
Google Workspace admin console security settings guide for Canadian therapists

Gabriel Borges 9 min read

Most Canadian therapists pick Google Workspace because it works. Calendar syncs, email is fast, and the whole suite talks to itself. But the admin console ships with defaults built for tech companies, not regulated health practices.

Canadian health privacy laws require custodians to take reasonable steps to protect personal health information (PHI). In Ontario, PHIPA s.12 spells this out; Alberta’s HIA and BC’s PIPA have comparable safeguard requirements. What counts as “reasonable” isn’t defined precisely in any of these statutes, but the Information and Privacy Commissioner of Ontario (IPC) has consistently interpreted it to include administrative, technical, and physical safeguards. Your admin console is where the technical safeguards live.

This guide walks through every security-relevant setting you should check. Budget 30 to 45 minutes. You only need to do this once.

Before you start: check your Google Workspace edition

Not all editions support the same security features. The biggest gap: data region controls and the HIPAA Business Associate Amendment (BAA) are not available on Business Starter.

Edition              BAA   Data regions                 2FA enforcement
Business Starter     No    No                           Yes
Business Standard    Yes   Yes (fundamental)            Yes
Business Plus        Yes   Yes (fundamental)            Yes
Enterprise Standard  Yes   Yes (fundamental + add-on)   Yes
Enterprise Plus      Yes   Yes (full)                   Yes

If you’re on Business Starter, upgrade to at least Business Standard before continuing. The security features on Starter are too limited for a health practice.

To check your edition: Admin console > Account > Subscriptions.

Sign the HIPAA Business Associate Amendment

Google calls this the “HIPAA Business Associate Amendment,” not a BAA or BAA agreement. It’s a contract addendum that commits Google to specific data handling obligations under HIPAA. While HIPAA is a US law, signing the BAA is the closest equivalent to a data processing agreement for health data in Google Workspace. Without it, Google has no contractual obligation to treat your data as health information.

Path: Admin console > Account > Account settings > Legal and compliance

Under “Security and Privacy Additional Terms,” find the Google Workspace/Cloud Identity HIPAA Business Associate Amendment. Click “Review and Accept.” You’ll answer three confirmation questions about being a covered entity, then click “I Accept.”

This takes two minutes and costs nothing. There is no reason to skip it.

What the BAA covers: Gmail, Calendar, Drive (Docs, Sheets, Slides, Forms), Chat, Meet, Keep, Sites, Tasks, Vault, Voice, Groups, Cloud Identity Management, Apps Script, AppSheet, and Gemini features.

Check data region settings

This is where honesty matters. Google Workspace data regions let you choose where your primary data is stored at rest. The available options are:

  • United States
  • Europe
  • No Preference (default)

Canada is not an option. Google’s data region documentation confirms only US, Europe, and No Preference are available. There is no way to force Google to store your email, Drive files, or Calendar data on Canadian servers. “No Preference” means Google stores data wherever it sees fit, which usually means the US.

Path: Admin console > Data > Compliance > Data regions

If you’re on Business Standard or higher, you can at least pick a region. For Canadian therapists, the honest assessment: none of the options keep your data in Canada. Setting “United States” at least gives you a known jurisdiction. “No Preference” gives you uncertainty.


This is the core tension of using Google Workspace for health data. Google’s infrastructure is excellent. Its data residency options are not built for Canadian privacy law. No Canadian health privacy statute (PHIPA, HIA, or PIPA) explicitly mandates Canadian storage, but the IPC in Ontario has flagged cross-border data storage as a factor in assessing whether safeguards are “reasonable.” Note that BC’s PIPA has no statutory data residency mandate and allows cross-border transfers, though market expectations for Canadian hosting remain strong.

What you can do: document your decision. Record that you reviewed the data region options, that Canada was not available, and that you chose the best available alternative. This documentation helps demonstrate due diligence if a complaint is ever filed.

Enforce 2-step verification for all users

This is the single highest-impact setting in the console. If someone gets your password, 2-step verification (2SV) stops them from getting into your account. Google reports that 2SV blocks the majority of automated account takeover attempts.

Path: Admin console > Security > Authentication > 2-step verification

  1. Leave the top-level organizational unit selected (this applies to all users)
  2. Check “Allow users to turn on 2-Step Verification”
  3. Under Enforcement, select “On”
  4. Set a new user enrollment period (7 days is reasonable) so new staff have time to set up their authenticator
  5. Under Methods, consider restricting to security keys or authenticator apps (SMS codes are the weakest option)
  6. Click Save

After enforcement, any user who hasn’t enrolled in 2SV gets locked out at next login until they set it up. Warn your staff before you flip this switch.

If you’re a solo practitioner, this still matters. Enforce it on your own account. It takes three minutes and protects every piece of client data in your inbox.

Review Drive sharing permissions

Default Drive sharing settings are too open for a health practice. The risk: a therapist accidentally shares a clinical document with “Anyone with the link,” and that document becomes accessible to anyone on the internet.

Path: Admin console > Apps > Google Workspace > Drive and Docs > Sharing settings > Sharing options

Key changes to make:

  • Sharing outside your organization: Set to “Off” if you never need to share files externally. If you do share with other practitioners, set to “Allowlisted domains” and add only the domains you work with.
  • Warning when sharing outside org: Turn this on. It adds a confirmation dialog before any external share.
  • Default link sharing: Set to “Restricted” (only people explicitly added can access). Never allow “Anyone with the link” as a default.

These settings apply org-wide. Individual users can still share within the organization freely, but external sharing gets a guardrail.
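One way to review sharing activity against the same guardrails, as an added example that is not from this guide or from Google's own tooling: it scans Drive audit log entries (the export from Reporting > Audit and investigation, or the Reports API activities.list feed with applicationName=drive) for link sharing that opens a file to anyone and for grants to accounts outside an allowlist. The entries, the practice domain and the partner domain are constructed; the event and parameter names are assumed to match the Drive audit log schema.

```python
"""Flag risky Drive sharing in Google Workspace audit log entries.

ENTRIES below is a constructed sample; event and parameter names follow the
Drive audit log schema as assumed here, the records themselves are made up.
"""
RISKY_VISIBILITY = {"people_with_link", "public_on_the_web"}


def params(event: dict) -> dict:
    """Flatten an event's [{name, value|multiValue}, ...] list into a dict."""
    return {p["name"]: p.get("value", p.get("multiValue")) for p in event.get("parameters", [])}


def risky_shares(entries: list, allowed_domains: set) -> list:
    """Return (time, actor, doc_title, reason) tuples for shares outside the guardrails.

    Flags link sharing that makes a file reachable by anyone, and direct grants to
    accounts whose domain is not on the allowlist (the same rule the console's
    'Allowlisted domains' setting applies to new shares).
    """
    hits = []
    for entry in entries:
        when, actor = entry["id"]["time"], entry["actor"]["email"]
        for ev in entry.get("events", []):
            p = params(ev)
            title = p.get("doc_title", "?")
            if ev["name"] == "change_document_visibility" and p.get("visibility") in RISKY_VISIBILITY:
                hits.append((when, actor, title, f"visibility={p['visibility']}"))
            elif ev["name"] == "change_user_access":
                target = p.get("target_user", "")
                domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
                if domain and domain not in allowed_domains:
                    hits.append((when, actor, title, f"shared with {target}"))
    return hits


def acl_event(name, title, **extra):
    """Build one constructed audit event (helper for the sample data below)."""
    parameters = [{"name": "doc_title", "value": title}] + [{"name": k, "value": v} for k, v in extra.items()]
    return {"type": "acl_change", "name": name, "parameters": parameters}


ENTRIES = [  # constructed sample: one risky link share, one allowlisted grant, one outside grant
    {"id": {"time": "2025-03-04T14:02:11Z", "applicationName": "drive"},
     "actor": {"email": "dr.smith@example-therapy.ca"},
     "events": [acl_event("change_document_visibility", "Intake notes - J.D.", visibility="people_with_link")]},
    {"id": {"time": "2025-03-04T14:05:40Z", "applicationName": "drive"},
     "actor": {"email": "dr.smith@example-therapy.ca"},
     "events": [acl_event("change_user_access", "Referral letter", target_user="intake@partner-clinic.ca")]},
    {"id": {"time": "2025-03-04T14:09:02Z", "applicationName": "drive"},
     "actor": {"email": "admin@example-therapy.ca"},
     "events": [acl_event("change_user_access", "Session summary", target_user="someone@gmail.com")]},
]
```

Run it on a real export and every hit is a share worth a look: either revoke it or record why it was acceptable.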

Review Calendar sharing settings

Calendar events for a therapy practice contain PHI by nature: client names, appointment times, session types. Leaking a calendar is leaking a client list.

Path: Admin console > Apps > Google Workspace > Calendar > Sharing settings

  • External sharing for primary calendars: Set to “Only free/busy information (hide event details)” or “No sharing”. Never allow full event details to be visible externally.
  • Internal sharing: “Only free/busy information” is safest. If you’re solo, this doesn’t matter since there’s no one else in the org.

Configure email compliance settings

Gmail’s compliance settings let you add rules for how email is handled. For a therapy practice, the most relevant settings are:

Path: Admin console > Apps > Google Workspace > Gmail > Compliance

  • Secure transport (TLS) compliance: This forces TLS encryption for emails sent to or received from specific domains. If you regularly exchange PHI with a specific clinic or organization, add their domain here. This ensures those emails are encrypted in transit.
  • Append footer: Add a confidentiality disclaimer to outgoing messages. This is not legally binding, but it’s a standard practice expectation. Something like: “This email may contain confidential health information intended only for the named recipient.”
  • Content compliance: You can create rules that detect keywords and reject, quarantine, or modify messages. Useful if you want to flag outgoing emails that mention specific clinical terms.

Path: Admin console > Apps > Google Workspace > Gmail > Safety

Review the phishing and spoofing protections here. Most defaults are fine, but confirm that:

  • SPF authentication is enforced
  • DKIM signing is enabled
  • DMARC policy is set

These protect your domain from impersonation. A therapist’s email address being spoofed could cause real harm to client trust.
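A way to verify those three records without touching the console, as an added example that is not part of this guide: it takes the TXT records for the domain apex, the DKIM selector (Google's default selector is `google`) and `_dmarc`, and reports where SPF, DKIM or DMARC falls short of a policy that actually rejects spoofed mail. The practice domain and record values are constructed; fetch the real ones with `dig TXT` and pass them in.

```python
"""Offline sanity checks for a Google Workspace domain's SPF, DKIM and DMARC records.
`txt` maps DNS names to TXT record strings as a resolver returns them; SAMPLE_TXT is constructed.
"""
import re


def parse_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' (DMARC/DKIM style) into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def check_email_auth(domain: str, txt: dict, dkim_selector: str = "google") -> list:
    """Return human-readable findings; an empty list means all three controls look healthy."""
    findings = []
    spf = txt.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no v=spf1 TXT record at the domain apex")
    else:
        if "include:_spf.google.com" not in spf:
            findings.append("SPF: Google's sending range (include:_spf.google.com) is missing")
        match = re.search(r"(?:^|\s)([-~?+]?)all\s*$", spf)
        if match is None:
            findings.append("SPF: record does not end with an 'all' mechanism")
        elif match.group(1) in ("", "+", "?"):  # unqualified, +all or ?all lets any sender pass
            findings.append(f"SPF: '{match.group(1)}all' does not reject forged senders; use -all or ~all")
    dkim = parse_tags(txt.get(f"{dkim_selector}._domainkey.{domain}", ""))
    if not dkim.get("p"):
        findings.append(f"DKIM: no public key published at selector '{dkim_selector}'")
    dmarc = parse_tags(txt.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record at _dmarc." + domain)
    else:
        if dmarc.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={dmarc.get('p')} only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports reach you")
    return findings


SAMPLE_TXT = {  # constructed records for a fictional practice domain (DKIM key value is a placeholder)
    "example-therapy.ca": "v=spf1 include:_spf.google.com ~all",
    "google._domainkey.example-therapy.ca": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAEXAMPLE",
    "_dmarc.example-therapy.ca": "v=DMARC1; p=none; rua=mailto:dmarc@example-therapy.ca",
}
```

On the sample the only finding is the DMARC policy: p=none collects reports but does nothing about a spoofed message, which is the case the paragraph above warns about.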


What these settings don’t cover

After working through this guide, your admin console is tighter than most therapy practices running Google Workspace. But there are gaps that no amount of console configuration can close:

No email encryption at rest. Google encrypts data at rest with its own keys, but you (or your clients) don’t control those keys. If Google is compelled by a US court to decrypt, the BAA doesn’t override a legal order.

Outbound email encryption has a related gap: TLS compliance only works when the receiving server supports TLS. If a client’s personal email provider doesn’t support TLS, the message goes unencrypted. You have no way to know this happened.

No audit trail for College of Registered Psychotherapists of Ontario (CRPO) compliance. CRPO Standard 5.6 requires records of who accessed what and when, including change history and access logs. Google Workspace has some logging in the admin console (Admin console > Reporting > Audit and investigation), but it doesn’t produce the kind of structured, immutable audit trail that CRPO expects.

No consent tracking. PHIPA (and comparable provisions in HIA and PIPA) requires documented consent for electronic communication of PHI. Nothing in the admin console tracks whether a client consented to email communication.

No AI data processing controls. Smart Compose, Smart Reply, Gemini, and other AI features process your email content by default. The IPC’s January 2026 guidance on AI scribes states that consent is “generally required” for AI processing of health information. Disabling these features is a separate task, and one worth doing. See our guide on how to disable AI features in Google Workspace for the full walkthrough.

What to do next

You’ve closed the biggest gaps. The settings above bring your Google Workspace from “default” to “configured for a health practice.” That matters.

If you haven’t already, work through the AI features guide next. Between these two posts, you’ll have covered the most important admin console settings for a Canadian therapy practice.


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
