

  • For healthcare organizations wishing to make Google Workspace HIPAA compliant, the first step is to enter a Business Associate Agreement (BAA) with Google.
  • Don’t be fooled into thinking the BAA equals HIPAA compliance, though. As Google notes, the platform “must be configured by IT administrators to ensure that PHI is properly protected.”
  • To protect PHI and uphold compliance, organizations should therefore look to cloud-based data loss prevention (DLP) tools like Polymer DLP, which intelligently secure PHI within Google Workspace.

Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must put in place specific controls to protect the confidentiality, integrity and availability of protected health information (PHI). 

However, complying with HIPAA today is much more complex than it was twenty years ago. As Congress recently noted, “advances in electronic technology could erode the privacy of health information.”

One such electronic technology is the cloud and, more specifically, Google Workspace. Below, we’ll explore what HIPAA says about using cloud apps like Google Workspace and how to make the solution HIPAA compliant.

What does HIPAA say about cloud applications?

Two HIPAA rules specifically mention healthcare data in cloud environments: the Security Rule and the Privacy Rule. 

The Security Rule was enacted in 2005 and contains numerous clauses that govern how organizations should store, collect and handle electronic PHI (ePHI). Its safeguards fall into three categories:

  • Administrative: Focuses on the policies and procedures that safeguard against a data breach, including documentation processes, roles and responsibilities, training and data practices.
  • Physical: Ensures that data is physically secure using measures such as CCTV, secure computer locations and manual measures like locked doors and windows.
  • Technical: Focuses on the technology solutions and procedures that prevent data from being maliciously or improperly accessed. Implementations include encryption, regular auditing and multi-factor authentication.

There’s also the HIPAA Privacy Rule to consider, which was enacted in 2003. The Privacy Rule cements a definition of PHI and enforces strict rules that organizations must follow to prohibit the unauthorized disclosure of PHI and ePHI. 

As part of this, the Privacy Rule mandates that organizations must protect ePHI with appropriate technical controls while also limiting user access to a need-to-know basis. It also introduces the “Minimum Necessary Rule”, under which healthcare providers can only disclose PHI or ePHI within very limited circumstances, unless for the purpose of treatment.

Lastly, there is the Health Information Technology for Economic and Clinical Health (HITECH) Act, which came into force in 2013. The act strengthened the privacy and security provisions of HIPAA within the digital landscape. 

All of these rules coalesce to create a stringent and complex set of standards that healthcare companies must adhere to when using cloud applications like Google Workspace, Slack and Teams. 

Is the cloud a good idea for healthcare organizations? 

All healthcare organizations know that the breach penalties for HIPAA violations can be severe, so much so that they may hesitate to harness the power of cloud applications like Google Workspace.

Ultimately, though, healthcare companies should remember that the cloud presents a fantastic opportunity in a number of ways: it enables organizations to deliver higher levels of patient care while reducing costs, and to embrace innovative devices like digital-driven pacemakers and virtual reality that enhance healthcare outcomes.

Beyond that, from an efficiency and productivity perspective, the seamlessness of cloud apps like Google Workspace empowers healthcare employees to work smarter; for example, enabling them to check their workload on any device at any time.

With so much to gain from the cloud, it’s clear that healthcare companies must keep up with the pace of change. However, securing PHI and abiding by HIPAA must be an integral focal point of any cloud transformation strategy. 

After all, the very nature of the cloud makes accessing, sharing and transferring data much easier than ever before. Under federal law, PHI must remain secure, accessed only by authorized users for legitimate reasons.

The good news, though, is that the likes of Google Workspace can be made HIPAA compliant, as long as you have the right tools and policies at your disposal. 

How to make Google Workspace HIPAA compliant?

Google has publicly said that Google Workspace can be made compatible with HIPAA, and therefore suitable for storing PHI. However, it’s vital to note that the solution is not HIPAA-compliant by default. 

For healthcare organizations that wish to make Google Workspace HIPAA compliant, the first step is to enter a Business Associate Agreement (BAA) with Google. Under Google’s BAA, PHI is only allowed in a subset of Google services, known as “included functionality” within the BAA.

These services are: Gmail, Google Drive (including Docs, Sheets, Slides, and Forms), Google Calendar, Google Sites, and Google Apps Vault.

Remember that, even after you’ve signed a BAA with Google, these services are not automatically safe for PHI. As Google itself notes, these tools “must be configured by IT administrators to help ensure that PHI is properly protected.”

And herein lies the most important aspect of HIPAA compliance and cloud services like Google Workspace: the cloud’s shared responsibility model. As the industry magazine HIPAA Journal recently noted:

“There is no such thing as a HIPAA-compliant cloud drive as no cloud server can be truly HIPAA compliant. HIPAA compliance depends on the actions of the people. Even if appropriate security is used to secure data in the cloud, if healthcare organizations misconfigure settings or do not implement appropriate access controls, the HIPAA Security Rule could easily be violated.”

Reinforcing this is Google’s own phrasing about HIPAA compliance and Google Workspace. It explains that “customers are responsible for ensuring that they use Google services in compliance with HIPAA. Customers are responsible for fulfilling an individual’s right of access, amendment, and accounting in accordance with the requirements under HIPAA.” 

Upholding HIPAA Compliance in Google Workspace 

So, while it’s quite straightforward for healthcare organizations to make Google Workspace technically HIPAA compliant with a BAA, upholding the security, availability and integrity of PHI in this solution is a whole other matter. 

Healthcare organizations need a tool that helps them discover, classify and protect PHI in both unstructured and structured formats in the cloud, reducing any chances of data leakage, theft or unauthorized access. 

Enter cloud data loss prevention (DLP) tools like Polymer DLP. Using APIs, our tool extends data protection outside of the corporate network and directly into SaaS applications like Google Workspace, empowering you with much-needed control and visibility over where PHI is and who is attempting to access it.

Here’s how cloud DLP can help you meet HIPAA requirements in Google Workspace:

Autonomous compliance

Using pre-defined HIPAA policy templates, our solution seamlessly monitors your Google Workspace environment to ensure that PHI stays secure at all times.

Harnessing the power of natural language processing, our tool seamlessly and intelligently redacts unstructured, in-motion PHI across your cloud environment. From there, it ensures that only trusted users interact with this data in a compliant way, preventing accidental data leakage or data theft.

Real-time threat detection 

Moving beyond data, next-generation DLP solutions are also contextually aware. This means that they can protect against insider threats by spotting and responding to suspicious activity in real time.

For example, suppose a user attempts to download a patient’s file without authorization. In that case, the DLP solution will block the action and alert the IT team at the same time so they can review the request in more detail. Rather than being on the back foot and responding to breaches when it’s too late, your team can become proactive security guardians.

Boost security awareness

Polymer DLP helps your employees become more security-conscious. It integrates nudges and reminders into the daily workflow, highlighting to users when they are about to take a ‘risky’ security action. Over time, these reminders can help build a security-focused culture in your organization.

Seamless auditing

Polymer DLP will monitor, record and log the data journey of your PHI. Not only does this help your healthcare IT team to make security improvements, but it also makes the auditing process much more accessible: the hard work is already done for you!

Enhance Google Workspace security today 

Polymer DLP is well-placed to help you meet HIPAA requirements. Our solution identifies, alerts and secures sensitive healthcare data in real time over chats, file storage platforms, ticketing systems and codebases. Learn more about Polymer for Google Workspace today.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.