Google Voice, a convenient telephone service, includes voicemail, voicemail transcription to text, text messaging, and a variety of other useful features. For those reasons, it’s used by some healthcare professionals in both a personal and professional capacity.
But that professional use brings up an important question: Can Google Voice be used in a HIPAA-friendly manner? Should healthcare professionals use it?
Google Voice and HIPAA compliance
The answer is both simple and complex. If you discuss any protected health information (PHI) over Google Voice, you must ensure that patients’ personal information is protected.
But what does that mean in the context of Google Voice?
The HIPAA Omnibus Final Rule lays out the conditions of the “conduit exemption,” namely, that an organization that only transmits PHI is exempt from the HIPAA Security Rule. If the organization doesn’t fall under the “conduit exemption,” then it must meet HIPAA requirements.
If Google Voice is not a “conduit”, it can’t take advantage of the conduit exemption. This means a wide range of measures must be in place to protect data, such as access and authentication controls, secured transmissions, and proper data storage protocols.
Pro Tip
What makes Jotform the best Google Forms alternative? You can forms that help you comply with HIPAA while collecting patient health data securely.
What is a BAA?
A BAA is a legal document between a healthcare provider and a contractor or third-party service used by the healthcare organization. The BAA is designed to ensure that both parties adhere to strict guidelines to maintain the security of PHI.
The HIPAA Privacy Rule summary states that, “when a covered entity uses a contractor or other non-workforce member to perform ‘business associate’ services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement.”
When Google Voice was offered as a free service only, it wasn’t covered under Google’s BAA. The Google platforms that offer BAAs are G Suite, Google Apps, and Google Cloud.
However, Google Voice recently became available as a core service under G Suite and is available to all G Suite customers through an additional license. Because G Suite is covered under Google’s BAA, that means that Google Voice can be used by healthcare providers to communicate with patients and colleagues.
When using Google Voice in a professional capacity, administrators should obtain Google Voice licenses for users who handle PHI. And when used within a Google Meet, users should set calendar entries that contain PHI to private. In addition, admins should set external Calendar settings to “Only free/busy information” and internal Calendar sharing options to “No sharing” or “Only free/busy information.”
The bottom line? Google Voice is a great way for healthcare providers to implement telehealth and communicate with their patients and colleagues.
Send Comment:
3 Comments:
More than a year ago
Kind of irritating when a doctor's office has this I have been trying to call for the past 3 days to get my prescriptions filled I called them early due to me not receiving my meds on time with this Google Voice they can hear whenever I call buy me just stating my name and they refused to answer my calls this should be prohibited from doctors offices
More than a year ago
Thanks so much, George, for this helpful information. How does one go about contacting G Suite to obtain the BAA that will also cover Google Voice?
More than a year ago
I was told by G Suite that text messages and phone call are not encrypted. The BAA only covers data at rest within GV.