conclude a low probability of compromise and notification is not required. If unauthorized individuals did access it, individual notification and HHS reporting apply [164.404, 164.408].
Does Google encrypt Drive files at rest?
Google encrypts Drive data at rest by default (Google documents AES-256 for data at rest) and in transit with TLS, with no administrator configuration required [Google Security Whitepaper]. That covers the addressable encryption specification at 164.312(a)(2)(iv) for data inside Google’s systems. It does nothing for copies that leave them: offline caches, downloads, or files reachable through an open link.
How often should Marketplace apps be audited for BAA compliance?
Audit Marketplace apps quarterly. Staff install new apps between review cycles. Each installation creates a potential BAA gap if the app accesses PHI. Quarterly reviews align with the HIPAA requirement for periodic technical evaluation [164.308(a)(8)].
Does the BAA cover mobile access to Google Drive?
The Google Workspace BAA covers Drive as a Core Service regardless of access method (web, desktop client, mobile app, API). The device holding the data is the organization’s responsibility under the Security Rule’s device and media controls [164.310(d)(1)]: enforce passcodes, enable remote wipe through Workspace endpoint management, and block or limit data caching on unmanaged devices.
Is Google Workspace HIPAA-compliant out of the box?
Google Workspace is not HIPAA-compliant out of the box. It requires BAA acceptance plus the four admin console configurations described above before it meets the Security Rule; the default sharing, authentication, and offline access settings do not. Compliance is a configuration exercise, not a purchasing decision.