Is Google Sheets HIPAA Compliant? Risks and Requirements

Google Sheets is not HIPAA compliant on its own, but it can be used with protected health information (PHI) if your organization has a paid Google Workspace account and signs a Business Associate Agreement (BAA) with Google. A free personal Gmail or Google account does not qualify. Without the BAA in place, storing any patient data in Google Sheets is a HIPAA violation, regardless of how carefully you configure it.

The BAA Is the Non-Negotiable First Step

HIPAA requires that any cloud service handling PHI on your behalf sign a Business Associate Agreement. Google calls theirs a Business Associate Amendment, and it’s available to Google Workspace and Cloud Identity customers. Your account administrator must review and accept the BAA through the admin console before anyone in the organization uses Google services with PHI. Until that agreement is active, Google has no legal obligation to protect health information under HIPAA, and your organization bears full liability for any breach.

Google only covers specific services under the BAA. It publishes a “HIPAA Included Functionality” list that names the exact products eligible. Google Sheets (as part of Google Drive) is on that list, along with Gmail, Google Docs, Google Calendar, and several other core Workspace apps. Services not on the list should not be used with PHI, even if they’re part of the same Workspace account.

Free Google Accounts Don’t Qualify

If you’re using a personal @gmail.com account or the free version of Google Sheets, you cannot sign a BAA with Google. This is one of the most common compliance mistakes small practices make. The BAA is only available through paid Google Workspace plans. Google does not publicly restrict the BAA to specific pricing tiers within Workspace, but you do need an active Workspace subscription with admin console access to review and accept the agreement.

Signing the BAA Alone Isn’t Enough

A signed BAA makes Google your business associate, but HIPAA compliance is a shared responsibility. Google handles infrastructure-level protections: encrypting data both in transit and at rest, maintaining physical security at data centers, and logging system-level activity. Everything else falls on you. That means your organization needs to configure Workspace settings, train staff, and enforce policies that prevent unauthorized access to PHI.

Google publishes a HIPAA Implementation Guide specifically for Workspace customers. It walks administrators through the settings and practices needed to keep PHI secure across Google services, including Sheets.

Sharing Settings Are Where Most Mistakes Happen

Google Sheets makes it dangerously easy to share a file with “anyone with the link.” For a spreadsheet containing patient names, appointment dates, or billing codes, that single setting could constitute a reportable breach. Google’s own guidance emphasizes sharing with specific recipients rather than using open links, and following your organization’s internal policies for handling PHI.

Administrators should configure domain-wide sharing defaults in the Google Workspace admin console to prevent users from accidentally making files public or accessible outside the organization. Key steps include:

  • Restricting external sharing. Turn off the ability to share Drive files with people outside your domain, or limit it to approved external domains only.
  • Disabling link sharing defaults. Set the default sharing permission so that new files are restricted to specific people, not anyone with the link.
  • Limiting who can move or copy files. Prevent users from downloading, printing, or copying files that contain PHI to reduce the risk of data leaving controlled environments.

These settings apply across Google Drive, which means they cover Sheets, Docs, and Slides simultaneously. But they only work if an administrator actively configures them. The out-of-the-box defaults in Workspace are not HIPAA-ready.

Access Controls and Authentication

HIPAA’s Security Rule requires that only authorized individuals can access PHI. In practical terms, this means your Google Workspace setup needs strong identity controls. Two-step verification (Google’s term for two-factor authentication) should be enforced for every user in the organization, not just recommended. Administrators can mandate this through the admin console so that no one can log in with a password alone.

Beyond login security, you should apply the principle of least privilege to every spreadsheet containing PHI. Only the people who need access to do their jobs should have it. Google Sheets lets you set view-only, comment-only, or edit permissions on a per-user basis. Use these granularly rather than sharing with entire groups or departments by default.

Audit Logs and Monitoring

HIPAA requires covered entities to track who accesses PHI and what they do with it. Google Workspace provides audit logs through the admin console that record activity across Drive, including Sheets. These logs capture events like file creation, viewing, editing, sharing changes, downloads, and permission modifications. Administrators can review these logs to investigate suspicious activity or respond to a compliance audit.

For organizations that need more granular monitoring, Google Workspace’s higher-tier plans offer additional tools like data loss prevention (DLP) rules that can scan files for patterns resembling PHI (such as Social Security numbers or medical record numbers) and automatically restrict sharing or flag the file for review.
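As an added illustration of the audit-log review described above (not code from Google or from this article), the script below scans exported Drive audit records and flags the two sharing changes the text warns about: a file opened to anyone with the link, and a file shared with a recipient outside the organization. The record shape, event names (`change_document_visibility`, `change_user_access`), and parameter names (`visibility`, `target_user`, `doc_title`) are assumed to follow the Admin SDK Reports API Drive audit log; the sample records and the `clinic.example` domain are constructed.

```python
import json

# Event and value names assumed to match the Drive audit log exported via the
# Admin SDK Reports API; check them against your own tenant's export.
SHARING_EVENTS = {"change_user_access", "change_document_visibility",
                  "change_document_access_scope"}
RISKY_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}

# Constructed sample: three Drive audit records as newline-delimited JSON.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"id": {"time": "2024-05-01T09:00:00Z"}, "actor": {"email": "nurse@clinic.example"},
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_title", "value": "Intake Tracker"}]}]},
    {"id": {"time": "2024-05-01T09:05:00Z"}, "actor": {"email": "nurse@clinic.example"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Intake Tracker"},
                                {"name": "visibility", "value": "people_with_link"}]}]},
    {"id": {"time": "2024-05-01T09:10:00Z"}, "actor": {"email": "billing@clinic.example"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Billing Codes"},
                                {"name": "target_user", "value": "vendor@partner.example"},
                                {"name": "new_value", "value": "can_edit"}]}]},
])

def _params(event):
    """Flatten the audit log's [{name, value}, ...] parameter list into a dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}

def find_risky_sharing(log_text, internal_domain):
    """Return one finding per sharing change that exposes a file to link access
    or grants access to an account outside internal_domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for ev in rec.get("events", []):
            if ev.get("name") not in SHARING_EVENTS:
                continue  # views, edits and downloads are not sharing changes
            p = _params(ev)
            reasons = []
            if p.get("visibility") in RISKY_VISIBILITY:
                reasons.append("visibility=" + p["visibility"])
            target = (p.get("target_user") or "").lower()
            if target and not target.endswith("@" + internal_domain.lower()):
                reasons.append("external_recipient=" + target)
            if reasons:
                findings.append({"time": rec["id"]["time"], "actor": rec["actor"]["email"],
                                 "doc": p.get("doc_title", "?"), "event": ev["name"],
                                 "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_risky_sharing(SAMPLE_LOG, "clinic.example"):
        print(finding)
```

Run against a real export, a finding on a sheet known to hold PHI is the trigger to revert the permission change and start the breach assessment the text describes.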

Third-Party Add-Ons Are a Blind Spot

Google Sheets supports Marketplace add-ons and custom Apps Script automations that can read, write, and export spreadsheet data. These third-party tools operate outside Google’s BAA. If an add-on pulls PHI from a spreadsheet and sends it to an external server, your organization is responsible for that data transfer, and the add-on developer is not covered by your agreement with Google.

The safest approach is to block third-party add-on installation entirely for users who work with PHI, or to restrict Marketplace installations to a pre-approved list that your compliance team has vetted. Administrators can control this in the Workspace admin console under the Apps section. Any add-on that touches PHI would need its own BAA with your organization to remain compliant.

Is Google Sheets a Good Choice for PHI?

Google Sheets can technically be used in a HIPAA-compliant workflow, but “can” and “should” are different questions. Spreadsheets lack the structured access controls, field-level permissions, and built-in audit trails that purpose-built healthcare software provides. A single user dragging a column of patient names into the wrong sheet, or accidentally changing sharing permissions, can create a compliance gap that’s hard to detect.

For small organizations with limited PHI and tight budgets, a properly configured Google Workspace account with a signed BAA, locked-down sharing settings, enforced two-step verification, and staff training can meet the legal bar. For anything involving large volumes of patient data or complex workflows, a dedicated electronic health record system or HIPAA-compliant database is a more practical and safer choice. The flexibility that makes Google Sheets useful for everyday work is exactly what makes it risky when the data has legal protections attached to it.