Vendor documentation review

Is Google Forms HIPAA Compliant? (2026 Verdict)

Conditionally

Google Forms can handle PHI only through a managed Google Workspace or Cloud Identity account with Google's BAA accepted and covered services configured correctly.

Last verified:

At a glance

BAA available
Yes
Plan required
Managed Google Workspace or Cloud Identity account
Configuration required
Accept the BAA in Admin console, restrict sharing, and keep PHI out of add-ons and other services not covered by the BAA.
Category
Forms
Official site
Visit Google Forms

What Google says officially

Google treats Forms as part of a larger managed Workspace environment, not as a stand-alone healthcare product. Google’s current HIPAA Included Functionality list names Google Drive and specifically includes Google Forms, responses, Docs, and Sheets among covered services. That coverage applies under the relevant Google Workspace HIPAA Business Associate Addendum.

Google’s HIPAA compliance guidance adds the conditions that matter. A Google Workspace or Cloud Identity customer that plans to use PHI must accept the BAA through the Admin console. Customers that have not signed it must not use PHI in those services. Google also says the BAA does not extend to Additional Google Services or third-party applications, including add-ons.

The BAA terms put configuration responsibility on the customer. The organization must use available controls so PHI stays within covered services. That is why the verdict is conditional even though Forms appears on the covered list.

What this means for a medical practice

A practice might build a pre-visit form that asks for the patient’s name, appointment date, symptoms, current medication, and insurance details. The response may be saved in Forms and linked to a Google Sheet. Those two parts can sit inside Google’s covered functionality when the managed organization has accepted the BAA.

The workflow becomes less clear when someone installs an add-on to send the response to a CRM, exports it to a personal Drive account, turns on broad link sharing, or emails the Sheet to an outside address. The Google BAA does not follow PHI into every product that connects to Forms. Each transfer creates another vendor and access decision.

Consumer accounts are another common failure point. A form created from @gmail.com may look identical to one created inside the practice’s managed domain, but it is not backed by the organization’s accepted Workspace BAA. The logo and form fields do not reveal that difference to the patient.

Map the form as part of the wider HIPAAconscious website data flow , including who owns it, where responses land, and who can share them. If this is an intake or follow-up form, design it as part of the patient engagement process rather than leaving a spreadsheet with no operational owner.

How to use it safely

  1. Create the form inside the practice’s managed Google Workspace or Cloud Identity domain.
  2. Have a super administrator review and accept Google’s HIPAA BAA in the Admin console before the form receives PHI.
  3. Confirm Forms, Drive, and Sheets remain on Google’s current Included Functionality list.
  4. Restrict the form, response Sheet, and Drive files to the minimum necessary staff. Avoid public or “anyone with the link” access for PHI.
  5. Remove third-party add-ons unless the practice has separately reviewed the vendor, data flow, and required agreement.
  6. Test notifications, sharing, exports, and staff access with synthetic data. Document the form owner and a process for removing access when roles change.

Google provides the covered service and administration controls. The practice remains responsible for choosing and maintaining them.

Compliant alternatives

Jotform is a more form-specific alternative when the practice wants a guided healthcare migration and an account-level review of unsupported widgets and integrations. Its BAA path requires Gold or Enterprise, so the best choice depends on whether the practice already manages Google Workspace well.

Bottom line

Google Forms can support a HIPAA-compliant workflow inside a managed Workspace environment with the BAA accepted. Do not collect PHI through a consumer account, and do not assume add-ons or external destinations inherit Google’s agreement.

Frequently asked questions

Does Google's BAA cover Google Forms?

Yes. Google lists Forms, through Google Drive, as Included Functionality under the applicable Google Workspace HIPAA BAA.

Can a free consumer Google account collect PHI in Google Forms?

No. Google's documentation says customers that have not signed its BAA must not use PHI in Google Workspace or Cloud Identity services.

Are Google Forms add-ons covered by Google's BAA?

No. Google states that third-party applications, including add-ons, are not Included Functionality under its Workspace BAA.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review