Is Google Chat HIPAA Compliant? BAA & Key Limits

Google Chat can be HIPAA compliant, but only when used through a paid Google Workspace account with a signed Business Associate Agreement (BAA). If you’re using a free personal Gmail account, Google Chat is not covered and should never be used to send or receive protected health information (PHI).

Google Chat Is Covered Under the BAA

Google explicitly lists Google Chat as “Included Functionality” under its HIPAA Business Associate Addendum. As of 2025, the covered services include Gmail, Google Chat, Google Meet, Google Drive (including Docs, Sheets, Slides, and Forms), Google Calendar, Google Keep, Google Voice (managed users only), and several others. This means Google contractually agrees to handle data in these services according to HIPAA requirements, including encryption, access controls, and breach notification obligations.

The critical prerequisite: your organization’s IT administrator must review and accept the BAA through the Google Workspace Admin console before anyone uses these services with PHI. Without that signed agreement, using Google Chat with patient data violates HIPAA regardless of what security features are enabled.

Free Gmail Accounts Are Not Eligible

Google does not offer a BAA for consumer accounts. If your team is using personal @gmail.com addresses to message through Google Chat, that setup cannot be made HIPAA compliant. There is no workaround, no setting to toggle, and no way to request a BAA for free accounts. You need a paid Google Workspace subscription, which starts with the Business tier and scales up through Enterprise plans. The BAA option becomes available once you’re on an eligible paid plan.

Signing the BAA Is Only the First Step

A common misconception is that signing Google’s BAA automatically makes everything compliant. It doesn’t. Google’s HIPAA implementation guide makes the division of responsibility clear: Google secures the infrastructure, encrypts data in transit and at rest, and maintains its own compliance certifications. Your organization is responsible for how the tools are actually configured and used.

That means your IT administrator needs to:

  • Restrict services that aren’t covered. Any Google Workspace service not on the HIPAA Included Functionality list should be turned off for users who handle PHI. Google Photos, YouTube, and Google Play, for example, are not covered.
  • Control external sharing. If staff can freely chat with outside contacts, PHI could leave your organization’s protected environment. Admins should configure who users can communicate with externally.
  • Separate user groups. Google recommends creating organizational units so users who handle PHI and those who don’t are in separate groups, each with appropriate service access.
  • Manage third-party integrations. Any apps, add-ons, or bots connected to Google Chat are your responsibility. If a third-party tool processes PHI, you need a separate BAA with that vendor. Google’s agreement doesn’t extend to outside applications.

Audit Trails and Record Retention

HIPAA requires organizations to maintain records of who accessed PHI and when. Google Vault, which is also on the HIPAA-covered services list, provides audit and retention capabilities for Google Chat messages. Administrators can set retention policies that determine how long chat messages are preserved, search across messages for compliance investigations, and export records when needed.

Vault logs track actions like who ran a search, who exported data, who modified retention rules, and when each action occurred. These logs can be downloaded as CSV files for your compliance records. Each entry includes the user who performed the action, a timestamp, the type of event, and relevant details like search parameters or affected users.

What Google Won’t Cover

Two areas catch organizations off guard. First, Google’s technical support is explicitly excluded from HIPAA coverage. If you contact Google support about an issue, do not include any PHI in your support tickets, screenshots, or conversations with support staff.

Second, your organization remains responsible for fulfilling patients’ rights under HIPAA, including their right to access their data, request amendments, and receive an accounting of disclosures. Google provides the platform, but managing those obligations falls entirely on you.

Is Google Chat a Good Choice for Healthcare?

For organizations already using Google Workspace, Chat is a practical option for internal team communication involving PHI. It’s covered under the same BAA as Gmail and Drive, so you’re not adding another vendor relationship. The integration with other Workspace tools means files shared in Chat conversations inherit the same compliance protections.

Where it falls short compared to dedicated healthcare messaging platforms is in features designed specifically for clinical workflows, like care team coordination, EHR integration, or role-based message routing. Google Chat is a general-purpose messaging tool that can be made compliant, not a purpose-built clinical communication system. For basic team messaging, it works. For complex clinical communication needs, you may want a platform designed for that use case, with Google Chat’s BAA coverage as a baseline rather than a ceiling.