Google Workspace & Microsoft 365 HIPAA Setup: The Practical Checklist

Your practice almost certainly runs on Google Workspace or Microsoft 365 already — email, calendar, documents, video calls. Good news: both platforms support HIPAA-appropriate use, and you probably don’t need to migrate anywhere. What you need is a correct setup, and most of it is a one-time checklist. This guide walks through that checklist for both platforms, sized for an independent practice rather than a hospital system.

Step one: sign the Business Associate Agreement

The BAA is the foundation — the agreement that makes your platform vendor accountable for handling protected health information (PHI) properly. Both Google and Microsoft offer one at no extra charge on paid business plans, and neither requires a lawyer to accept. Free consumer accounts (personal Gmail, personal Outlook.com) do not qualify and should never carry patient information.

Google Workspace

  1. Make sure you’re on a paid Google Workspace plan (any business tier) with your own domain — not free Gmail.
  2. Sign in to the Admin console as a super administrator.
  3. Go to Account settings, then the Legal and compliance section.
  4. Find the HIPAA Business Associate Amendment, answer the short confirmation questions, and accept. The BAA takes effect immediately.
  5. Save a copy of the accepted agreement with your practice’s compliance records.

Microsoft 365

  1. Use a commercial Microsoft 365 business plan — consumer and family plans don’t qualify.
  2. Microsoft’s BAA terms are built into its standard Data Protection Addendum for commercial online services, so for most business subscriptions the agreement applies automatically — there’s usually nothing separate to sign.
  3. Download the current Data Protection Addendum from Microsoft’s licensing site and file it with your compliance records, so you can show the coverage in writing.
  4. If you bought through a reseller, confirm with them that your subscription is a commercial plan covered by the DPA.

Step two: know which services are covered

The BAA covers specific services, not everything with the company’s logo on it. The practical rule for a small practice: keep PHI in the core covered services, and treat everything else as if it were public.

PlatformTypically covered (core services)Typically not covered
Google WorkspaceGmail, Calendar, Drive (including Docs, Sheets, Slides, Forms), Meet, Chat, Keep, Sites, Tasks, VaultConsumer services and most “Additional Services” — e.g. YouTube, Google Photos, and anything used with a personal account
Microsoft 365Exchange Online (email/calendar), OneDrive, SharePoint, Teams, Office apps connected to those servicesConsumer services, personal accounts, and some peripheral apps outside the core online services

Both vendors publish their current covered-services lists, and the lists evolve — check them when you adopt a new tool, and file the current list with your records. The discipline that matters day to day is simple: patient information lives in covered email, covered storage, and covered chat, and nowhere else.

Step three: access controls that actually matter

A signed BAA covers the vendor’s side. Your side is access control, and for a small practice it comes down to a short list:

  • One account per person, no sharing. Shared logins make it impossible to know who accessed what. Every staff member gets their own account — and departures mean same-day suspension.
  • Enforce two-step verification for everyone. Turn it on as an admin requirement, not a suggestion. This single setting prevents the most common way small-business accounts are compromised.
  • Limit administrator access. One or two admin accounts, used only for administration. Day-to-day work happens in regular accounts.
  • Restrict external sharing defaults. Set Drive or OneDrive/SharePoint sharing so files aren’t shareable to “anyone with the link” by default. Deliberate sharing is fine; accidental public links are the thing to prevent.
  • Review access twice a year. Fifteen minutes: who has accounts, who has admin, what third-party apps are connected. Remove what’s stale.

Step four: retention and deletion

Decide on purpose how long email and files are kept, write the decision down, and make the platform enforce it. Google Workspace does this with Vault retention rules; Microsoft 365 uses retention policies in the Purview compliance center. For a small practice, one sensible baseline policy applied to email and files beats an elaborate scheme nobody maintains. Retention interacts with your state’s medical-record requirements, so align the written policy with whatever your records-retention obligations already are — your platform should enforce the policy you’ve chosen, not substitute for choosing one.

Step five: mobile devices

Staff will read work email on their phones — plan for it rather than pretending otherwise. Both platforms include basic mobile management on business plans, and the basic tier is genuinely enough for a small practice:

  • Require a screen lock and device encryption on any device that connects to work accounts (both platforms can enforce this automatically).
  • Enable remote account wipe, so a lost phone means removing the work account from it, not a crisis.
  • Have staff use the official apps (Gmail, Outlook, Drive, Teams) rather than forwarding work mail to personal accounts — forwarding to an uncovered personal inbox quietly moves PHI outside the BAA.

What a solo practice actually needs — and the enterprise noise to skip

Vendor marketing for “HIPAA compliance tooling” is mostly aimed at organizations with a compliance department. A one-to-ten-provider practice needs the list above: BAA signed and filed, PHI kept to covered services, two-step verification enforced, per-person accounts, sane sharing defaults, one written retention policy, and mobile basics. That’s the whole core.

You can safely skip, for now: data-loss-prevention rule engines, CASB add-ons, eDiscovery workflows, insider-risk analytics, and third-party “compliance dashboard” subscriptions that mostly re-display your admin console settings. None of these are bad — they’re built for scale you don’t have yet, and every one adds cost and maintenance. Add them when a real need appears, not because a checklist generated for a hospital says so.

The done-for-you path

Everything on this page is genuinely doable yourself — that’s why we wrote it down. If you’d rather have it done, checked, and kept current, that’s a service we offer at a published price:

  • Stack Tune-Up — $750 fixed. We inventory the tools you already pay for (Workspace/Microsoft 365, EHR portal settings, forms, phones, DNS & email security), optimize the configuration for your workflows and for compliance, and give you a plain-English report of what changed and why.
  • Stack Stewardship — $150/mo. We become the administrator (and where possible, reseller) of record for your existing stack: license and renewal management, configuration kept tuned, quarterly compliance re-check. No rebuild required — we take care of what you already own.

No migration, no rebuild, no replacing tools that already work — tuning what you own is the entire point of the service. Details are on the Stack Stewardship page and the pricing page; Stewardship is included in our Growth plan and above.

Frequently asked questions

Is Google Workspace HIPAA compliant?

Google Workspace supports HIPAA-appropriate use: Google signs a BAA on paid plans, and its core services are built to operate under it. But no platform is compliant by itself — compliance comes from the combination of the signed BAA, keeping PHI within covered services, and your own access controls. A correctly configured Workspace account meets the platform side of that fully.

Is Microsoft 365 HIPAA compliant?

Same answer, same structure: Microsoft includes BAA terms in its standard Data Protection Addendum for commercial plans, covering core services like Exchange Online, OneDrive, SharePoint, and Teams. Your configuration — MFA, per-person accounts, sharing defaults, retention — completes the picture. Consumer and family plans don’t qualify.

Does signing the BAA cost anything?

No. Both Google and Microsoft include BAA coverage with paid business plans at no additional charge. If a consultant quotes you a large fee “to get your BAA signed,” the actual signing is minutes of admin-console work — the legitimate value is in the configuration around it, which is what a proper tune-up covers.

Can I email patients from Gmail or Outlook once the BAA is signed?

Within your covered business account, yes — email to and among your staff operates under the BAA. Email to patients crosses to systems you don’t control, so the standard practice is to get the patient’s acknowledgment that they’re comfortable with regular email, keep the content minimal, and use a portal or secure-message option for anything detailed. Both platforms also offer message encryption options worth enabling.

Do I need to migrate from one platform to the other?

Almost never for compliance reasons — both platforms support the same posture. Migration only makes sense for workflow or cost reasons, and usually the right move is tuning what you already own. That’s precisely what the $750 Stack Tune-Up is for, and “you probably don’t need to throw out what you have” is our honest default advice.

What does Clineo’s Stack Tune-Up actually check?

The full inventory of what you already pay for: Workspace or Microsoft 365 configuration (BAA, covered services, MFA, sharing, retention, mobile), EHR portal settings, form handling, phone setup, and DNS and email security (SPF, DKIM, DMARC). You get a plain-English report of what changed and why, for a fixed $750. Ongoing administration after that is Stack Stewardship at $150/mo.