Google Meet can be used in a HIPAA-compliant way, but only under specific conditions. It is not compliant by default. Your organization needs a paid Google Workspace plan, a signed Business Associate Agreement (BAA) with Google, and properly configured admin settings before Google Meet can legally handle protected health information (PHI).
What Makes Google Meet Eligible
Google Meet is one of several Google Workspace services covered under Google’s Business Associate Agreement, which is the legal contract HIPAA requires between a healthcare provider (or any covered entity) and a vendor that may access patient data. Without this signed agreement, using Google Meet for telehealth visits, clinical discussions, or anything involving PHI violates federal law, regardless of how secure the platform might be technically.
Google calls this agreement a “Business Associate Addendum,” and it can be accepted electronically by a Workspace administrator. However, it’s only valid if your organization already has an existing Google Workspace services agreement in place. Free personal Gmail or Google accounts do not qualify. You need a paid Workspace plan, such as Business Plus, Enterprise, or one of the editions specifically marketed to regulated industries.
Once the BAA is signed, it covers a defined list of Google products. Google maintains this list separately, and not every Workspace feature is included. Google Meet is on the list, along with core services like Gmail, Google Drive, Google Calendar, and Google Chat. But features or products outside that list, even if they live inside your Workspace environment, are not covered.
What Google Handles vs. What You Handle
Signing a BAA does not make your organization compliant on its own. HIPAA compliance follows a shared responsibility model. Google is responsible for the security of the underlying infrastructure: encrypting data in transit and at rest, maintaining physical security of data centers, and providing the security controls built into Workspace. These inherited controls, like default encryption, can serve as evidence of your security posture during audits.
Your organization remains responsible for everything else. That includes controlling who has access to Google Meet and other Workspace services, configuring settings appropriately, training staff on proper use, and managing what data gets stored and where. Even in a SaaS product like Google Workspace, where Google owns the bulk of the technical security responsibilities, you are still accountable for your access policies and the data you choose to put into the application.
In practical terms, this means your IT team or administrator needs to actively configure Workspace settings to protect PHI. Leaving default settings untouched and assuming Google will handle everything is a common and costly mistake.
Configuration Steps That Matter
Several admin-level settings directly affect whether your Google Meet usage stays within HIPAA guidelines. These are the areas that require attention:
- Meeting recordings: Some organizations disable Google Meet recording entirely for accounts that handle PHI. Recordings create stored copies of patient conversations, which become PHI that must be secured, access-controlled, and eventually disposed of. The University of Minnesota, for example, disables recording for its HIPAA-covered accounts.
- Access controls: Limit who can join meetings, require authentication for participants, and restrict the ability to share meeting links broadly. Anonymous join should be disabled for any meeting involving patient information.
- Chat within meetings: Messages sent during a Google Meet session can be saved. If those messages contain PHI, they need the same protections as any other patient record.
- Data retention policies: Configure how long recordings, chat logs, and other meeting artifacts are retained, and ensure deletion schedules align with your organization’s HIPAA policies.
Third-Party Apps and Add-Ons
This is where many organizations run into trouble. Google’s BAA covers Google’s own services. It does not extend to third-party plugins, extensions, or integrations you connect to Google Meet or the broader Workspace environment. If you install a transcription add-on, a scheduling tool, or any other third-party app that touches meeting data, that vendor needs its own BAA with your organization.
Organizations handling PHI often restrict or outright block third-party app access for their HIPAA-covered accounts. Automated data transfer tools are a particular risk, since they can move PHI outside your controlled environment without clear audit trails. The same applies to accessing Workspace services through unauthorized email clients or apps. Even widely used tools like Apple Mail, Outlook, and Thunderbird may be blocked for accounts that handle sensitive health data, because they fall outside the BAA’s scope.
Before connecting any external tool to your Workspace environment, verify that it has its own HIPAA compliance documentation and that you have a signed BAA with that vendor.
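One way to run that check across an existing environment, as an added example that is not from the original page or from Google: it compares an inventory of third-party OAuth grants against the vendors with a signed BAA and reports apps that can reach Meet, Drive, Calendar, Gmail, or Chat data without one. The record fields follow the token resource of the Admin SDK Directory API (`clientId`, `displayText`, `scopes`, `userKey`); the sample grants, client IDs, BAA register, and scope-prefix list are constructed assumptions.

```python
# Added example: flag third-party OAuth grants that reach PHI-bearing
# Workspace data but whose vendor has no signed BAA on file.
G = "https://www.googleapis.com/auth/"

# Assumption: scope prefixes that give access to the services the page names.
PHI_SCOPE_PREFIXES = (G + "meetings", G + "drive", G + "calendar",
                      G + "gmail", G + "chat", "https://mail.google.com/")

# Constructed sample inventory (shape of Directory API token records).
TOKENS = [
    {"userKey": "nurse1@clinic.example", "clientId": "client-notetaker",
     "displayText": "NoteTaker", "scopes": [G + "meetings.space.readonly", G + "drive.file"]},
    {"userKey": "dr.lee@clinic.example", "clientId": "client-notetaker",
     "displayText": "NoteTaker", "scopes": [G + "meetings.space.readonly"]},
    {"userKey": "dr.lee@clinic.example", "clientId": "client-scheduler",
     "displayText": "SchedulePro", "scopes": [G + "calendar.events"]},
    {"userKey": "nurse1@clinic.example", "clientId": "client-sso",
     "displayText": "SSO Portal", "scopes": ["openid", G + "userinfo.email"]},
]

# Constructed register: client IDs of vendors with a signed BAA.
BAA_SIGNED = {"client-scheduler"}


def phi_scopes(scopes):
    """Return the granted scopes that can touch PHI-bearing services."""
    return {s for s in scopes if s.startswith(PHI_SCOPE_PREFIXES)}


def audit(tokens, baa_signed):
    """Map clientId -> app name, affected users and PHI scopes, for apps lacking a BAA."""
    findings = {}
    for t in tokens:
        touched = phi_scopes(t["scopes"])
        if not touched or t["clientId"] in baa_signed:
            continue  # sign-in-only grant, or vendor already under a BAA
        f = findings.setdefault(
            t["clientId"], {"app": t["displayText"], "users": set(), "scopes": set()})
        f["users"].add(t["userKey"])
        f["scopes"] |= touched
    # Sorted lists make the report stable for diffing between audit runs.
    return {cid: {"app": f["app"], "users": sorted(f["users"]),
                  "scopes": sorted(f["scopes"])} for cid, f in findings.items()}


if __name__ == "__main__":
    for cid, f in audit(TOKENS, BAA_SIGNED).items():
        print(f"{f['app']} ({cid}): no BAA; users={f['users']} scopes={f['scopes']}")
```

Grants that only carry sign-in scopes are skipped, so the report lists only apps that need either a BAA or revocation.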
How Google Meet Compares to Other Telehealth Options
Google Meet is one of several video platforms that can operate under a BAA. Microsoft Teams (with certain Microsoft 365 plans) and Zoom (with its healthcare-specific plan) offer similar arrangements. The core requirements are the same across all of them: a signed BAA, proper configuration, and organizational policies that govern how staff use the platform.
Google Meet’s advantage is convenience for organizations already using Google Workspace. It integrates directly with Google Calendar, so scheduling a HIPAA-compliant video call is straightforward once the environment is properly set up. The browser-based access model also reduces the risk of PHI being cached on local devices through third-party apps, since participants can join directly from a web browser without installing additional software.
The key limitation is that Google Meet is a general-purpose video tool, not a purpose-built telehealth platform. It lacks features like integrated patient intake forms, waiting room workflows designed for clinical use, or built-in documentation tools that dedicated telehealth platforms offer. For organizations that need those features, Google Meet may serve as the video layer while other HIPAA-compliant tools handle the clinical workflow around it.
The Bottom Line on Compliance
Google Meet is HIPAA-eligible, not HIPAA-compliant out of the box. The distinction matters. Google provides the infrastructure and the legal agreement. Your organization provides the configuration, the policies, the training, and the ongoing oversight. Both sides have to fulfill their responsibilities for the result to be compliant. Signing the BAA is step one, not the finish line.

