Google Voice, a convenient telephone service, includes voicemail, voicemail transcription to text, text messaging, and a variety of other useful features. For those reasons, it’s used by some healthcare professionals in both a personal and professional capacity.
But that professional use brings up an important question: Is Google Voice HIPAA compliant? And should healthcare professionals use it?
Google Voice and HIPAA compliance
The answer is both simple and complex. That’s because if a service like Google Voice is used in conjunction with any protected health information (PHI), it has to be used in a way that protects the personal information of patients.
What does that mean, exactly?
The service has to be “covered by the conduit exemption rule,” which was spelled out when the HIPAA Omnibus Final Rule went into effect, or otherwise incorporate a variety of safeguards and controls to guarantee it meets the strict requirements of the HIPAA Security Rule.
This includes access and authentication controls, audit controls, integrity controls, and transmission security for messages sent through Google Voice. The service also needs to ensure that any data stored on its servers is secured according to HIPAA standards.
In addition, the Google Voice user must get a signed business associate agreement (BAA) with Google before the service can be used in conjunction with PHI.
What is a BAA?
Simply put, a BAA is a legal document between a healthcare provider and a contractor. A provider enters into a BAA with a contractor or other vendor when that vendor might have access to PHI. If you’re entrusting PHI to a third party — like Google Voice — then a BAA is required by law.
The HIPAA Privacy Rule summary states that, “when a covered entity uses a contractor or other non-workforce member to perform ‘business associate’ services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement.”
So is Google Voice HIPAA compliant?
When Google Voice was offered as a free service only, it wasn’t covered under Google’s BAA. The Google platforms that offer BAAs are G Suite, Google Apps, and Google Cloud. Because Google Voice wasn’t part of any of those, it wasn’t a HIPAA-compliant service.
However, Google Voice recently became available as a core service under G Suite and is available to all G Suite customers through an additional license. Because G Suite is covered under Google’s BAA, that means that Google Voice is now HIPAA compliant and can be used by healthcare providers to communicate with patients and colleagues.
When Google Voice is used in a professional capacity, administrators should obtain Google Voice licenses for users who handle PHI. When it is used within a Google Hangouts meeting, users should set calendar entries that contain PHI to private. In addition, admins should set external Calendar settings to “Only free/busy information” and internal Calendar sharing options to “No sharing” or “Only free/busy information.”
The bottom line? Google Voice — like other HIPAA-compliant software — is a great way for healthcare providers to implement telehealth and communicate with their patients and colleagues. Because it’s HIPAA compliant, you can rest assured that all PHI is protected and that your communication is safe and secure, which helps you build trust with your patients now and in the future.