// Trust & Security Report

    Alphabet Inc. (Google) logo

    Alphabet Inc. (Google)

    Google Health consumer platform including Google Health app, Google Health Labs (experimental), Health Coach (Gemini-powered AI), health research tools, and health information services. Distinct from Google Cloud Healthcare API (enterprise).

    Certifications held

    0

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 5 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence of SOC 2 certification for the consumer Google Health app. SOC 2 certifications are available for Google Cloud services, but the consumer health platform lacks published security certifications.

    source: health.google
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification for Google Health consumer app. While Google Cloud holds ISO 27001, the consumer health platform does not have documented certification.

    source: health.google
    HIPAA
    NOT CONFIRMED

    Explicitly NOT HIPAA-protected for the consumer product. Verbatim from Google's Google Health privacy FAQ: 'For users in the United States, when you request your medical records be sent from your provider to Google Health, or when you upload records manually, they are no longer subject to the protections of the federal Health Information Portability and Accountability Act (HIPAA).' (Google's page uses this exact phrasing; note HIPAA formally stands for Health Insurance Portability and Accountability Act.) This is intentional: consumer Google services are excluded from HIPAA scope.

    source: support.google.com
    GDPR
    NOT CONFIRMED

    Google Cloud maintains GDPR compliance, but the consumer Google Health app does not have a published GDPR certification. Data handling follows Google's standard privacy policies and applicable local laws outside the US, but no specific GDPR certification or Data Processing Agreement published for the consumer product.

    source: health.google
    FedRAMP
    NOT CONFIRMED

    No evidence of FedRAMP certification for Google Health consumer app. FedRAMP applies to Google Cloud services, not consumer health products.

    source: cloud.google.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Users control where their data is stored, with regional options available. Encryption in transit and at rest provided. Outside US, data is governed by local privacy and data protection laws.

    Google does not restrict AI model training on Google Health consumer data. Google states they may collect publicly available health information to train AI models. However, no explicit commitment made regarding use of Google Health app user data for training purposes. The product includes AI features (Health Coach via Gemini) but training restrictions are not documented.

    // Security controls

    Encryption

    All data encrypted during transmission and storage

    health.google

    Authentication

    Two-step authentication available to secure accounts

    health.google

    Data Control

    Users can access, download, and delete data from settings; can leave Google Health at any time

    support.google.com

    Ads Targeting

    Google explicitly does not use health data for ads targeting

    health.google

    Third-party Security Review

    No published third-party security audit or penetration test results found for consumer product

    health.google

    // Products & data scope

    Google Health AppConsumer Health Platform

    data: Personal health records, biometric data (steps, heart rate, sleep), medical records, health tracking, AI health coaching

    Core consumer product. Stores medical records but NOT HIPAA-compliant. Includes Gemini-powered Health Coach for personalized guidance.

    Google Health LabsExperimental/Research

    data: Limited to eligible users, may include lab studies and experimental features

    Preview features available to limited set of users. May require Premium subscription. Explicitly states AI responses may be inaccurate or offensive.

    Google Health ResearchResearch Platform

    data: Opt-in health studies and research data

    Google commits to not selling research data and not using it for ads. Governed by study-specific informed consent forms.

    Google Cloud Healthcare APIEnterprise/HIPAA-eligible (separate product)

    data: Enterprise health data, PHI with proper BAA in place

    DISTINCT from consumer Google Health app. Is HIPAA-eligible when properly configured with BAA, SOC 2 certified, ISO 27001 certified. Not part of health.google product family.

    // What to watch

    • IDENTITY-CONFLATION RISK: Google Health (consumer app at health.google) is DISTINCTLY SEPARATE from Google Cloud services and should not be assumed to inherit enterprise compliance certifications (SOC 2, ISO 27001, HIPAA, FedRAMP). The consumer product explicitly lacks these certifications.
    • OVER-CLAIM EXPOSURE: Marketing and press materials may imply healthcare-grade security because Google is an enterprise company, but the consumer product lacks published third-party security certifications and explicitly is NOT HIPAA-compliant.
    • HIPAA NON-COMPLIANCE: Google's own documentation explicitly states medical records in Google Health are NOT protected by HIPAA after being stored in the app. This is intentional—consumer Google services are intentionally excluded from HIPAA scope. Healthcare providers or organizations may illegally upload PHI to this product, creating compliance liability.
    • AI TRAINING AMBIGUITY: No explicit commitment against using consumer health data for AI model training. Google's general privacy policy permits using publicly available data for model training. Opt-out mechanisms for Health Labs AI features not clearly documented.
    • LIMITED CERTIFICATIONS: No SOC 2, ISO 27001, GDPR certification, or published Data Processing Agreement (DPA) for the consumer product. Only encrypted transit/storage and 2FA offered as security controls.
    • NO FORMAL TRUST CENTER: Unlike Google Cloud, the consumer Google Health product has no published trust center, no compliance matrix, and limited security documentation.
    • MEDICAL RECORDS LIABILITY: Explicit statement that HIPAA protections are waived creates legal risk for health professionals and patients using this for regulated health information.
    • AI GOVERNANCE: Google Health Coach and Labs use Gemini AI, but no published framework for AI governance (e.g., ISO/IEC 42001, CSA STAR AI). Explicit disclaimers that 'AI-generated responses may include inaccurate or offensive information' and 'should not be used for medical advice.'

    // At a glance

    Pricing model

    Consumer app with free tier; premium version available; Google One integration possible

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Alphabet Inc. (Google)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    health.google

    > Browse all vendor trust reports