The most common HIPAA violation I encounter during healthcare practice assessments is the one nobody suspects. Not missing encryption. Not absent multi-factor authentication (MFA). A therapist, office manager, or billing coordinator sending patient intake forms through a personal @gmail.com Google Drive account. The practice has processed hundreds of patient records through the account for years. Nobody questioned it because Google Drive “has encryption.”
Google does not sign a Business Associate Agreement (BAA) for free consumer accounts. Every patient record transmitted through a personal Gmail or free Drive account constitutes an impermissible disclosure of protected health information (PHI) under the Privacy Rule (45 CFR 164.502(a)). When a practice had access to a BAA-eligible alternative and chose not to use it, OCR may treat the conduct as willful neglect under the culpability tiers at 45 CFR 160.404(b)(2)(iii) and (iv); willful neglect is defined at 45 CFR 160.401. The violation is structural, not behavioral. No amount of internal policy changes makes a free account HIPAA-eligible.
Google Drive supports HIPAA compliance on Workspace Business Standard, Business Plus, and Enterprise editions with a signed BAA and four admin console configurations most practices skip.
Yes, HIPAA requires a BAA for Google Drive when storing or transmitting PHI (45 CFR 164.308(b)(1); 164.502(e)). Google signs BAAs only for Workspace Business Standard, Business Plus, and Enterprise editions. Free accounts and Business Starter are ineligible. Signing the BAA alone is insufficient. Four admin console configurations must be applied before the account is compliant.
Why Free Google Accounts Violate HIPAA
Free Google accounts (@gmail.com) are consumer products. OCR classifies deliberate use of a free account for electronic PHI (ePHI), when a BAA-eligible alternative was available, as willful neglect under 45 CFR 160.404(b)(2)(iii) (willful neglect corrected within 30 days) or 160.404(b)(2)(iv) (willful neglect not timely corrected). The 2026 inflation-adjusted penalty ranges, effective January 28, 2026 (Federal Register, Jan 28, 2026; HHS 2019 Notification of Enforcement Discretion, 84 FR 18151): Tier 3 willful neglect corrected: $14,602 to $73,011 per violation (annual enforcement-discretion cap $365,052); Tier 4 willful neglect not corrected: $73,011 to $2,190,294 per violation (annual enforcement-discretion cap $2,190,294). Google’s Terms of Service for consumer accounts reserve the right to process data for advertising purposes. Google does not sign a Business Associate Agreement for these accounts under any circumstances, per Google’s HIPAA Implementation Guide for Workspace (support.google.com/a/answer/3407054).
No combination of encryption, two-factor authentication, or internal security policies fixes this. The account lacks the contractual framework HIPAA demands at 164.502(e). Without a BAA-eligible plan, the gap is legal, not technical.
The most common scenario: a practice hires a new clinician and tells them to use their personal Gmail until a workspace license is purchased. One patient file stored in the account creates an immediate violation. Every file after compounds the exposure.
The audit fix. 1. Audit every email address accessing PHI across your organization. Flag any @gmail.com, @yahoo.com, or other consumer email accounts. 2. Migrate all PHI from consumer accounts to a BAA-eligible Workspace edition within 30 days. 3. Document the migration date, the accounts remediated, and the data transferred. Retain this evidence for OCR inquiries under the Security Rule documentation standard (45 CFR 164.316(b)(2)(i)) and the Privacy Rule documentation standard (45 CFR 164.530(j)).
Which Workspace Tiers Support a BAA
Google restricts BAA eligibility to specific Workspace editions. Business Standard is the minimum BAA-eligible tier; verify current pricing at workspace.google.com/pricing. The distinction trips up small practices purchasing the lowest-cost plan without checking compliance eligibility. Business Starter and all consumer Gmail accounts are permanently ineligible, regardless of how you configure them.
| Workspace Edition | BAA Eligible | HIPAA Status |
|---|---|---|
| Free / Personal | No | Never compliant. No BAA available. |
| Business Starter | No | Upgrade to Standard required. |
| Business Standard | Yes | Compliant with configuration. |
| Business Plus | Yes | Compliant with configuration. |
| Enterprise | Yes | Compliant. Advanced security controls. |
Business Starter costs less per user but excludes BAA eligibility, Vault for data retention, and advanced endpoint management. Practices running Business Starter with PHI in Drive operate in continuous violation regardless of internal security measures.
How to Locate and Accept the BAA
Google does not surface the BAA in the billing dashboard or account overview. The agreement is buried in the Admin Console under legal terms.
Log in to admin.google.com as a Super Admin. Open Account > Legal and Compliance. Locate Security and Privacy Additional Terms. Select Google Workspace/Cloud Identity HIPAA Business Associate Amendment. Click Accept.
If the HIPAA amendment does not appear, the account is on an ineligible tier. Upgrade to Business Standard or higher before proceeding.
The audit fix. 1. Verify your Workspace edition supports BAA acceptance (Business Standard, Business Plus, or Enterprise). 2. Accept the BAA through Admin Console > Account > Legal and Compliance. 3. Screenshot the accepted BAA with the acceptance date visible. Store this screenshot in your HIPAA compliance documentation. Auditors typically request BAA evidence during assessments; retain documentation under 45 CFR 164.316(b) (Security Rule documentation standard).
What Four Configurations Are Mandatory After Signing the BAA?
Signing the BAA is the legal prerequisite. It does not change a single technical setting. Google’s own HIPAA Implementation Guide lists specific configurations required after BAA acceptance. Most practices sign the BAA and stop. Auditors do not.
Restrict External Sharing
Open the Admin Console. Go to Apps > Google Workspace > Drive and Docs > Sharing settings. Set sharing to “On, Trusted Domains Only.” This prevents staff from sharing patient files with personal @gmail.com addresses or external parties without organizational approval.
The default Workspace setting allows sharing with anyone. A single employee generating a public link to a patient folder creates an unencrypted, publicly accessible copy of PHI.
Enforce Two-Factor Authentication
Open Security > 2-Step Verification. Set enforcement to On for the entire organization. Disable the grace period for new users. The Security Rule’s Person or Entity Authentication standard (45 CFR 164.312(d)) requires verifying that a person seeking access is who they claim to be. The January 6, 2025 HIPAA Security Rule NPRM (90 FR 898) proposes mandatory MFA; the current rule does not specify authentication method, but industry practice for ePHI systems has converged on MFA as the practical baseline for any BAA-covered environment.
Disable Offline Access
Go to Apps > Google Workspace > Drive and Docs > Features and Applications. Turn off Offline. Offline access caches patient files on local devices. A stolen laptop with cached offline files contains unencrypted PHI outside Google’s security perimeter. The BAA does not cover data stored on the user’s local machine.
Disable Link Sharing Defaults
Under Drive and Docs > Sharing settings > Link sharing default, set to Off. Users should share files by inviting specific email addresses, not generating open links. Open links create persistent access the organization loses the ability to track or revoke.
The audit fix. 1. Restrict external sharing to trusted domains only in Admin Console > Drive and Docs > Sharing settings. 2. Enforce 2FA organization-wide with no grace period. 3. Disable offline access for all organizational units handling PHI. 4. Set link sharing default to Off. Document each configuration change with a screenshot and the date applied. Retain evidence in your SaaS compliance documentation file under 45 CFR 164.316(b) (Security Rule documentation retention standard).
How Do Google Marketplace Apps Create HIPAA Violations?
Google’s BAA covers only Core Services (Drive, Gmail, Calendar, Chat, Meet, Docs), and each unauthorized third-party Marketplace app accessing PHI creates a separate HIPAA violation under 164.308(b)(1), per the Google Workspace HIPAA BAA (Section 1, Definitions, and Attachment 1; full covered-services scope available at support.google.com/a/answer/3407054).
A practice signs the BAA with Google. The office manager installs a free PDF signing tool and a scheduling widget from the Marketplace. Both tools request access to Google Drive. Both tools now process PHI. Neither vendor has signed a BAA with the practice.
Two new HIPAA violations. One for each vendor.
Auditing Marketplace Apps
Open Apps > Google Workspace Marketplace Apps in the Admin Console. Review every installed application. For each app with access to Drive, Gmail, or Calendar data, verify the vendor has signed a separate BAA with your organization. If the vendor does not offer a BAA, uninstall the application immediately.
Restrict future installations to admin-approved applications only. Set Marketplace settings to allow only allowlisted apps. This prevents staff from granting PHI access to unvetted vendors through self-service installation.
The audit fix. 1. Export a list of all installed Marketplace apps from Admin Console > Apps > Marketplace Apps. 2. Cross-reference each app against your BAA inventory. Flag any app accessing Drive, Gmail, or Calendar without a signed BAA. 3. Uninstall non-compliant apps within 48 hours. 4. Set Marketplace permissions to “Allow only specific apps” to prevent unauthorized installations (45 CFR 164.308(a)(4)).
Services the BAA Does Not Cover
Google classifies its products as Core Services and Additional Services, and the BAA covers Core Services only, per the Google Workspace HIPAA BAA (Section 1, Definitions, and Attachment 1). Additional Services include YouTube, Google Maps, Blogger, and Google Groups (in certain configurations).
A physical therapy practice records patient exercise demonstrations and uploads them to YouTube as unlisted videos. YouTube is an Additional Service. The BAA does not cover it. Each video containing identifiable patient information constitutes a violation regardless of the video’s privacy setting.
Review Google’s Core Services list before using any Google product for PHI. If a service is not listed as Core, treat it as non-compliant for PHI purposes. The full covered-services scope is documented in the Google Workspace HIPAA BAA and its Attachment 1 (support.google.com/a/answer/3407054).
The audit fix. 1. Download Google’s current Core Services list and include it in your HIPAA documentation. 2. Audit all Google services in use across your organization. Flag any Additional Services used with PHI. 3. Migrate PHI workflows off Additional Services to Core Services or third-party tools with signed BAAs. 4. Train staff on the distinction between Core and Additional Services during annual HIPAA training (45 CFR 164.308(a)(5)).
Google Drive is technically capable of HIPAA compliance. Most practices using it are not compliant. The failure point is not the platform. It is the configuration gap between signing the BAA and actually applying the four mandatory settings. Sign the BAA, lock down sharing, enforce 2FA, audit your Marketplace apps, and document every step. The platform works. The defaults do not.
Frequently Asked Questions
Does the Google BAA cover Google Calendar?
Yes. Google Calendar is a Core Service included in the BAA, per the Google Workspace HIPAA BAA (Section 1, Definitions, and Attachment 1). Calendar notifications sent to patients via email must not contain sensitive PHI in the subject line or body unless the email connection uses enforced TLS.
Does the Google BAA cover YouTube?
YouTube is classified as an Additional Service and is excluded from the Google Workspace HIPAA BAA, regardless of video privacy settings or access restrictions, per the Google Workspace HIPAA BAA (Section 1 and Attachment 1; support.google.com/a/answer/3407054). Do not upload patient videos, identifiable exercise recordings, or any PHI to YouTube regardless of privacy settings.
Does encrypting files make a free Google account HIPAA-compliant?
Client-side encryption does not make a free Google account HIPAA-compliant. HIPAA requires a BAA with any vendor maintaining PHI (45 CFR 164.308(b)(1); 164.502(e)), and Google retains file metadata (filenames, timestamps, access logs) on its servers regardless of client-side encryption. The BAA requirement applies to the service relationship, not the encryption status of individual files.
What happens if a staff member shares PHI via a public Drive link?
A publicly accessible link containing PHI constitutes an impermissible disclosure under the Privacy Rule (45 CFR 164.502(a)). The incident requires a risk assessment under the Breach Notification Rule (45 CFR 164.402). If the assessment determines a low probability of compromise, notification is not required. If the link was accessed by unauthorized individuals, patient notification applies (45 CFR 164.404); if 500 or more individuals in a single state are affected, media notification applies (45 CFR 164.406); HHS Secretary notification applies in all breach cases (45 CFR 164.408).
Does Google encrypt Drive files at rest?
Google encrypts all Drive data at rest using AES-256 encryption by default. This satisfies the addressable Encryption and Decryption implementation specification at 45 CFR 164.312(a)(2)(iv) [Google Security Whitepaper]. Note that 164.312(a)(2)(iv) is an addressable specification: the current Security Rule is technology-neutral and does not mandate a specific cipher. HHS guidance and NIST SP 800-111 establish AES as the practical baseline. The encryption is automatic and requires no configuration by the Workspace administrator.
How often should Marketplace apps be audited for BAA compliance?
Audit Marketplace apps quarterly. Staff install new apps between review cycles. Each installation creates a potential BAA gap if the app accesses PHI. Quarterly reviews align with the HIPAA requirement for periodic technical evaluation (45 CFR 164.308(a)(8)).
Does the BAA cover mobile access to Google Drive?
The Google Workspace BAA covers Drive as a Core Service regardless of access method (desktop, mobile, API). The compliance obligation shifts to the organization’s mobile device management: enforce passcodes, enable remote wipe, and restrict data caching on unmanaged devices (45 CFR 164.312(d), Person or Entity Authentication).
Is Google Workspace HIPAA-compliant out of the box?
Google Workspace is not HIPAA-compliant out of the box and requires manual BAA acceptance plus four specific admin console configurations before it meets Security Rule requirements. The default sharing, authentication, and offline access settings do not satisfy the Security Rule. Compliance is a configuration exercise, not a purchasing decision.
Subscribe to The Authority Brief for next week’s analysis.