Is your Google Workspace HIPAA compliant? Not necessarily.
A note from Brie: This blog was originally written on April 24, 2026. Software is constantly updated, so parts of this post may become outdated. It is meant to be informative and helpful, not the end-all, be-all. Please use the links within this blog to make sure everything is still up to date!
If you’ve ever talked to a Boss Co team member, you know that we are BIG Google Workspace fans. It connects your practice together, it’s seamless, it’s fairly intuitive, and they actually update things (looking at you, Microsoft). We especially love it for large and small mental health practices alike. Solo practice owner, or a practice owner with a small team and a small budget? You can schedule clients on Google Cal, keep notes in Google Drive, communicate via Google Chat, and see clients via HIPAA-compliant telehealth on Google Meet. Does your mental health group practice have a big team? Share Google Calendars with your team so everyone knows what’s going on, use Google Chat for inter-team communication, and build out databases in Google Sheets and Google Drive.
With anything in your mental health practice, though, you need to make sure you are compliant and your information (and your clients’ information) is safe. This whole blog breaks down the things you need to know (and do) in Google Workspace to have that compliant workspace and peace of mind that you are COVERED.
You ready? Let’s get into it.
The one BIG thing you want to do before doing ANYTHING in Google is sign your BAA. If you’re a newbie business owner or just have no idea what that is (reminder, you don’t know what you don’t know and that’s OKAY):
A BAA is a Business Associate Agreement. It is a legally binding contract that you enter into with any/all third-party vendors who access Protected Health Information (PHI). HIPAA legally mandates that covered entities (like your practice) have a BAA in place with every business associate: contractors like your biller, scheduling team, operations team, etc., software, and anyone/anything else that has access to PHI. At Boss Co, we ensure that we have a BAA in place with every single client we work with - even if we’re not accessing PHI - and we have a BAA with any software we utilize with clients. (We LOVE compliance!)
Google Workspace has a built-in BAA that you can sign (for free) with any paid Workspace account. This does not include personal or free accounts (think anything that ends with @gmail.com). If you still have an @gmail.com email address, it’s time to think about paying the $7/mo for a Workspace account to get protection (and added brand awareness, too!). 10000% worth it.
Check the status of your BAA
If you’re unsure whether you’ve signed your BAA or just want to review it: Click here to log into the Admin app of your Google Workspace account. That link will direct you to the exact section where you’ll find the BAA (just scroll down). If you’re trying to find it on your own, log into the Admin app, click Account > Account Settings > Legal & Compliance, and scroll to the bottom.
This is the exact BAA you will sign.
(as of me writing this on 4/24/2026)
TL;DR, or if legalese is not a language you speak: it’s a whole lot of legal jargon saying that Google won’t disclose PHI, will work to safeguard the info within the parameters of its ability, won’t sell data, yada yada. Have your lawyer look it over and make sure you understand it.
Reminder: NEVER SIGN A LEGAL DOC THAT YOU DON’T UNDERSTAND!
The big thing you need to know, though, and the main reason for this email: not all Google Apps are covered under this BAA. GASP, we know. Cue Stephanie from Full House for you ‘90s babies: How rude!
Knowing what’s included in your Google Workspace BAA
Knowing what’s covered is half the battle. (Refer back to the reminder a couple lines up!!) Don’t worry, we’ve done the work for you.
In the BAA, you’ll see this line: “Covered Services” means the Google products and/or services specifically listed in the URLs on Attachment 1, as may be updated from time to time by Google with notice to Customer. Google may only remove a Covered Service from those URLs with at least 12 months prior notice.
Attachment 1 says: Any Google Workspace product or service specifically identified at THIS LINK as being covered by the Google BAA (collectively “Google Workspace Covered Services”).
If you didn’t click the link, that’s okay, we’ve got you. Below is the list of apps that are included, as of September 30, 2025, which is the last time they updated it:
AppSheet, Apps Script, Cloud Identity Management, Gemini app (excluding Gemini in Chrome), Gemini in Workspace, Gmail, Google Calendar, Google Chat, Google Cloud Search, Google Drive (including Google Docs, Google Forms, Google Sheets, Google Slides, and Google Vids), Google Groups, Google Keep, Google Meet, Google Sites, Google Tasks, Google Vault (if applicable) and Google Voice (managed users only).
That means that (and I’m saying this very loud): NO NEW APPS THAT HAVE LAUNCHED AFTER SEPTEMBER 30, 2025 ARE COVERED UNDER YOUR BAA!
What does that even meeaannnn
Glad you asked. We know that a lot of people use Google Workspace for its core functionality: email, calendar, storage, meetings. The problem with this? Google Workspace will typically roll things out automatically and without your knowledge (or it’s in a very jargon-y email that you look at for 2 seconds and then delete).
Also, there’s a lot of nuance when it comes to what’s covered. Look at the Gemini stuff for example. The Gemini app (their version of ChatGPT/Claude) is technically covered, but you can’t use Gemini within Chrome because that’s not covered, but you can use Gemini in Workspace…. what? Yeah, it’s confusing, even to us.
Have I lost you yet? Have no fear, we’re bringing it back around to actionable steps that will keep your practice safe!
So, now what?
There are FIVE things we want you to do (and frankly, you NEED to do) now and it will only take about 10 minutes.
#1: Check to make sure your BAA is signed.
Here’s that link again. If it’s not, review it (or get your lawyer to) and sign ASAP. The BAA is ONLY applicable from the date you sign it, so any PHI used on Google Workspace prior to that is not covered.
#2: Turn off Early Access Apps.
Is it cool to be one of the first people to access something? Totally. But let’s leave that to the new restaurant down the street or the latest iPhone. You do not need to be accessing apps that aren’t covered by your BAA. It LITERALLY says “These Additional Services are not covered under your Google Workspace agreement, Data Processing Agreement, or HIPAA Business Associate Addendum.” Easy decision. Just do it.
Click this link, uncheck the box and click “Save”.
#3: Change your Release preferences.
Your Workspace account is typically set up to get all the best things as soon as possible. Again, great for other areas of your life, not great for PHI. These settings will automatically turn on new apps in your Workspace and it practically takes a PhD in software engineering to figure out how to turn them off once they’re on.
Click this link to go to your Release preferences.
Hover over New features, click the little pencil to edit, change to “Scheduled release”, and click Save. This will give you the opportunity to learn about the app PRIOR to it being implemented.
Next, hover over New Products, click the little pencil to edit, change to “Turned off when released”, and click Save. This should ensure that new products will NOT be automatically turned on without your consent. (I say should intentionally because software companies always do a hard push at some point - so fun!)
While you’re here, you might as well look at the Notification settings too and turn off any annoying emails that you don’t want to get. Another helpful way to clean up that inbox!
#4: Check out your Gemini settings
Is Gemini for Workspace covered under your BAA? Yes.
Do we know that a lot of therapists want nothing to do with AI? Also, yes.
If you don’t want Gemini turned on at all in your workspace, keep reading. If you are all for (safely) using AI, you can skip to the next one.
Gemini for Workspace: ← Click that link and turn everything off under the “Workspace Intelligence Sources” and “Alpha Gemini features” sections. In the “Conversation history & deletion” section, keep Manual deletion ON and change Auto-deletion to every 90 days. (That part shouldn’t matter since the app is technically off, but I always make sure settings are set with multiple failsafes.)
Gemini App: ← Click that link and turn “Service status” to OFF. Then go under “User access”, uncheck the box and click “Save”. Then go under “Apps” and turn all those off, and so on and so forth with the last two sections. (Remember: failsafes.)
If you have an Enterprise plan within Google Workspace (if you’re not sure, you most likely don’t), you’ll want to turn these settings off too.
#5: Update your Chrome Settings
If you’re a Chrome user, this next section is for you:
There are a whole bunch of places to turn off Gemini within Chrome (and remember, this is the one version of Gemini that is NOT covered under your BAA). Here we go:
#1: AI Innovations: Go into each section and turn everything off.
#2: Site Search: Find Gemini under the “Site search” section, click the three vertical dots and deactivate it.
#3: Experiments: Use CTRL+F (Windows) or CMD+F (Mac) to open your search bar. Type in “AI mode” and press Enter. Everywhere you see this? You guessed it, turn it off. It should be 4 different places.
Still with me? GREAT! Below is even MORE fun tech information for you!
More ways to protect your practice
There are several other best practices that we recommend to keep your Google Workspace and your practice safe. We’re dropping them here for you to implement when you have some more time. The sooner the better! (These are not in order of importance, it’s the order they’re in on the Security settings page in your Admin app.) These policy changes WILL directly affect your team so make sure you’re communicating them ahead of time.
#1: Enforce specific password specifications - we know this can be a pain in the ass but it’s worth it.
Boss Co recommendation: at least 12 characters, enforce the policy at next sign-in, don’t allow password reuse, and choose a password expiration frequency that works for your team (probably no more than every 6 months). → Do it here.
#2: Disable access to less secure apps - You can put all the fancy locks on the front door, but if you leave the back door unlocked, they’re pointless. → Do it here.
#3: Turn on 2-Step Authentication - protect yourself and your team from getting hacked. Period.
Boss Co recommendation: check “Allow users to turn on 2-Step Verification”, set enforcement to “On”, and allow a new-user enrollment period (whatever makes sense in your onboarding process). Allowing users to trust the device is typically fine. Unless you want your entire team to use a specific type of 2FA, any type is fine. Choose what works best for you! → Do it here.
#4: Do not use your Google Workspace as a single sign-on (SSO) for other apps. → Fix it here.
You know how when you sign on to basically any website you have the option to sign in with your username and password or to “use Google to sign in”? Yeah, don’t do that. Allowing those apps to use Google as the SSO is technically safe, but it’s an easy way for hackers to backdoor into your Workspace. Take a peek into your Google account settings to see how many apps you’re using that third-party access for. (Heads up: if you are connecting something like an EHR to Google to sync your calendars, that’s totally fine - keep it!) Anything else where you just really don’t want to deal with a password? Guess what: you need to set that password up. Don’t feel like you have to tackle it all at once - this one can be daunting. Just take them one at a time. (When we switched to not using Google as SSO, I had 34 apps connected. Yikes. 😬) All you need to do is go to each site, turn off Google SSO and set up that password. Then, go back to that link above and “Delete all connections to this app”.
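If you have more than a handful of connected apps, it helps to sort them before you start clicking. The script below is an added example written for this post; it is not Boss Co’s code or Google’s. It assumes you have exported each user’s third-party token records in the shape the Admin SDK Directory API returns from `users.tokens.list` (fields `clientId`, `displayText`, `scopes`, `nativeApp`), and it sorts them into: apps that only use Google for sign-in (set a password, then delete the connection), calendar-only integrations like an EHR sync (fine to keep), and apps holding Gmail, Drive or admin scopes (review whether that vendor has a BAA with you). The app names and client IDs in the sample are constructed and hypothetical; the scope URLs are real Google OAuth scopes.

```python
"""Sort a user's third-party OAuth app connections into review buckets.

Added example, not code from the original post. Input records are assumed to be
shaped like Admin SDK Directory API token resources (users.tokens.list).
"""
from dataclasses import dataclass

# Real Google OAuth scopes that grant access to where PHI usually lives.
HIGH_RISK_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin",
)
# Scopes an app requests when it only uses Google for sign-in (SSO).
SIGN_IN_ONLY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
# The post treats a calendar-only integration (e.g. an EHR calendar sync) as fine.
CALENDAR_SCOPE_PREFIX = "https://www.googleapis.com/auth/calendar"

# Constructed sample records (hypothetical apps, made-up client IDs).
SAMPLE_TOKENS = [
    {
        "clientId": "111111111111-ehr.apps.googleusercontent.com",
        "displayText": "Example EHR calendar sync (hypothetical)",
        "scopes": [
            "https://www.googleapis.com/auth/calendar.events",
            "openid",
            "https://www.googleapis.com/auth/userinfo.email",
        ],
        "nativeApp": False,
    },
    {
        "clientId": "222222222222-sched.apps.googleusercontent.com",
        "displayText": "Example scheduling site (hypothetical)",
        "scopes": [
            "openid",
            "https://www.googleapis.com/auth/userinfo.email",
            "https://www.googleapis.com/auth/userinfo.profile",
        ],
        "nativeApp": False,
    },
    {
        "clientId": "333333333333-notes.apps.googleusercontent.com",
        "displayText": "Example note-taking app (hypothetical)",
        "scopes": ["openid", "https://www.googleapis.com/auth/drive.readonly"],
        "nativeApp": False,
    },
]


@dataclass
class TokenRecord:
    client_id: str
    display_text: str
    scopes: list
    native_app: bool = False


def from_api_record(rec: dict) -> TokenRecord:
    """Build a TokenRecord from an API-shaped dict (missing fields tolerated)."""
    return TokenRecord(
        client_id=rec["clientId"],
        display_text=rec.get("displayText") or rec["clientId"],
        scopes=list(rec.get("scopes", [])),
        native_app=bool(rec.get("nativeApp", False)),
    )


def classify(token: TokenRecord) -> str:
    """Return the review bucket for one connected app."""
    scopes = set(token.scopes)
    if scopes and scopes <= SIGN_IN_ONLY_SCOPES:
        return "sso-only"          # Google used purely as a login: set a password, remove
    if any(s.startswith(HIGH_RISK_SCOPE_PREFIXES) for s in scopes):
        return "high-risk"         # can read mail/Drive/admin data: needs a BAA or removal
    if scopes and all(s.startswith(CALENDAR_SCOPE_PREFIX) or s in SIGN_IN_ONLY_SCOPES
                      for s in scopes):
        return "calendar-integration"  # e.g. EHR calendar sync: fine to keep
    return "review"                # anything else (or no scopes listed): look at it by hand


def review(records) -> dict:
    """Group app display names by bucket, in a stable order for reading."""
    report = {"sso-only": [], "high-risk": [], "calendar-integration": [], "review": []}
    for rec in records:
        token = from_api_record(rec)
        report[classify(token)].append(token.display_text)
    return report


if __name__ == "__main__":
    for bucket, apps in review(SAMPLE_TOKENS).items():
        print(f"{bucket}: {apps}")
```

Run it against your own export instead of `SAMPLE_TOKENS`; an app that lands in "high-risk" is one where you want to confirm a BAA exists before deciding whether it stays.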
If you’re still reading, thank you for sticking with me and investing time in yourself and your practice! Way to go - this was not a “fun” read, unless you’re a mega-nerd like me. I do want to be clear: this is not a fully exhaustive list. There’s always more out there that you can do to be more secure, but this gives you a REALLY good foundation plus some to make sure that your PHI is locked in on your Google Workspace.