Google Voice, a convenient telephone service, includes voicemail, voicemail transcription to text, text messaging, and a variety of other useful features. For those reasons, it’s used by some healthcare professionals in both a personal and professional capacity.
But that professional use brings up an important question: Is Google Voice HIPAA compliant? And should healthcare professionals use it?
Google Voice and HIPAA compliance
The answer is both simple and complex. If you discuss any protected health information (PHI) over Google Voice, you must ensure that patients’ personal information is protected.
But what does that mean in the context of Google Voice?
The HIPAA Omnibus Final Rule lays out the conditions of the “conduit exemption,” namely, that an organization that only transmits PHI is exempt from the HIPAA Security Rule. If the organization doesn’t fall under the “conduit exemption,” then it must meet HIPAA requirements.
Google Voice is not defined as a “conduit” and, therefore, isn’t exempt from HIPAA compliance. This means a wide range of measures must be in place to protect data, such as access and authentication controls, secured transmissions, and proper data storage protocols.
In addition, a Google Voice user must get a signed business associate agreement (BAA) with Google before the service can be used in conjunction with PHI.
What is a BAA?
A BAA is a legal document between a healthcare provider and a contractor or third-party service used by the healthcare organization. The BAA is designed to ensure that both parties adhere to strict guidelines to maintain the security of PHI.
The HIPAA Privacy Rule summary states that, “when a covered entity uses a contractor or other non-workforce member to perform ‘business associate’ services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement.”
In this case, Google Voice is a covered entity, and any healthcare provider using Google Voice must get a signed BAA from Google.
So is Google Voice HIPAA compliant?
When Google Voice was offered as a free service only, it wasn’t covered under Google’s BAA. The Google platforms that offer BAAs are G Suite, Google Apps, and Google Cloud. Because Google Voice wasn’t part of any of those, it wasn’t a HIPAA-compliant service.
However, Google Voice recently became available as a core service under G Suite and is available to all G Suite customers through an additional license. Because G Suite is covered under Google’s BAA, that means that Google Voice is now HIPAA compliant and can be used by healthcare providers to communicate with patients and colleagues.
When Google Voice is used in a professional capacity, administrators should obtain Google Voice licenses for users who handle PHI. When it is used within a Google Meet, users should set calendar entries that contain PHI to private. In addition, admins should set external Calendar settings to “Only free/busy information” and internal Calendar sharing options to “No sharing” or “Only free/busy information.”
The bottom line? Google Voice — like other HIPAA-compliant software — is a great way for healthcare providers to implement telehealth and communicate with their patients and colleagues. Because it’s HIPAA compliant, you can rest assured that all PHI is protected and that your communication is safe and secure, which helps you build trust with your patients now and in the future.