HIPAA-Compliant Google Forms: What You Need to Know About BAA and Google Workspace
Can you use Google Forms in your healthcare practice? Learn about Business Associate Agreements, Google Workspace, and how to collect patient information securely.
If you’re a healthcare practitioner, you’ve probably wondered: Can I use Google Forms to collect patient information?
It’s a great question, and one that doesn’t have a simple yes or no answer. The short version: Google Forms in a free consumer Google account must not be used for patient information, but Forms in a paid Google Workspace account can be, with the right agreement and setup. Keep in mind that no tool is “HIPAA compliant” on its own; compliance is about whether you, the practice, use it in a way that meets the rules.
Let’s break down what you need to know.
First, What Is HIPAA Compliance?
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that protects sensitive patient health information. Protected Health Information (PHI) is individually identifiable health information: anything that links a person (name, email, phone number, address, dates of service) to their health condition, treatment, or payment for care. A patient’s name on a health history form, an appointment request that mentions symptoms, or a spreadsheet of intake responses all count. If you handle PHI, you must follow the HIPAA Privacy and Security Rules.
This isn’t just for hospitals. It applies to any covered healthcare provider (therapists, chiropractors, acupuncturists, naturopaths and others who transmit health information electronically for billing or claims) and to the vendors that handle PHI on their behalf.
The penalties for HIPAA violations can be significant, ranging from civil fines per violation to criminal penalties for knowingly misusing PHI, plus mandatory breach notification to affected patients. But more importantly, protecting your clients’ information is simply the right thing to do.
What Is a Business Associate Agreement (BAA)?
Under HIPAA, any third party that creates, receives, stores, or transmits PHI on your behalf is a “Business Associate.” This includes email providers, form services, scheduling software, cloud storage, and anything else that touches PHI.
A Business Associate Agreement (BAA) is a legal contract that:
- Confirms the vendor understands they’re handling PHI
- Outlines how they’ll protect that information and restricts what they may do with it
- Requires the vendor to report breaches to you and defines what happens next
Here’s the key point: You need a BAA with every vendor that touches patient data. No BAA means you’re at risk—even if you think the service is secure.
Is Regular Google Forms HIPAA Compliant?
No. Standard free Google accounts (the @gmail.com kind) are consumer products: Google won’t sign a BAA for them, so any PHI you collect through them is handled by a vendor with no BAA in place.
This means you should not use regular Google Forms to collect:
- Patient intake forms
- Health history questionnaires
- Appointment requests with health details
- Any information that could identify a patient along with their health information
Using free Google Forms for PHI puts you at risk of a HIPAA violation.
What About Google Workspace?
This is where it gets better. Google Workspace (formerly G Suite) is Google’s paid business platform, and it can be HIPAA compliant—but only if you set it up correctly.
Here’s what you need to do:
1. Get the Right Google Workspace Plan
You need a paid Google Workspace edition (Business Starter, Business Standard, Business Plus, or Enterprise). Free and consumer accounts don’t qualify, and Google’s list of eligible editions can change, so confirm it in Google’s HIPAA documentation before you buy.
Pricing starts at roughly $6 to $7 per user per month, which is quite reasonable for the protection you get.
2. Sign a BAA with Google
Google provides a BAA for Workspace customers, but it’s not automatic. A super administrator for your Workspace account needs to:
- Log into the Google Workspace Admin console
- Navigate to Account > Account settings
- Open the Legal and compliance section
- Review and accept the HIPAA Business Associate Amendment (you will be asked to confirm that your organization is subject to HIPAA)
Important: You must accept the BAA before you start using Google services for PHI. The BAA doesn’t apply retroactively, so any patient data you stored before accepting it was handled without a BAA in place.
3. Configure Your Settings Properly
Signing the BAA isn’t enough on its own. You also need to:
- Enforce 2-Step Verification (Google’s term for two-factor authentication) for every user, not just enable it as an option; security keys or the Google prompt are stronger than SMS codes
- Review Drive sharing settings so files can’t be shared by link to “anyone” or outside your domain without a deliberate decision
- Train your team on proper data handling
- Turn off or restrict services not covered by the BAA (in the Admin console under Apps > Additional Google services) so PHI can’t end up in them
The BAA only covers specific Google services. Make sure you’re using covered services and configure them securely.
Which Google Services Are Covered?
Google’s BAA covers what they call “Core Services,” including:
- Gmail
- Google Calendar
- Google Drive
- Google Docs, Sheets, Slides
- Google Forms
- Google Meet
- Google Chat
Not covered: YouTube, Google Maps, and various other consumer Google products, along with any Workspace features Google explicitly excludes in its HIPAA documentation. Check the current list before routing PHI through a new feature.
So Can I Use Google Forms for Patient Intake?
Yes, if:
- You have a Google Workspace paid account
- You’ve signed the BAA with Google
- You’ve configured your account securely
- You only collect data through your Workspace account (not personal Gmail)
No, if:
- You’re using a free Gmail account
- You haven’t signed the BAA
- You’re sharing forms or data insecurely
Practical Tips for Using Google Forms Securely
If you do use Google Workspace forms for patient information:
- Keep forms internal. Restrict editing access to the form, and viewing access to the response spreadsheet, to the staff who actually need them. Never share either by link to “anyone.”
- Review responses carefully. Responses land in a Google Sheet; keep that Sheet inside your Workspace domain rather than downloading copies to personal devices or forwarding them.
- Consider what you really need. Collect the minimum information required for the visit; data you never collected can’t be breached.
- Don’t email PHI unencrypted. Gmail within your Workspace domain is covered by the BAA, but mail to outside addresses depends on the recipient’s provider, so avoid putting health details in outbound email.
- Train anyone with access. Make sure your team understands the rules.
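The two settings above that most often drift after setup are 2-Step Verification enrollment and file sharing. Here is an added audit example (written for this article, not code from Google or from Elevas Digital) that checks both. It runs offline on constructed sample data whose shape follows the Admin SDK Directory API users.list response and the Drive API permissions.list response; the clinic domain, user names and file names are made up. In a real audit you would fetch those two responses with the Admin SDK and Drive API (for example via google-api-python-client) and pass the JSON to the same two functions.

```python
"""Audit Workspace users for missing 2-Step Verification and audit Drive files
for sharing beyond named users.

Sample data below is constructed for illustration. Field names (primaryEmail,
isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended; type, role, emailAddress,
domain) match the Directory API users resource and the Drive API permission
resource, so real API output can be dropped in unchanged.
"""
import json

# Constructed sample: what Directory API users.list returns for a small clinic.
USERS_JSON = json.dumps({
    "users": [
        {"primaryEmail": "dr.lee@example-clinic.com", "isAdmin": True,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "frontdesk@example-clinic.com", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "oldintern@example-clinic.com", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
    ]
})

# Constructed sample: Drive permissions.list output keyed by file name.
FILE_PERMISSIONS_JSON = json.dumps({
    "Patient Intake Form (responses)": [
        {"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ],
    "Health History Questionnaire": [
        {"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.com"},
        {"type": "domain", "role": "writer", "domain": "example-clinic.com"},
    ],
    "Staff Holiday Rota": [
        {"type": "user", "role": "owner", "emailAddress": "frontdesk@example-clinic.com"},
        {"type": "user", "role": "writer", "emailAddress": "dr.lee@example-clinic.com"},
    ],
})


def users_without_2sv(users_json):
    """Return active users not enrolled in 2SV, admins first.

    Suspended users are skipped: they cannot sign in. A user who is
    'enforced' but not 'enrolled' is still a finding, because enforcement
    only blocks sign-in after the enrollment grace period ends.
    """
    users = json.loads(users_json)["users"]
    missing = [u for u in users
               if not u.get("suspended") and not u.get("isEnrolledIn2Sv")]
    missing.sort(key=lambda u: (not u.get("isAdmin", False), u["primaryEmail"]))
    return [{"email": u["primaryEmail"],
             "admin": bool(u.get("isAdmin")),
             "enforced": bool(u.get("isEnforcedIn2Sv"))} for u in missing]


def overshared_files(perms_json):
    """Return (file name, reason) for every file shared beyond named users.

    'anyone' means link sharing (with or without discovery); 'domain' means
    every account in the Workspace domain, which for intake data is usually
    far wider than the staff who need it.
    """
    findings = []
    for name, perms in json.loads(perms_json).items():
        for p in perms:
            if p["type"] == "anyone":
                findings.append((name, f"link-shared to anyone as {p['role']}"))
            elif p["type"] == "domain":
                findings.append((name, f"shared with entire domain {p['domain']} as {p['role']}"))
    return findings


def audit(users_json=USERS_JSON, perms_json=FILE_PERMISSIONS_JSON):
    """Run both checks and return a report dict; empty lists mean clean."""
    return {"users_without_2sv": users_without_2sv(users_json),
            "overshared_files": overshared_files(perms_json)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Run it as-is to see the report on the sample data: the front desk account is flagged because it has not enrolled in 2SV even though enforcement is on, and the two intake documents are flagged for link and domain-wide sharing, while the staff rota (shared only with named users) is not.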
Alternatives Worth Considering
Google Workspace is a solid option, but it’s not the only one. Purpose-built healthcare form solutions include:
- JotForm (with their HIPAA plan and BAA)
- Formstack (with HIPAA compliance add-on)
- IntakeQ (designed specifically for healthcare)
These tools are built with healthcare in mind and often include additional features like electronic signatures and secure messaging.
The Bottom Line
Using Google Forms in your healthcare practice is possible, but only with a paid Google Workspace account, an accepted BAA, and settings configured so that PHI stays inside your domain. If you’re currently using free Google Forms for patient information, it’s time to make a change.
This might feel overwhelming, especially if technology isn’t your strong suit. But protecting your clients’ information isn’t optional—it’s essential.
At Elevas Digital, we build websites for wellness practitioners with security in mind. All our websites include secure, HIPAA-compliant contact forms, so you can focus on healing instead of worrying about compliance. Let’s talk about your practice.