Vendor compliance profile
Are Google Forms HIPAA compliant?
Google Forms may support a HIPAA-regulated collection workflow only inside an eligible, managed Google Workspace environment after the applicable Google BAA is accepted. Forms is listed within Google's HIPAA Included Functionality, but responses, Drive storage, uploads, notifications, sharing, scripts, add-ons, exports, and downstream systems still require configuration and review.
Direct compliance answer
Google Forms HIPAA, BAA, PHI, and SOC 2 snapshot
Last checked: 2026-07-16 | Confidence: High
| Direct answer | Google Forms may support a HIPAA-regulated collection workflow only inside an eligible, managed Google Workspace environment after the applicable Google BAA is accepted. Forms is listed within Google's HIPAA Included Functionality, but responses, Drive storage, uploads, notifications, sharing, scripts, add-ons, exports, and downstream systems still require configuration and review. |
|---|---|
| BAA availability | Google Workspace customers must accept the applicable Google BAA and confirm that the exact managed account, services, users, storage, support path, and connected products are covered before collecting PHI through Forms. |
| Can it handle PHI? | Form answers, file uploads, linked Sheets, confirmation messages, email notifications, sharing links, URL parameters, Apps Script, add-ons, exports, and analytics can expose PHI outside the intended response store. |
| SOC 2 caveat | Google publishes Workspace compliance and audit materials. Request or review the current report scope and confirm that the Workspace services and administrative environment used by the form workflow are included. |
| What to verify | Whether the applicable Google Workspace BAA is accepted for the organization and Forms remains within current HIPAA Included Functionality. Who owns the form, response Drive files, linked Sheets, uploaded files, scripts, and exports, and which users or external guests can access them. |
HIPAA status signal
Conditional
BAA public signal
Google Workspace BAA
SOC 2 evidence signal
Google public evidence
PHI warning: Form answers, file uploads, linked Sheets, confirmation messages, email notifications, sharing links, URL parameters, Apps Script, add-ons, exports, and analytics can expose PHI outside the intended response store.
Search query answers
Are Google Forms HIPAA compliant?
Google lists Forms within Google Workspace HIPAA Included Functionality, but that does not make every form automatically compliant. Use an eligible managed Workspace account, accept the applicable BAA, minimize PHI, and review response storage, uploads, notifications, sharing, Apps Script, add-ons, exports, and connected systems.
Can a personal Google account use Forms with PHI?
Do not treat consumer or personal Google Forms as appropriate for PHI. The public HIPAA path is tied to eligible Google Workspace or Cloud Identity services and the applicable BAA, plus organization-controlled configuration and user access.
Can Google Forms collect patient information?
Potentially, but only after the organization verifies its Google BAA, managed account, included functionality, response destination, uploads, sharing, notifications, scripts, add-ons, retention, exports, and every system that receives the responses.
How do you make a Google Forms workflow HIPAA-ready?
Confirm the Google BAA and eligible account, restrict form and response access, use minimum-necessary questions, disable unnecessary notifications and add-ons, govern file uploads and linked Sheets, review Apps Script and integrations, and document retention, deletion, audit, and incident procedures.
HIPAA, BAA, and SOC 2 summary
| HIPAA | Google's HIPAA Included Functionality page, dated May 14, 2026 when reviewed, lists Google Forms within Google Drive functionality covered under the applicable Google Workspace Business Associate Addendum. |
|---|---|
| BAA | Google Workspace customers must accept the applicable Google BAA and confirm that the exact managed account, services, users, storage, support path, and connected products are covered before collecting PHI through Forms. |
| SOC 2 | Google publishes Workspace compliance and audit materials. Request or review the current report scope and confirm that the Workspace services and administrative environment used by the form workflow are included. |
| PHI risk | Form answers, file uploads, linked Sheets, confirmation messages, email notifications, sharing links, URL parameters, Apps Script, add-ons, exports, and analytics can expose PHI outside the intended response store. |
| Category | HIPAA-Compliant Forms and Intake Software |
| Last checked | 2026-07-16 |
| Confidence | High |
Public evidence and open questions
What public sources say
- Google currently lists Google Forms within its HIPAA Included Functionality for the applicable Workspace BAA.
- Google Forms responses commonly flow into Google Drive and Google Sheets, so access, sharing, exports, retention, and linked automation must be reviewed together.
- Included functionality and a BAA do not cover customer configuration, third-party add-ons, external recipients, analytics scripts, or downstream vendors automatically.
What remains unconfirmed
- Whether the buyer's exact Workspace edition, tenant, users, support arrangement, Drive location, linked Sheets, scripts, add-ons, and downstream systems are covered and configured appropriately.
- Whether notification emails, file uploads, confirmation messages, exports, URL parameters, sharing links, and support cases can expose PHI outside the governed environment.
What it may be used for
- Managed Google Workspace intake workflows after BAA acceptance, included-functionality review, access restrictions, and downstream data-flow review.
- Minimum-necessary forms where notifications, uploads, scripts, add-ons, sharing, and exports are tightly governed.
- Non-PHI contact or operational forms that intentionally avoid patient-identifying healthcare context.
What not to use it for
- Collecting PHI through a personal or unmanaged Google account.
- Sending complete form responses through ordinary notification emails or unsupported automations.
- Using third-party add-ons, analytics, scripts, webhooks, or exports with PHI before each data recipient is reviewed.
What to verify with the vendor
- Whether the applicable Google Workspace BAA is accepted for the organization and Forms remains within current HIPAA Included Functionality.
- Who owns the form, response Drive files, linked Sheets, uploaded files, scripts, and exports, and which users or external guests can access them.
- Whether notifications, confirmation messages, Apps Script, add-ons, analytics, webhooks, and connected CRMs or EHRs stay inside covered scope.
- Whether retention, deletion, audit logs, account recovery, mobile access, support, and incident response are governed for the workflow.
Safer alternatives and related profiles
Safer alternatives to consider
- A healthcare-focused intake platform with explicit BAA coverage for forms, uploads, signatures, notifications, and routing.
- Jotform only after its HIPAA-enabled account, BAA, form settings, notifications, and integrations are verified.
- Google Forms inside an eligible managed Workspace environment after BAA and full workflow review.
FAQ
Are Google Forms HIPAA compliant?
Google lists Forms within Google Workspace HIPAA Included Functionality, but that does not make every form automatically compliant. Use an eligible managed Workspace account, accept the applicable BAA, minimize PHI, and review response storage, uploads, notifications, sharing, Apps Script, add-ons, exports, and connected systems.
Can a personal Google account use Forms with PHI?
Do not treat consumer or personal Google Forms as appropriate for PHI. The public HIPAA path is tied to eligible Google Workspace or Cloud Identity services and the applicable BAA, plus organization-controlled configuration and user access.
Can Google Forms collect patient information?
Potentially, but only after the organization verifies its Google BAA, managed account, included functionality, response destination, uploads, sharing, notifications, scripts, add-ons, retention, exports, and every system that receives the responses.
How do you make a Google Forms workflow HIPAA-ready?
Confirm the Google BAA and eligible account, restrict form and response access, use minimum-necessary questions, disable unnecessary notifications and add-ons, govern file uploads and linked Sheets, review Apps Script and integrations, and document retention, deletion, audit, and incident procedures.
Is Google Forms HIPAA compliant?
Google Forms may support a HIPAA-regulated collection workflow only inside an eligible, managed Google Workspace environment after the applicable Google BAA is accepted. Forms is listed within Google's HIPAA Included Functionality, but responses, Drive storage, uploads, notifications, sharing, scripts, add-ons, exports, and downstream systems still require configuration and review.
Will Google Forms sign a BAA?
Google Workspace customers must accept the applicable Google BAA and confirm that the exact managed account, services, users, storage, support path, and connected products are covered before collecting PHI through Forms.
Can Google Forms be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Does SOC 2 mean Google Forms is HIPAA compliant?
No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.
What should buyers verify before using Google Forms with PHI?
Whether the applicable Google Workspace BAA is accepted for the organization and Forms remains within current HIPAA Included Functionality. Who owns the form, response Drive files, linked Sheets, uploaded files, scripts, and exports, and which users or external guests can access them. Whether notifications, confirmation messages, Apps Script, add-ons, analytics, webhooks, and connected CRMs or EHRs stay inside covered scope. Whether retention, deletion, audit logs, account recovery, mobile access, support, and incident response are governed for the workflow.
Last checked and source notes
- Last checked
- 2026-07-16
- Confidence
- High
- Dataset rows
- 271 vendors
- Reviewed Google's HIPAA Included Functionality and Workspace Business Associate Addendum on 2026-07-16.
- The Included Functionality page showed an effective list dated May 14, 2026 when reviewed.
- ComplySaaS did not verify a private Google tenant, accepted BAA, form configuration, or customer-specific data flow.
- Google Workspace HIPAA Included Functionality
- Google Workspace HIPAA Business Associate Amendment