Google Workspace HIPAA Audit

Google Workspace isn't HIPAA compliant by default.

Google will sign a BAA, but the BAA alone doesn't make you compliant. Get a 50+ point audit of BAA coverage, ePHI protections, and every Google Workspace setting the HIPAA Security Rule's safeguards actually depend on.

  • CISSP certified
  • 20+ years in security
  • 100+ healthcare practices served

Start your audit

Enter your email and we'll be in touch within one business day.

  • $999 flat fee. No surprise pricing, no retainers required.
  • Read-only access. We never see patient records or ePHI.
  • Full report in 2 weeks with screenshots and fixes.

The assumptions that fail audits

Four beliefs that leave healthcare practices exposed.

We've audited dozens of healthcare Google Workspace environments. These are the assumptions we encounter most — and the reality behind each.

Assumption 01

“We signed Google's BAA so we're compliant.”

The BAA covers Google's obligations, not yours. Sharing settings, admin permissions, and whether staff can forward patient emails to personal accounts are all on you. The BAA is the starting line, not the finish.

Assumption 02

“Google handles HIPAA compliance for us.”

Google manages the infrastructure. You manage the configuration. Sharing settings, admin permissions, audit logs, email forwarding, and third-party app access are your responsibility under HIPAA. Google provides the tools — you have to configure them.

Assumption 03

“We're too small for HIPAA enforcement.”

The Office for Civil Rights (OCR) enforces HIPAA against practices of all sizes. Solo practitioners and small group practices appear in HHS enforcement actions regularly. If you handle patient records in Google Workspace, you're in scope.

Assumption 04

“We already use encryption.”

Encryption is only one of the HIPAA Security Rule's technical safeguards. Are audit logs capturing ePHI access? Do DLP rules block patient data from leaving your domain? Can users share records externally? We regularly find organizations with encryption on and everything else wide open.

50+ checkpoints

Every setting that matters for HIPAA.

Four areas. Fifty-plus individual checks against the HIPAA Security Rule, covering the technical safeguards and the organizational requirements (such as BAA coverage) that sit behind them. Every finding is documented with the exact path to the setting and how to fix it.

Authentication & access

  • 2-step verification enforcement
  • Passkeys & phishing-resistant methods
  • Session timeout controls
  • Admin account recovery settings
  • Inactive account detection
  • HIPAA-required access controls for ePHI
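The first four checks in this list can be driven straight from the user records the Admin SDK Directory API returns. The script below is an added example written for this page, not the auditor's own tooling: it takes records in the shape of a `users().list(customer="my_customer", projection="full")` response and reports super admins, admins without 2-step verification enrolled, accounts where 2SV is not enforced by policy, and accounts with no sign-in inside a 90-day window. The domain `example-clinic.com`, the four accounts, and the fixed as-of date are constructed sample data.

```python
"""Check Google Workspace user records for the authentication gaps listed above.

Input has the shape of the Admin SDK Directory API response from
users().list(customer="my_customer", projection="full"); the records here are
constructed sample data for a hypothetical clinic, not output from a real tenant.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample: four accounts shaped like Directory API user resources.
# "1970-01-01T00:00:00.000Z" is what the API returns for an account that never signed in.
SAMPLE_USERS = [
    {"primaryEmail": "admin@example-clinic.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2025-01-10T14:02:11.000Z"},
    {"primaryEmail": "billing@example-clinic.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2025-01-09T09:15:00.000Z"},
    {"primaryEmail": "frontdesk@example-clinic.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2024-06-01T08:00:00.000Z"},
    {"primaryEmail": "locum@example-clinic.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},
]

# Fixed "now" so the sample run is reproducible; use datetime.now(timezone.utc) on a live pull.
AS_OF = datetime(2025, 1, 15, tzinfo=timezone.utc)


def last_login(user: dict) -> datetime | None:
    """Parse lastLoginTime; None means the account has never signed in."""
    ts = user.get("lastLoginTime")
    if not ts or ts.startswith("1970-01-01"):
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users: list[dict], as_of: datetime = AS_OF,
                inactive_days: int = 90) -> dict[str, list[str]]:
    """Return the accounts that fail each check, keyed by check name."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings: dict[str, list[str]] = {
        "super_admins": [],            # isAdmin is True only for super admins
        "admins_without_2sv": [],      # highest-risk gap: privileged and password-only
        "users_not_enforced_2sv": [],  # 2SV is not mandated by policy for this account
        "inactive_accounts": [],       # active account with no sign-in inside the window
    }
    for u in users:
        email = u["primaryEmail"]
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; they are not a live risk here
        if u.get("isAdmin"):
            findings["super_admins"].append(email)
            if not u.get("isEnrolledIn2Sv"):
                findings["admins_without_2sv"].append(email)
        if not u.get("isEnforcedIn2Sv"):
            findings["users_not_enforced_2sv"].append(email)
        seen = last_login(u)
        if seen is None or seen < cutoff:
            findings["inactive_accounts"].append(email)
    return findings


if __name__ == "__main__":
    for check, emails in audit_users(SAMPLE_USERS).items():
        print(f"{check}: {', '.join(emails) or 'none'}")
```

On a real tenant the same function takes the `users` array from `google-api-python-client`'s `service.users().list(customer="my_customer", projection="full").execute()`, which needs only the `admin.directory.user.readonly` scope, so the check itself never touches mailboxes or Drive content.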

Email security

  • DMARC, DKIM, and SPF configuration
  • Spoofing and phishing protection
  • Safety settings & malware scanning
  • External forwarding controls
  • Mail delegation monitoring
  • Email encryption for ePHI transmission
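The SPF and DMARC part of the first two checks is a matter of reading two TXT records and grading them. The script below is an added example for this page, not the auditor's own tooling: it flags the classic weaknesses (`+all` or `?all` in SPF, more than ten DNS lookups, the deprecated `ptr` mechanism, DMARC `p=none`, partial `pct`, no `rua` reporting address, and `sp=none` under an apex at `p=reject`). The four records and the domain `example-clinic.com` are constructed; fetch your own with `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com`. DKIM is left out because it needs the selector (`google._domainkey` for Workspace) and the published key, not just a policy string.

```python
"""Grade SPF and DMARC TXT records for the weaknesses the email checks above look for.

Input is the raw TXT record string. The records below are constructed examples
for a hypothetical domain, not real DNS data.
"""
from __future__ import annotations

import re

# Constructed sample records: one weak and one sound example of each.
SPF_WEAK = "v=spf1 include:_spf.google.com include:mail.example-crm.com +all"
SPF_OK = "v=spf1 include:_spf.google.com -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=100"
DMARC_OK = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@example-clinic.com")

_ALL_TERM = re.compile(r"([+\-~?]?)all", re.IGNORECASE)


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means no issues found."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no valid v=spf1 record, so receivers cannot reject spoofed senders"]
    lookups = 0
    qualifier = None
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", mech, maxsplit=1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1  # each of these costs a DNS lookup (RFC 7208 section 4.6.4)
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and slow; replace with ip4/ip6 or include")
        m = _ALL_TERM.fullmatch(term)
        if m:
            qualifier = m.group(1) or "+"  # a bare "all" means "+all"
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10; evaluation returns permerror")
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    elif qualifier == "+":
        findings.append("SPF: +all authorizes every host on the internet to send as this domain")
    elif qualifier == "?":
        findings.append("SPF: ?all is neutral, which receivers treat like no policy")
    elif qualifier == "~":
        findings.append("SPF: ~all softfails unlisted senders; acceptable only with DMARC p=reject or p=quarantine")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means no issues found."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no valid v=DMARC1 record; SPF/DKIM results are never enforced"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to spam rather than rejecting them")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognized or missing policy tag p={policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(f"DMARC: pct={tags['pct']!r} is not a number; receivers fall back to 100")
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports of spoofing attempts")
    if tags.get("sp", "").lower() == "none" and policy == "reject":
        findings.append("DMARC: sp=none leaves subdomains unprotected while the apex is at p=reject")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", SPF_WEAK, check_spf), ("good SPF", SPF_OK, check_spf),
                           ("weak DMARC", DMARC_WEAK, check_dmarc), ("good DMARC", DMARC_OK, check_dmarc)):
        print(f"{label}: {fn(rec) or ['no issues']}")
```

The lookup counter matters more than it looks: a domain that accumulates `include:` entries for every SaaS mailer crosses the ten-lookup limit, SPF evaluation returns permerror, and the policy silently stops protecting the domain even though the record "exists".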

Data protection

  • Drive sharing (internal & external)
  • Marketplace app controls
  • API access restrictions
  • Data loss prevention rules
  • Takeout & export controls
  • BAA verification & scope review

Admin controls

  • Super admin configuration
  • Chrome browser policies
  • Mobile device management
  • Audit log monitoring
  • Third-party app access
  • HIPAA-compliant audit logging

How it works

Three steps from email to report.

01
Day one · 5 minutes

Grant read-only access

Create a temporary admin account for us in Google Admin Console. Takes about five minutes. We only see settings — never patient records, never ePHI.

02
Weeks 1–2

We run the audit

Our team runs all 50+ checkpoints, documents current configurations, and flags everything that doesn't meet the HIPAA Security Rule. No guesswork — direct evidence from your environment.

03
Week 2 · handoff

Review and implement

A prioritized report with screenshots and step-by-step fixes. Urgent items come first; the remaining findings are grouped as Easy, Moderate, and High-Impact. Hand it to your IT team or ask us to implement the fixes for you.

Pricing

One fee. One report. No surprises.

Flat fee · One-time · 2-week delivery

Google Workspace HIPAA Compliance Audit

$999 one-time, all-in

No retainer. No upsell. Pay once, receive a complete 50+ point audit against the HIPAA Security Rule with everything you need to close the gaps.

Included
  • 50+ point security review
  • HIPAA Security Rule compliance review
  • Prioritized findings report
  • Screenshots & step-by-step fixes
  • Email support on your report
Start my audit

Questions we hear

Clear answers to the questions every practice asks first.

Anything else? Call us at (888) 646-1616 and we'll walk through it.

Will you see our patient records or emails?

No. We use a read-only administrator role that grants visibility into settings only. With it we cannot read emails, open documents, or access any patient records or ePHI. This is the first question every healthcare client asks, and the answer is always the same: your data stays private.

How long does the audit take?

Typically 2 to 4 weeks from when you grant access. The timeline depends on how quickly you set up our admin account and schedule the findings review. Most clients have their HIPAA compliance report within two weeks.

What if we're not HIPAA compliant?

Most healthcare organizations we audit aren't fully compliant when we start. Our report tells you exactly what needs to change, prioritized by risk level, with screenshots and step-by-step instructions. If you don't have IT staff to implement the fixes, we offer implementation services and ongoing HIPAA compliance management.

Which Google Workspace editions support HIPAA?

Google will sign a BAA for Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, and Education Plus editions. The BAA covers a defined list of Google services, which includes Gmail, Google Drive, Google Calendar, Google Meet, and Google Chat; ePHI has to stay inside those covered services, and anything outside the list (including third-party Marketplace apps) is not covered by Google's BAA. If you're on Business Starter or Business Standard, you'll need to upgrade before you can achieve HIPAA compliance with Google Workspace. Our audit verifies your edition and BAA coverage.

Can the audit also help with SOC 2?

The audit focuses on HIPAA technical safeguard requirements for Google Workspace. The findings also align with security controls relevant to SOC 2, and we note those overlaps in the report. For a full SOC 2 readiness assessment, we can scope that separately.

Does the audit check for a Google Workspace BAA?

Yes. As part of the audit, we verify whether a Business Associate Agreement (BAA) has been executed with Google (an accepted BAA is listed in the Admin console under Account > Legal and compliance), confirm your edition supports BAA coverage, and check that covered services are configured correctly. Many organizations assume a BAA is in place when it hasn't actually been signed. Our audit catches this.

Stop guessing whether you're HIPAA compliant.

A 50+ point audit of your Google Workspace, delivered in two weeks. $999, no retainer, no surprise pricing.