Google Sheets is not HIPAA compliant by default. Google Sheets can be HIPAA compliant, but only with a signed BAA under a Business or Enterprise Google Workspace that is specifically set up for HIPAA compliance - including how data is transmitted to and from Google Sheets.
If you need to work with PHI in spreadsheets, consider using Row Zero. Row Zero is a HIPAA compliant spreadsheet application with robust security features to help enforce HIPAA compliance. Row Zero is a secure alternative to Google Sheets and Excel for healthcare organizations and large enterprises.
In this guide, we'll cover several topics including:
- Is Google HIPAA compliant?
- Ways that using Google Sheets can violate HIPAA
- How to make Google Sheets HIPAA compliant
- Row Zero - a HIPAA compliant Google Sheets alternative
Is Google Sheets HIPAA compliant?
Google Sheets is not HIPAA compliant by default, but can be set up for HIPAA compliance on a paid Google Workspace plan (Business or Enterprise) with a signed BAA with Google. The free/personal version of Google Sheets is not HIPAA compliant, so it's important that employees never copy or transfer data from a compliant Google Sheet to a personal Google Sheet. Note that even if Google Sheets is set up to be HIPAA compliant, employees may still use Google Sheets in a way that violates HIPAA. Below we outline some ways that Google Sheets use may violate HIPAA along with ways to make Google Sheets HIPAA compliant.
How can using Google Sheets violate HIPAA?
There are many ways of using Google Sheets that can violate HIPAA. The biggest risks with Google Sheets and HIPAA are data transfer in and out of Google Sheets, human error around sharing and exporting data, inadequate setup, and the use of non-compliant add-ons or integrations. Here are a few potential HIPAA violations to look out for:
- Using Google Sheets for handling PHI without a signed BAA - You must have a signed Business Associate Agreement (BAA) with Google when PHI is involved. If you don't have a signed BAA, your use of Google Sheets violates HIPAA.
- Unencrypted transmission of data to Google Sheets - Even if you set up Google Sheets for HIPAA compliance, you must ensure that data is securely transmitted from its source to Google Sheets.
- Moving PHI out of Google Sheets - Downloading, copying, sharing, or copying and pasting any data containing PHI from Google Sheets to another tool or service that is not covered by a signed BAA or does not encrypt the data. This includes tools used within the organization as well as personal Google accounts, personal devices, or communication channels outside the enterprise.
- Public or broad sharing - You must restrict access to PHI-containing spreadsheets by user and enforce role-based permissions so that only authorized personnel see the data they are authorized to see. As a simple check, click Share on a Google Sheet - you should see "Restricted" under "General access" by default.
- Inadequate setup - Organizations must proactively configure Google Sheets for HIPAA compliance: enable logging in the Workspace Admin Console, make sharing "Restricted" by default, require 2FA/MFA, etc.
- Excessive PHI in Google Sheets - HIPAA includes a "minimum necessary" rule. PHI should only be used when necessary, and you should de-identify data when possible.
- Unauthorized add-ons/integrations/Apps Script - Any add-on or tool used in conjunction with Google Sheets and PHI must also be HIPAA compliant and be covered by a signed BAA.
- Untrained users - Even if you set up Google Sheets to be HIPAA compliant, employees may still violate HIPAA by mishandling PHI in spreadsheets due to lack of training. You should provide Google Sheets HIPAA compliance rules and training to employees.
How to make Google Sheets HIPAA compliant
While the basic/free version of Google Sheets is not HIPAA compliant, you can set up Google Sheets to be HIPAA compliant. Below we outline some steps to take, but it's always important to have security and legal professionals regularly review your particular setup and usage to ensure you are maintaining HIPAA compliance with Google Sheets.
1. Sign a BAA with Google under a Business or Enterprise Google Workspace plan
- Sign a Business Associate Agreement (BAA) with Google (available on the Business and Enterprise tiers of Google Workspace) along with any other tools, add-ons, or services you'll use in conjunction with Google Sheets to handle PHI. Confirm the BAA explicitly covers Google Sheets and Google Drive.
- Ensure no employees are using the free version of Google Sheets or a personal Google account outside of the organization's Google Workspace plan to work with PHI. Free and personal Google Sheets accounts are not HIPAA compliant.
2. Secure Storage & Access Controls
- Sheets must be stored only in Google Drive under your Workspace account with strong access controls.
- The default sharing setting should be "Restricted" on every spreadsheet.
- Sheets should only be shared with named users within the organization's Workspace account (no sharing to personal accounts, public links, or “anyone with the link” access).
- Restrict PHI access to only authorized workforce members that need to see the data.
- Require 2FA/MFA for all accounts accessing PHI.
3. Encryption and Data Transfer
- Google encrypts data at rest and in transit by default, which meets the HIPAA technical safeguard requirements.
- Organizations should ensure that data is securely transmitted to Google Sheets in the first place (e.g. over a secure connection to a data warehouse).
- Organizations should implement policies to prevent downloading or exporting Sheets as CSV or .XLSX files.
4. Audit and Logging
- Admins should enable detailed logging in Google Workspace Admin Console to monitor access and changes.
- Use Data Loss Prevention (DLP) rules where possible to prevent improper sharing or downloading.
- Regularly review access logs for suspicious activity.
- Set up alerts for unusual downloads or sharing events.
5. Limit Integrations and Add-ons
- Disable or strictly control third-party add-ons. You must have a separate BAA with any add-on or app that will interact with PHI and those add-ons must also be HIPAA compliant.
6. Data Minimization & De-Identification
- Apply the HIPAA “minimum necessary” rule — only use PHI that is necessary for the task.
- Use de-identification or pseudonymization when possible (e.g. email hashes and IDs instead of names).
7. Device & Session Security
- Require use of corporate-managed devices with endpoint protection.
- Enable automatic screen locks, inactivity timeouts, and auto log-outs.
8. Retention & Disposal
Define retention and disposal policies for PHI spreadsheets and ideally automate enforcement.
9. Training & Policies
Provide regular HIPAA training on handling PHI in Google Sheets. In particular, reinforce:
- No downloading spreadsheets with PHI without encryption.
- No sharing spreadsheets outside approved channels.
- No copying and pasting PHI out of the workspace Google Sheets to an unapproved channel or tool (including personal Google Sheets).
- Avoid entering PHI directly into Google Sheets or using Google Sheets as the system of record for PHI.
10. Review & Test Regularly
- Perform periodic audits of Google Workspace access permissions.
- Test DLP rules to ensure PHI cannot leak.
- Update policies as Google releases new compliance features.
- Have a legal and security professional who is familiar with your use case regularly review and audit your Google Sheets use with PHI.
As you can see, there are many steps to make Google Sheets HIPAA compliant and it is an ongoing process to maintain HIPAA compliance with Google Sheets.
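To make the log review and alerting in steps 4 and 10 concrete, here is an added example (not code from the original post, Google, or Row Zero) that scans constructed Drive-audit-style events for the violations described above: a PHI sheet shared with an account outside the Workspace domain, visibility widened beyond "Restricted", and downloads of PHI sheets. The event shape, the example-health.com domain and the "[PHI]" title marker are assumptions.

```python
"""Flag audit events that break the sharing and export rules for PHI sheets.

Added example. The event dicts below are constructed and use a simplified
shape modelled loosely on Google Workspace Drive audit records (actor, event
name, document title, parameters); it is not the real Reports API schema.
"""
ORG_DOMAIN = "example-health.com"  # assumption: the organization's Workspace domain
PHI_MARKER = "[phi]"               # assumption: PHI sheets carry this tag in the title

# Constructed sample events: an internal share (fine), a share to a personal
# Gmail account, a visibility change to "anyone with the link", a download of a
# PHI sheet, a download of a non-PHI sheet, and an ordinary edit.
SAMPLE_EVENTS = [
    {"actor": "alice@example-health.com", "event": "change_user_access",
     "doc_title": "[PHI] Patient roster", "target_user": "bob@example-health.com"},
    {"actor": "alice@example-health.com", "event": "change_user_access",
     "doc_title": "[PHI] Patient roster", "target_user": "friend@gmail.com"},
    {"actor": "carol@example-health.com", "event": "change_document_visibility",
     "doc_title": "[PHI] Lab results Q3", "new_value": "people_with_link"},
    {"actor": "dave@example-health.com", "event": "download",
     "doc_title": "[PHI] Lab results Q3"},
    {"actor": "dave@example-health.com", "event": "download",
     "doc_title": "Cafeteria menu"},
    {"actor": "erin@example-health.com", "event": "edit",
     "doc_title": "[PHI] Patient roster"},
]


def is_phi_sheet(title):
    """A sheet is in scope when its title carries the PHI marker."""
    return PHI_MARKER in title.lower()


def review_events(events, org_domain=ORG_DOMAIN):
    """Return (actor, finding, detail) tuples for PHI sheets that were shared
    outside the domain, opened beyond "Restricted", or downloaded."""
    findings = []
    for ev in events:
        title = ev.get("doc_title", "")
        if not is_phi_sheet(title):
            continue  # only PHI sheets are reviewed here
        kind = ev["event"]
        if kind == "change_user_access":
            target = ev.get("target_user", "").lower()
            if not target.endswith("@" + org_domain.lower()):
                findings.append((ev["actor"], "external_share", f"{title} -> {target}"))
        elif kind == "change_document_visibility" and ev.get("new_value") != "private":
            findings.append((ev["actor"], "broad_sharing", f"{title} -> {ev.get('new_value')}"))
        elif kind == "download":
            findings.append((ev["actor"], "download", title))
    return findings
```

Feed `review_events` the events exported from your own audit log (mapped to these field names) and route its findings to the alerting channel you use for step 4.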
Row Zero - a HIPAA compliant Google Sheets alternative
Row Zero is a HIPAA compliant spreadsheet application with advanced security features to help enforce and maintain HIPAA compliance. Row Zero spreadsheets are only accessible via secure login (e.g. SSO) and row-level security is enforced from the data warehouse, so users can only see data they are authorized to see. Spreadsheets securely connect directly to the data warehouse. There are no files. Data never leaves the cloud. Organizations can restrict data export, sharing, and copy/paste. Row Zero also supports much bigger datasets than the Google Sheets limits, so teams can easily work with big data in a secure spreadsheet. Row Zero will sign a BAA upon request for Business and Enterprise tiers.
Conclusion
Google Sheets is not HIPAA compliant by default, but you can set up Google Sheets to be HIPAA compliant with a signed BAA on Google Workspace (Business or Enterprise) with encryption, access controls, audit logging and tracking, Data Loss Prevention (DLP), and user training all in place. If you don't proactively take these steps, your Google Sheets usage may violate HIPAA.
If your organization needs a HIPAA compliant spreadsheet, consider using Row Zero. Row Zero is a secure spreadsheet with advanced security features to help enforce HIPAA compliance. Row Zero is a secure alternative to Google Sheets for enterprises and healthcare organizations. You can try Row Zero for free or schedule a demo to explore enterprise features.
Note: You should always have a legal and security team review your particular setup and use case to ensure that your spreadsheets are HIPAA compliant.