Google BAA

HIPAA Compliance with a Google BAA


Google's G Suite apps are commonly used by behavioral health professionals to run their practices, but when it comes to signing a proper Google BAA there are some major misunderstandings in the market.

BAA stands for Business Associate Agreement. A BAA is a contract required by the HIPAA regulations whenever a covered entity (such as a behavioral health practice) lets a vendor, the business associate, create, receive, maintain, or transmit protected health information (PHI) on its behalf. The BAA must be executed before any PHI is shared with that vendor. PHI is individually identifiable health information: information about a patient's health, treatment, or payment combined with any data element that can identify the patient, such as names, addresses, dates of birth, full-face photos, Social Security numbers, financial account information, insurance ID numbers, and medical records, to name a few.

G Suite Services is the common name for the Google apps used by business owners, including Gmail, Google Drive, and Google Calendar. Behavioral health professionals who use these services to handle, store, or otherwise come into contact with PHI in any way must execute a BAA with Google. Note that Google's BAA covers only the specific services it lists as covered; PHI should not be placed in Google services that the agreement does not cover.

Signing a Google BAA

Because of the scope of information that can be stored in G Suite apps, it’s essential that you execute a Google BAA. Like many other cloud service providers, Google will sign a BAA if certain requirements are met.

Google makes its BAA available to paid business customers. Google Apps for Business (the paid edition of Google's services, later renamed G Suite) is distinct from the free consumer version commonly used for personal email; free consumer accounts are not eligible for a BAA and cannot be used for PHI. If your organization pays Google for its business services, your organization's administrator can review and accept the BAA from the Google Admin console.

Signing the BAA is not the end of the job. Once it is in place, your organization must configure its G Suite services so that PHI is actually protected: for example, turning off services the BAA does not cover, restricting how Drive files can be shared outside the organization, requiring 2-Step Verification for all users, and controlling which devices can access accounts. A BAA allocates legal responsibility between you and Google; it does not by itself make a misconfigured account HIPAA compliant.

For more information on exactly how to make your G Suite Services and Gmail HIPAA compliant, click to read this HIPAA educational whitepaper!
