The Cloud: Google Apps for Business and HIPAA Compliance

December 18, 2013 | By Lawrence J. Tabas

Does your company use Google Apps for Business? Are you a health care provider, health plan, or health care clearinghouse (“Covered Entity” or “Covered Entities”) subject to the Health Insurance Portability and Accountability Act (“HIPAA”)? If you answered yes to these questions, you may need a business associate agreement (“BAA”) with Google. The information below applies only if the Covered Entity is paying Google to use premium Google Apps for Business.

Google posted its new BAA policy in September 2013 to comply with the HIPAA Omnibus Final Rule, effective since March 26, 2013 (the “HIPAA Final Rule”). Google now requires Covered Entities using Google Apps for the storage of protected health information (“PHI”) to sign a BAA.

The HIPAA Final Rule made clear that the definition of business associate includes cloud service providers, which are entities that provide off-site storage and computing services through the internet. Google Apps for Business falls within the expanded definition of a business associate; for a fee, it gives users access to Google’s “cloud-based productivity suite,” including Gmail, Google Calendar, Google Drive, and the Google Apps Vault (collectively, “Google Apps”), to manage their businesses.

Previously, cloud service providers allegedly fell into the “conduit exception” to the HIPAA requirements. The exception, which exempts certain entities from signing BAAs (like wireless carriers and delivery companies possessing PHI for transitory periods as “conduits”), was narrowed in the HIPAA Final Rule. Cloud service providers maintaining PHI as part of their services are now considered business associates under the HIPAA Final Rule, meaning that Covered Entities must have a BAA with such providers.  This is true even where the cloud service provider is not accessing any of the PHI stored on its system.

Google places the burden on the user of Google Apps to decide whether it is subject to the HIPAA Final Rule and if it is using Google Apps for PHI storage. Google requires that Covered Entities verify to Google that they are subject to the requirements of the HIPAA Final Rule and are using Google Apps to store PHI before allowing covered entities to electronically sign a BAA.

Google states that customers who do not have a BAA with Google are not permitted to use Google Apps for storage of PHI.

If your business is using “Standard Edition Google Apps”—in other words, Google’s free services, like Gmail—to send or store PHI, you should be aware that Google does not offer BAAs in conjunction with such use. Health care professionals and entities using free Google products should review their procedures and policies to ensure that such use is compliant with the HIPAA Final Rule.

To read more about Google’s policy and review the Google BAA, visit:

Categorized In: Business Associates, HIPAA, Privacy

About the Authors

Lawrence J. Tabas


Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...

Read More by Author