Yes, Looker can be HIPAA compliant. Because Looker is a Google Cloud product, you cover it under the Google Cloud Business Associate Agreement (BAA), and Google supports HIPAA within that agreement. But coverage is scoped to specific services, Looker’s Gemini AI features need extra scrutiny, and you carry significant configuration responsibility.
## Quick Summary (TL;DR)
- Looker supports HIPAA compliance under the Google Cloud BAA. You must execute Google’s HIPAA BAA before putting PHI into Looker.
- The BAA covers Looker under a Looker Hosted Deployment. Services on Google’s “Excluded Services” list are not covered, and you must avoid using them with PHI.
- Google Cloud maintains extensive compliance attestations, including SOC reports and HITRUST coverage for eligible services.
- You hold meaningful responsibility under the shared model: regular access audits, encrypted database connections, and least-privilege database permissions.
- Looker’s Gemini AI features need separate attention. The consumer version of Gemini is never appropriate for PHI, while enterprise Gemini through Vertex AI can support HIPAA workloads inside your own Google Cloud environment when configured with covered services.
- Looker requires LookML modeling and a Google Cloud commitment. Those are adoption costs, not compliance gaps, but they shape who Looker fits.
- A BAA makes Looker usable for PHI. Whether your deployment stays compliant depends on configuration, which services you enable, and how AI features touch data.
## What “HIPAA Compliant” Means for a BI Tool
No analytics platform is “HIPAA certified.” HIPAA has no certification body. A vendor that processes Protected Health Information (PHI) for you is a business associate, and the law requires a signed BAA between you and that vendor.
The BAA is the contract that allows a tool to touch PHI. It is required, but it does not make you compliant by itself. HIPAA-compliant analytics also depends on deployment, configuration, and which features you turn on. You can have a valid BAA and still create a violation by misconfiguring access or enabling a service the BAA does not cover.
So for Looker, the useful question is not only “is there a BAA.” It is “what does the BAA cover, what stays on you, and how do the AI features handle PHI.”
## Does Looker Sign a BAA?
Yes, through Google Cloud. Looker is a Google Cloud product, so HIPAA coverage comes from the Google Cloud BAA for Looker Services, not a separate Looker contract. You request the BAA from your Google Cloud account manager and execute it before working with PHI.
Google states it supports HIPAA compliance within the scope of the BAA, and that customers are ultimately responsible for evaluating their own compliance. Organizations must execute Google’s HIPAA BAA before processing PHI. The BAA covers Looker under a Looker Hosted Deployment.
## What the Looker BAA Does Not Cover
The BAA excludes services on Google’s “Excluded Services” list. Google’s instruction is direct: you must disable or otherwise ensure you do not use services that are not covered by the BAA when working with PHI.
In practice, that means reviewing every connected service, integration, and feature against the covered list before it touches regulated data. Anything outside the list needs its own BAA or needs to be kept away from PHI entirely.
## Your Responsibilities Under the Looker BAA
Looker runs a shared-responsibility model, and Google places a meaningful share on the customer. You control the environment, the configuration, the connected applications, and how users access PHI.
Customer responsibilities under the shared model include:
- Auditing users, groups, permissions, roles, API keys, public links, and access controls on a regular cadence.
- Ensuring all connections to databases are encrypted in transit.
- Following least-privilege principles and restricting database permissions appropriately.
- Governing how users access PHI and monitoring activity over time.
This is not unusual for cloud BI, but it is real operational work. The compliance burden does not end when the BAA is signed. It becomes a recurring audit and configuration discipline.
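The recurring audit that the responsibility list above describes, as an added example that is not Looker's own tooling or API: it runs the four checks (account and API-key hygiene, public links, encryption in transit, least-privilege database grants) over a constructed inventory; the field names, the 90-day inactivity threshold and the example.org accounts are assumptions.

```python
"""Recurring access-audit checks of the kind the Looker BAA puts on the
customer, run over a constructed inventory rather than the Looker API."""
from datetime import date, timedelta

TODAY = date(2025, 1, 15)          # fixed so results are reproducible
STALE_AFTER = timedelta(days=90)   # assumed review cadence for inactive accounts

# Constructed sample inventory (not real data); field names are assumptions.
USERS = [
    {"email": "analyst@example.org", "disabled": False, "api_keys": 0,
     "roles": ["Viewer"], "last_login": date(2025, 1, 10)},
    {"email": "former@example.org", "disabled": True, "api_keys": 1,
     "roles": ["Admin"], "last_login": date(2024, 6, 1)},
    {"email": "svc-etl@example.org", "disabled": False, "api_keys": 2,
     "roles": ["Admin"], "last_login": date(2024, 9, 1)},
]
LOOKS = [
    {"id": 10, "title": "Readmissions by unit", "public": True},
    {"id": 11, "title": "Bed occupancy", "public": False},
]
CONNECTIONS = [
    {"name": "phi_warehouse", "ssl": False, "privileges": ["SELECT", "INSERT"]},
    {"name": "claims_ro", "ssl": True, "privileges": ["SELECT"]},
]

def audit(users, looks, connections, today=TODAY):
    """Return (severity, finding) tuples; an empty list means no exceptions."""
    findings = []
    for u in users:
        if u["disabled"] and u["api_keys"]:
            findings.append(("high", f"{u['email']}: disabled but still holds API key(s)"))
        if "Admin" in u["roles"] and u["api_keys"]:
            findings.append(("high", f"{u['email']}: Admin role combined with API key(s)"))
        if not u["disabled"] and today - u["last_login"] > STALE_AFTER:
            findings.append(("medium", f"{u['email']}: no login in {STALE_AFTER.days}+ days"))
    for look in looks:
        if look["public"]:   # public links bypass Looker's user-level access controls
            findings.append(("high", f"look {look['id']} '{look['title']}' is shared by public link"))
    for c in connections:
        if not c["ssl"]:     # PHI must be encrypted in transit to the warehouse
            findings.append(("high", f"connection {c['name']}: not encrypted in transit"))
        extra = [p for p in c["privileges"] if p != "SELECT"]
        if extra:            # plain reporting needs read access only; a PDT scratch schema would be a documented exception
            findings.append(("medium", f"connection {c['name']}: beyond least privilege {extra}"))
    return findings

def high_findings(findings):
    """Only the findings that should block PHI access until fixed."""
    return [text for severity, text in findings if severity == "high"]
```

Run on a real export, the output is the exception list for the audit record; a clean inventory returns an empty list.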
## Looker AI (Gemini) and PHI
Looker’s AI features run on Google’s Gemini models, and AI is where healthcare teams should slow down. The free, consumer version of Gemini is not covered by a BAA and should never see PHI.
Enterprise Gemini through Vertex AI is a different story. Vertex AI operates within your own Google Cloud environment and can support HIPAA workloads when used with covered services and configured appropriately. That is a workable setup, but it depends on using the enterprise path and confirming the specific feature is covered by your BAA.
The takeaway: do not assume an AI feature is in scope because the core platform is. Confirm in writing how any Looker AI capability handles PHI before enabling it on regulated data.
## The Google Cloud Lock-In Factor
Looker’s HIPAA story is inseparable from Google Cloud. Coverage flows through the Google Cloud BAA, the infrastructure is Google’s, and Looker analysis depends on building a LookML semantic model first.
For a healthcare organization already standardized on Google Cloud with a team that knows LookML, that alignment is an advantage. For a team that runs elsewhere, or wants PHI and AI to stay inside its own walls regardless of cloud, the Google Cloud dependency is a constraint to weigh up front.
## Looker vs Knowi for HIPAA-Compliant Analytics
Knowi is an analytics platform that queries data directly across SQL, NoSQL, and APIs, and can run its AI engine inside your own deployment. Here is an honest comparison on the dimensions that drive HIPAA risk. For a wider view, see our roundup of HIPAA-compliant analytics platforms.
| Dimension | Looker | Knowi |
|---|---|---|
| BAA | Covered under the Google Cloud BAA for a Looker Hosted Deployment. Excluded Services are not covered. | Signed BAA available for regulated deployments. |
| Deployment | Google Cloud hosted. Coverage and infrastructure tie to Google Cloud. | On-premise via Docker and Kubernetes, cloud, or inside your own VPC. No single-cloud lock-in. |
| AI and PHI | Consumer Gemini is not covered for PHI. Enterprise Gemini via Vertex AI can be configured for HIPAA inside your Google Cloud project. | Private AI runs the AI engine inside your own deployment, on-premise or in a secure cloud, supporting natural language query with no PHI sent to third-party LLMs. |
| Modeling layer | LookML semantic model required before analysis. | Query directly across sources with no required modeling layer. |
| Customer responsibility | Heavy: regular access audits, encrypted database connections, least-privilege database permissions, and ongoing governance. | Encryption, role-based access, and comprehensive audit logging, with a direct-to-database architecture. |
| Data movement | Runs within Google Cloud; in-database querying available, but the Google Cloud environment is in scope. | Native querying without ETL, which reduces PHI movement and the number of copies to audit. |
The core difference: Looker can be made HIPAA compliant, but its model assumes Google Cloud and a LookML layer, and its AI path runs through Google’s services. Knowi is designed to keep PHI and AI inside your environment, on the infrastructure you choose. For pricing and functionality, see the full Knowi vs Looker comparison.
## So, Is Looker HIPAA Compliant?
Looker can be used in a HIPAA-compliant way. Google supports it under the Google Cloud BAA, the infrastructure carries broad compliance attestations including SOC reports and HITRUST coverage for eligible services, and the platform offers the encryption and access controls regulated teams need. For a Google Cloud organization with LookML skills, it is a reasonable choice.
The qualifiers matter. Coverage is scoped to specific services, the AI features need their own review, and the customer carries a recurring audit and configuration load. If your goal is to keep PHI and AI processing inside your own environment without committing to a single cloud, evaluate the deployment model and AI data handling as carefully as the BAA itself.
## Frequently Asked Questions
### Does Looker sign a BAA?
Yes, through Google Cloud. You request the Google Cloud BAA from your account manager and execute it before using PHI. The BAA covers Looker under a Looker Hosted Deployment and excludes services on Google’s Excluded Services list, which you must not use with PHI.
### Can Looker store PHI securely?
Looker can be used with PHI under the Google Cloud BAA, on infrastructure that carries SOC and HITRUST attestations for eligible services. Looker typically queries data in the underlying warehouse rather than copying it, which can reduce duplicate PHI stores, but you remain responsible for encryption in transit, least-privilege database access, and audit controls.
### Does Looker require Google Cloud to be HIPAA compliant?
Yes. Looker’s HIPAA coverage flows through the Google Cloud BAA and the platform runs on Google Cloud infrastructure. Healthcare teams that are not on Google Cloud, or that want to avoid single-cloud dependency, should factor that into the decision.
### Can Looker’s Gemini AI features be used with PHI?
It depends on the version. The consumer version of Gemini is not covered by a BAA and should never be used with PHI. Enterprise Gemini through Vertex AI operates within your own Google Cloud environment and can support HIPAA workloads when configured with covered services, but confirm the specific feature is covered by your BAA before enabling it on PHI.
### What are my responsibilities under the Looker BAA?
Google places significant responsibility on the customer. You are responsible for auditing users, permissions, roles, API keys, and access controls on a regular cadence, ensuring database connections are encrypted in transit, following least-privilege principles for database permissions, and governing how users access PHI.
### Is Looker or Knowi a better fit for healthcare?
It depends on your architecture priorities. Organizations should compare deployment model, data movement, AI processing, and BAA scope. Looker ties coverage and infrastructure to Google Cloud and routes AI through Google’s services. Knowi is one option designed to keep AI and PHI inside the customer’s environment, on-premise or in a secure cloud, without sending data to third-party LLMs.
If you are evaluating analytics for PHI and want to keep data and AI inside your own environment, schedule a Knowi demo to see HIPAA-ready, on-premise analytics with Private AI in action. You can also read how Knowi runs AI analytics on patient data without third-party LLMs or compare options in our guide to Looker alternatives in 2026.