Are Google Applications HIPAA Compliant?

Is Google Meet (and the rest of Google Workspace) HIPAA compliant at Behavioral Framework?

Yes. Behavioral Framework uses paid Google Workspace accounts, and our IT team has completed the steps required to make Google Meet, Google Chat, Gmail, and other Google tools HIPAA compliant for our organization. Here's what that means and what you need to know.


What IT Has Done to Keep Us Compliant

HIPAA compliance with Google is not automatic — it requires three things: a paid enterprise account, a signed legal agreement with Google, and specific security settings enforced by the IT administrator. All three are in place at Behavioral Framework.

1. We use paid Google Workspace accounts. Free personal Google accounts (like a personal @gmail.com) have no HIPAA compliance protections. Corporate and management staff use Google Workspace Enterprise Plus under the behavioralframework.com domain. Field staff — including RBTs and BTs — are provisioned on Google Workspace Frontline Starter, which is Google's product specifically designed for deskless and field-based workers. Both plans are paid, managed Workspace accounts that qualify for HIPAA compliance.

2. We have a signed Business Associate Agreement (BAA) with Google. A Business Associate Agreement is a legal contract that requires Google to handle Protected Health Information (PHI) responsibly on our behalf. Our IT administrator signed this agreement with Google on December 12, 2019, and it covers our entire organization across Google Workspace and Cloud Identity — including both Enterprise Plus and Frontline Starter accounts.

3. IT has configured security settings to enforce compliance. A signed BAA means Google provides a secure, compliant infrastructure — but the organization is responsible for how tools are used day to day. IT has configured settings including restricted meeting access, calendar privacy controls, Drive sharing permissions, and file access protections.


Which Google Tools Are HIPAA Covered?

Under our BAA with Google, the following tools may be used in connection with PHI:

  • Google Meet — Video and voice meetings
  • Gmail — Email
  • Google Chat — Team messaging
  • Google Drive, Docs, Sheets, Slides, and Forms — File storage and collaboration
  • Google Calendar — Scheduling
  • Google Keep — Notes
  • Google Tasks — Task management

These are all part of what Google calls "HIPAA Included Functionality" — meaning they are covered as long as the settings described above are properly configured, which IT has done.


What You Need to Know as a Staff Member

While IT has set up the guardrails, each of us plays a role in keeping things compliant. Here are the most important things to keep in mind:

In Google Meet:

  • Use your Behavioral Framework Google account (not a personal account) when hosting or joining work-related meetings.
  • Do not share meeting links publicly or allow anonymous participants to join sessions involving client information.
  • Do not use a client's full name in a meeting title or calendar invite. Use initials, an ID number, or a general description instead (e.g., "Tuesday Supervision" rather than a client's name).
  • If a meeting is recorded, the recording is automatically saved to Google Drive. Treat those recordings with the same care as any other client record.

In Gmail and Google Chat:

  • Be thoughtful about including client information in emails and chat messages. When you need to reference a client, use the minimum information necessary — avoid full names, dates of birth, diagnosis details, or other identifying information wherever possible.
  • Do not include PHI in the subject line of an email or in the name of a Chat space.

In Google Drive, Docs, and Sheets:

  • Do not include client names or identifying information in the titles of files or folders.
  • Do not change sharing settings on files to "Anyone with the link." Keep files shared only with the specific people who need access.

Third-Party Apps and Add-Ons:

  • Third-party apps, browser extensions, and add-ons that connect to Google tools are not covered under Google's BAA with us. If you are using or considering any third-party tool that connects to your Google account, check with IT before using it in connection with any client-related work.

What Is NOT Covered

Your personal Google account — even if you use it to access a Google Meet session — is not covered under the Behavioral Framework BAA. Our BAA applies only to accounts under the behavioralframework.com domain.

Google Contacts is specifically excluded from HIPAA coverage by Google and should not be used to store client information.


Still Have Questions?

If you are unsure whether a specific use of Google tools is compliant, or if you have questions about how to handle client information on any platform, please submit a request to the IT Help Desk. We are happy to help.


This article is provided by the Behavioral Framework IT team. The Google Workspace HIPAA Business Associate Agreement has been on file since December 12, 2019. For IT support, contact the Help Desk.
