GCP HIPAA Compliance
Complete Implementation Guide
Build HIPAA-compliant healthcare applications on Google Cloud Platform. Learn about BAA coverage, Cloud Run, Healthcare API, serverless architecture, and implementation best practices.
Google Cloud's BAA is accepted in the Cloud Console and covers all in-scope GCP products — including serverless services like Cloud Run, Cloud Functions, and BigQuery.
45 CFR Part 164 · HHS OCR · GCP BAA via Cloud Console · Last reviewed June 2026
Direct Answer
You can run HIPAA-regulated PHI on Google Cloud by accepting its Business Associate Agreement (BAA) in the Cloud Console; the BAA covers a broad set of in-scope products, including serverless services such as Cloud Run and BigQuery. Under the shared responsibility model Google secures the infrastructure, while you remain responsible for encryption, access control, audit logging, and your application — so coverage alone does not make you compliant.
Cloud Console
GCP BAA Coverage
Google Cloud's BAA covers a broad, published list of in-scope products, including its serverless services, and is accepted as a self-service step in the Cloud Console rather than negotiated.
Sign into GCP Console
Log in with admin credentials
Navigate to Compliance
Go to Compliance section in console
Review BAA Terms
Read the BAA terms and check Google's current list of HIPAA-covered products
Accept BAA
Electronically accept the BAA agreement
Configure Services
Enable HIPAA-compliant configurations
Document Coverage
Maintain BAA documentation
Key Advantage: The BAA's scope includes serverless products such as Cloud Run, Cloud Functions, and BigQuery, so a fully serverless PHI architecture can stay inside covered services. Not every GCP product is covered, so verify each one against Google's covered-products list before it touches PHI.
BAA Coverage
GCP HIPAA-Eligible Services
A broad set of GCP services is in scope of the BAA. Here are the ones most commonly used for healthcare applications:
Healthcare
Cloud Healthcare API
FHIR, HL7v2, and DICOM data management
Compute
Cloud Run
Serverless containers for PHI processing
Storage
Cloud Storage
Object storage with encryption and retention
Database
Cloud SQL
Managed MySQL, PostgreSQL, SQL Server
Compute
Cloud Functions
Serverless functions for event-driven PHI workflows
Analytics
BigQuery
Data warehouse for healthcare analytics
Containers
GKE (Kubernetes Engine)
Managed Kubernetes with security controls
Security
Cloud KMS
Key management for encryption
Monitoring
Cloud Logging
Centralized logging and audit trails
Monitoring
Cloud Monitoring
Infrastructure and application monitoring
Network
VPC Service Controls
Security perimeter for sensitive data
Security
Cloud Armor
DDoS protection and WAF
Note: Confirm each product against Google Cloud's current list of HIPAA-covered products before placing PHI on it; see the GCP HIPAA Compliance documentation.
Serverless First
Serverless HIPAA Architecture on GCP
GCP excels at serverless HIPAA-compliant architectures with Cloud Run and Cloud Functions:
Cloud Run
API endpoints for PHI access
Auto-scaling, pay-per-use, fully managed
Cloud Functions
Event-driven PHI processing
Serverless, triggered by events, cost-effective
Cloud Healthcare API
FHIR/HL7v2/DICOM storage
Healthcare-specific and BAA-covered; IAM, CMEK, and audit logging are still yours to configure
BigQuery
PHI analytics and reporting
Petabyte-scale, SQL interface, ML integration
Cloud Storage
Medical imaging and documents
Durable, encrypted, lifecycle management
VPC Service Controls
Data perimeter security
Prevent data exfiltration, context-aware access
Build It Right
GCP HIPAA Architecture Best Practices
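The controls named above (private ingress, CMEK, a dedicated runtime identity, secrets from Secret Manager, no anonymous invokers) are all on the customer side of the shared responsibility line, and all of them are visible in the service manifest and IAM policy that `gcloud run services describe` and `gcloud run services get-iam-policy` return. The following check is an added example for this page, not Google's tooling or any published baseline: it reads those two documents and reports each deviation. The annotation names `run.googleapis.com/ingress` and `run.googleapis.com/encryption-key` are real Cloud Run annotations; the project, key ring, service account and container image names, and both sample manifests, are constructed for illustration.

```python
"""Posture check for a Cloud Run service that handles PHI.

Added example for this page, not Google tooling. Inputs mirror the shapes of
`gcloud run services describe SERVICE --format=yaml` (Knative Serving manifest)
and `gcloud run services get-iam-policy SERVICE --format=json`. The sample
manifests, project, key and account names below are constructed.
"""
from __future__ import annotations

from typing import Any

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PRIVATE_INGRESS = {"internal", "internal-and-cloud-load-balancing"}
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def check_cloud_run_service(service: dict[str, Any], iam_policy: dict[str, Any]) -> list[str]:
    """Return findings against a PHI baseline; an empty list means the baseline is met."""
    findings: list[str] = []
    svc_ann = service.get("metadata", {}).get("annotations") or {}
    template = service.get("spec", {}).get("template", {})
    tpl_ann = template.get("metadata", {}).get("annotations") or {}
    tpl_spec = template.get("spec", {})

    # 1. Ingress: a PHI endpoint should sit behind the VPC or an internal load balancer.
    #    When the annotation is absent Cloud Run defaults to "all" (public).
    ingress = svc_ann.get("run.googleapis.com/ingress", "all")
    if ingress not in PRIVATE_INGRESS:
        findings.append(f"ingress is '{ingress}'; expected one of {sorted(PRIVATE_INGRESS)}")

    # 2. CMEK: the revision template must name a Cloud KMS key (customer-owned control).
    if not tpl_ann.get("run.googleapis.com/encryption-key"):
        findings.append("no CMEK configured (run.googleapis.com/encryption-key missing)")

    # 3. Runtime identity: a dedicated least-privilege service account, not the
    #    project's default compute service account.
    sa = tpl_spec.get("serviceAccountName", "")
    if not sa or sa.endswith("-compute@developer.gserviceaccount.com"):
        findings.append("service runs as the default compute service account")

    # 4. Secrets: credentials come from Secret Manager (valueFrom.secretKeyRef),
    #    never as a plaintext env value.
    for container in tpl_spec.get("containers", []):
        for env in container.get("env", []):
            name = env.get("name", "")
            if "value" in env and any(hint in name.upper() for hint in SECRET_HINTS):
                findings.append(f"env var {name} carries a plaintext secret-like value")

    # 5. Invoker policy: no anonymous caller and no "any Google account" caller.
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") == "roles/run.invoker":
            for member in sorted(PUBLIC_MEMBERS & set(binding.get("members", []))):
                findings.append(f"roles/run.invoker granted to {member}")
    return findings


# Constructed samples: a misconfigured service and its hardened counterpart.
WEAK_SERVICE = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "fhir-gateway", "annotations": {"run.googleapis.com/ingress": "all"}},
    "spec": {"template": {"metadata": {"annotations": {}}, "spec": {"containers": [
        {"image": "us-docker.pkg.dev/example-proj/app/fhir-gateway:1",
         "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}}},
}
WEAK_POLICY = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}

HARDENED_SERVICE = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "fhir-gateway",
                 "annotations": {"run.googleapis.com/ingress": "internal-and-cloud-load-balancing"}},
    "spec": {"template": {
        "metadata": {"annotations": {"run.googleapis.com/encryption-key":
                     "projects/example-proj/locations/us-central1/keyRings/phi/cryptoKeys/cloud-run"}},
        "spec": {"serviceAccountName": "fhir-gateway@example-proj.iam.gserviceaccount.com",
                 "containers": [{"image": "us-docker.pkg.dev/example-proj/app/fhir-gateway:1",
                                 "env": [{"name": "DB_PASSWORD", "valueFrom": {
                                     "secretKeyRef": {"name": "db-password", "key": "latest"}}}]}]}}},
}
HARDENED_POLICY = {"bindings": [{"role": "roles/run.invoker", "members": [
    "serviceAccount:api-gateway@example-proj.iam.gserviceaccount.com"]}]}

if __name__ == "__main__":
    for label, svc, pol in (("weak", WEAK_SERVICE, WEAK_POLICY),
                            ("hardened", HARDENED_SERVICE, HARDENED_POLICY)):
        found = check_cloud_run_service(svc, pol)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The weak manifest trips all five rules; the hardened one passes. Run it against the real output of the two `gcloud` commands (YAML loaded with any YAML parser, JSON with `json.load`) as a pre-deployment gate, and keep the allowed-ingress and secret-hint sets as assumptions to tune for your own services.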
Indicative Spend
GCP HIPAA Cost Estimates
Indicative monthly costs for a small serverless healthcare application on GCP (list prices vary by region and change over time; use the Google Cloud pricing calculator for a real estimate):
| Service | Estimated Cost | Usage |
|---|---|---|
| Cloud Run (1M requests) | $0.40/month for requests; vCPU and memory time billed separately | Serverless API |
| Cloud SQL (db-n1-standard-1) | $25-40/month single zone; high availability roughly doubles this | Database |
| Cloud Storage (Standard) | $20/TB/month | PHI storage |
| Cloud Logging | $0.50/GB ingested beyond the free allotment | Audit logs |
| Cloud KMS | $0.06 per active software key version/month | Encryption keys |
| Healthcare API | $0.01/GB stored | FHIR data |
Total Estimated Cost: roughly $100-300/month for a small serverless HIPAA-eligible application. GCP's serverless offerings can be significantly cheaper than traditional VM-based architectures, largely because idle capacity is not billed.
8-Week Plan
GCP HIPAA Implementation Timeline
Week 1-2: Planning & BAA
Accept the GCP BAA, design the serverless architecture, select covered services
Week 3-4: Infrastructure Setup
Configure VPC Service Controls, set up encryption, implement IAM, enable logging
Week 5-6: Application Deployment
Deploy Cloud Run services, configure monitoring, set up Healthcare API, test workflows
Week 7-8: Security & Compliance
Security assessment, penetration testing, compliance documentation, training
Who Owns What
GCP Shared Responsibility for HIPAA
Google secures the cloud; you secure what you run in it. The split below shows who owns each control for a typical PHI workload — the customer-owned rows are where most compliance gaps appear, even on serverless.
| Control Area | Owner | What it covers |
|---|---|---|
| Physical data-center security | Google | Facilities, hardware, and global infrastructure |
| Hypervisor & host isolation | Google | Virtualization layer separating tenants |
| Managed-service patching | Google | Runtime patching for managed/serverless services (e.g. Cloud Run) |
| Encryption (CMEK) | Customer | Google encrypts at rest by default; choosing and managing customer-managed keys, and TLS for your own endpoints, is yours |
| IAM & access management | Customer | Least-privilege roles, Identity-Aware Proxy, MFA |
| Audit logging (Cloud Audit Logs) | Customer | Enabling, retaining, and reviewing logs |
| Guest OS patching (GCE / IaaS) | Customer | Patching the OS on Compute Engine VMs |
| Application & data security | Customer | Secure code, input validation, PHI handling |
HIPAA is enforced by the US Department of Health and Human Services — see the HHS HIPAA portal for the Security Rule, and Google Cloud's HIPAA page for BAA coverage.
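"Enabling, retaining, and reviewing logs" is the row most often left half-done: Admin Activity logs are always on, but Data Access logs for Cloud Storage have to be switched on explicitly, and nobody reads either unless something consumes them. The reviewer below is an added example for this page, not Google tooling. It walks Cloud Audit Log records in the shape `gcloud logging read --format=json` returns and raises three kinds of finding for a PHI bucket: an object access by an identity outside the approved workload set, an object access from outside the trusted networks (which VPC Service Controls should have blocked), and an IAM change that grants a public member. The bucket, project, principals, IP ranges and every log record are constructed for illustration.

```python
"""Review Cloud Audit Log entries for a PHI bucket.

Added example for this page, not Google tooling. Entries follow the shape of
Cloud Audit Log records (protoPayload.methodName, resourceName,
authenticationInfo, requestMetadata, serviceData.policyDelta), but the records,
bucket, project, principals and IP ranges below are constructed.
"""
from __future__ import annotations

import ipaddress
import json
from typing import Any

PHI_BUCKET = "projects/_/buckets/phi-images"  # assumed bucket
# Workload identities expected to touch the bucket (assumed).
ALLOWED_PRINCIPALS = {
    "fhir-gateway@example-proj.iam.gserviceaccount.com",
    "imaging-etl@example-proj.iam.gserviceaccount.com",
}
# VPC range and corporate egress range (assumed). Anything else should have been
# stopped by VPC Service Controls, so its presence in the log is itself a finding.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _from_trusted_network(caller_ip: str) -> bool:
    """Audit logs write 'private' for calls that originate inside Google's network."""
    if caller_ip == "private":
        return True
    try:
        ip = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def review_audit_logs(entries: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per rule hit: {rule, principal, detail}."""
    findings: list[dict[str, str]] = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "storage.googleapis.com":
            continue
        resource = payload.get("resourceName", "")
        if not resource.startswith(PHI_BUCKET):
            continue
        method = payload.get("methodName", "")
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        caller_ip = payload.get("requestMetadata", {}).get("callerIp", "")
        is_data_access = entry.get("logName", "").endswith("data_access")

        # Rule 1: object read/write by an identity outside the approved workload set.
        if is_data_access and method.startswith("storage.objects.") and principal not in ALLOWED_PRINCIPALS:
            findings.append({"rule": "unapproved-principal", "principal": principal,
                             "detail": f"{method} on {resource}"})
        # Rule 2: object access from outside the trusted networks.
        if method.startswith("storage.objects.") and not _from_trusted_network(caller_ip):
            findings.append({"rule": "untrusted-network", "principal": principal,
                             "detail": f"{method} from {caller_ip}"})
        # Rule 3: an IAM change (Admin Activity log) that opens the bucket to the world.
        if method == "storage.setIamPermissions":
            deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for delta in deltas:
                if delta.get("action") == "ADD" and delta.get("member") in PUBLIC_MEMBERS:
                    findings.append({"rule": "public-iam-grant", "principal": principal,
                                     "detail": f"{delta.get('role')} granted to {delta['member']}"})
    return findings


# Constructed log records: one benign workload read, one contractor read from the
# internet, one admin granting allUsers on the bucket.
SAMPLE_LOG = json.loads("""[
 {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
   "resourceName": "projects/_/buckets/phi-images/objects/scan-001.dcm",
   "authenticationInfo": {"principalEmail": "fhir-gateway@example-proj.iam.gserviceaccount.com"},
   "requestMetadata": {"callerIp": "10.8.0.5"}}},
 {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
   "resourceName": "projects/_/buckets/phi-images/objects/scan-001.dcm",
   "authenticationInfo": {"principalEmail": "alice@example.com"},
   "requestMetadata": {"callerIp": "198.51.100.7"}}},
 {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.setIamPermissions",
   "resourceName": "projects/_/buckets/phi-images",
   "authenticationInfo": {"principalEmail": "bob@example.com"},
   "requestMetadata": {"callerIp": "203.0.113.10"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}}
]""")

if __name__ == "__main__":
    for finding in review_audit_logs(SAMPLE_LOG):
        print(f"[{finding['rule']}] {finding['principal']}: {finding['detail']}")
```

On the sample the first record is silent, the contractor read produces two findings (unapproved principal, untrusted network) and the IAM change one. If a review window shows no `data_access` records at all for a bucket that is in daily use, treat that as a finding too: it usually means Data Access logging was never enabled for Cloud Storage, so the "reviewing logs" control has nothing to review.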
Frequently Asked Questions
How do I sign the Google Cloud HIPAA BAA?
A Google Cloud customer can request and accept the HIPAA Business Associate Agreement (BAA) through the Cloud Console (or via their Google Cloud account team for larger organizations). Once accepted, the BAA covers the in-scope GCP products, which is a broad set — including serverless services. Keep a record of the accepted BAA and restrict PHI to covered products.
Is Google Cloud HIPAA certified?
Google Cloud is not "HIPAA certified" — HIPAA has no certification scheme. Google signs a BAA and supports HIPAA across its covered products. Compliance is shared: Google secures the infrastructure, and you are responsible for configuring services correctly and documenting your controls through a Security Risk Assessment.
Does the GCP BAA really cover all services, including Cloud Run?
Google Cloud's BAA covers a broad set of in-scope products, and that scope notably includes serverless services such as Cloud Run, Cloud Functions, and BigQuery alongside Cloud Healthcare API, Cloud Storage, Cloud SQL, and GKE. Coverage can change, so always confirm a specific product against Google's current list of HIPAA-covered products before placing PHI on it.
What is my responsibility under GCP's shared responsibility model?
You own the security of your configuration and data: customer-managed encryption keys (CMEK), IAM least-privilege roles, Identity-Aware Proxy, Cloud Audit Logs, VPC Service Controls to prevent data exfiltration, guest-OS patching on Compute Engine, and your application code. Google secures the physical infrastructure and hypervisor.
Is GCP good for serverless HIPAA architectures?
Yes. Because Google Cloud's BAA covers serverless products like Cloud Run and Cloud Functions, GCP is well-suited to fully serverless, HIPAA-eligible architectures that auto-scale and bill per use. You still apply the same controls — CMEK encryption, IAM, audit logging, and a Security Risk Assessment — but you avoid managing and patching servers.
Written By Expert Auditors
Keep Exploring
Related Reading
HIPAA Cloud Compliance
Running PHI workloads on AWS, Azure and GCP compliantly.
HIPAA Knowledge Hub
Privacy Rule, Security Rule, BAAs, cloud guides and penalties.
HIPAA Security Rule
Administrative, physical and technical safeguards for ePHI.
Business Associate Agreements
What a BAA must contain and when you need one.
SOC 2 for Healthtech
Where SOC 2 meets HIPAA for healthcare SaaS selling into the US.
HIPAA Compliance
US health-data rules for healthtech and business associates.