Is Google Forms HIPAA Compliant?

Google Forms HIPAA Compliant

Google Forms is HIPAA compliant and can be used to collect, export, and share protected health information provided the service is used as part of a Workspace plan that supports HIPAA compliance, the service settings are configured to comply with the Security Rule, and the workforce is trained on its compliant use. It will also be necessary to agree to Google’s Business Associate Addendum before the service is used to collect PHI.

Google Forms is a survey administration tool that can be used to conduct opinion polls, manage event registrations, and collect information through internal or public-facing websites. When used in ways that do not involve uses and disclosures of data covered by the HIPAA Privacy Rule, the solution could be used by healthcare organizations without HIPAA compliance being a consideration.

However, if Google Forms is used to collect, store, or share protected health information – or if protected health information is exported to another service for analysis – the HIPAA Administrative Simplification Regulations apply. Additionally, Google would be considered a business associate of the healthcare organization.

Is Google Forms HIPAA Compliant?

Before any software application can be used in connection with protected health information, healthcare organizations must ensure safeguards are in place to ensure the confidentiality, integrity, and availability of any protected health information that is created, received, stored, maintained, or transmitted by that software.

Therefore, the first step in ensuring Google Forms is HIPAA compliant is to subscribe to a Workspace plan that includes sufficient safeguards to comply with the HIPAA Rules (not all Workspace plans have sufficient safeguards). Thereafter, the safeguards must be configured to comply with the requirements of the Security Rule.

Google provides a HIPAA Implementation Guide to help healthcare organizations configure its “Core Services” in compliance with HIPAA. However, system administrators are also required to configure third party services Google Forms may be integrated with. For example, it is possible to integrate services included in Google Drive into Microsoft Teams).


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Google’s Business Associate Agreement

Whenever using protected health information on a cloud-based service, satisfactory assurances must be obtained from the service provider that the service is compliant with HIPAA Rules. The service provider must provide the assurances by signing a HIPAA-compliant business associate agreement with the HIPAA-covered entity.

Google will enter into business associate agreements with HIPAA-covered entities, but will not sign covered entities’ own Agreements. Instead, Google has produced a one-size-fits-all Business Associate Addendum which compliance officers are advised to review before signing in order to understand the applicability of the agreement and also their compliance responsibilities.

Since Google Forms is part of Google Drive; and provided a healthcare organization signs Google’s Business Associate Addendum – which covers Google Drive and includes Google Forms – the service can be used to collect, store, and share protected health information without violating HIPAA Rules. We therefore consider Google Forms HIPAA compliant in these circumstances.

Workforce Training is Also Necessary

It is not actually possible for any software solution to be HIPAA compliant, as compliance is determined by how people use the software solutions. It is possible to violate HIPAA Rules with Google Forms, even if the service has been configured correctly and a Business Associate Addendum has been signed.

Therefore, it is important that members of the workforce with access to Google Forms are trained in how to use the service compliantly. Topics to include in workforce HIPAA training include creating forms with appropriate permissions and visibility, and avoiding using protected health information in the title of Forms or any files data will be exported to.

If any healthcare organizations experience difficulties in selecting an appropriate Workspace plan, configuring the services correctly, understanding Google’s Business Associate Addendum, or training members of the workforce on the compliant use of Google Forms, it is advisable to seek professional compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: