Is Google Chat HIPAA Compliant?
Google Chat is HIPAA compliant when it is used as part of a Google Workspace plan that includes the necessary controls to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) used and disclosed via this communication channel. To make Google Chat HIPAA compliant, it is also necessary to agree to Google’s Business Associate Addendum to the Workspace Terms of Service.
Google Chat is an intuitive messaging and team communication service that can be integrated with other services in the Google Workspace suite or third-party workflow apps to enhance collaboration and workplace efficiency. Google Chat can also be used to communicate with external contacts, subject to the permissions granted by system administrators and the controls put in place to prevent data loss.
For organizations subject to the Health Insurance Portability and Accountability Act (HIPAA), these controls are necessary to support HIPAA compliance and prevent impermissible disclosures of PHI. In addition, any HIPAA compliant service used to create, collect, store, or transmit PHI must have safeguards in place to prevent unauthorized access to PHI, monitor user activity, and remove users’ access rights when they leave the organization.
Is Google Chat HIPAA Compliant?
As a standalone service – or used with a personal Gmail account – Google Chat is not HIPAA compliant. This is because the controls necessary to protect the confidentiality, integrity, and availability of PHI are only available in a Google Workspace account. As a result, organizations subject to HIPAA must subscribe to a Workspace account in order to access the controls required to make Google Chat HIPAA compliant.
Thereafter, the controls have to be configured to comply with the implementation specifications of the Security Rule’s Technical Safeguards. Google provides assistance with the compliant configuration of Workspace services in its HIPAA Implementation Guide. However, concerns have been raised in relation to the instruction in the Guide not to store PHI in Google Contacts – the directory used to store names and contact details for the Google Chat service.
The concerns are attributable to a misunderstanding of what is considered PHI under HIPAA. Names and contact details stored in a database that does not contain an individual’s health, treatment, or payment information are not Protected Health Information. It is perfectly okay to use Google Contacts as the directory for any Workspace service, provided no health, treatment, or payment information is stored with the contact information in the Notes box.
(Image: An example of how NOT to use Google Contacts)
Signing the Google Business Associate Addendum
Before an organization subject to HIPAA discloses PHI to a software vendor, the organization and vendor must enter into a Business Associate Agreement that defines both parties’ compliance obligations and covers the requirements of §164.314(a) and §164.504(e). However, because Google provides a standard service for thousands of covered customers, the company does not enter into individual Agreements. Instead, it requires organizations subject to HIPAA to agree to its Business Associate Addendum to the Workspace Terms of Service.
For organizations familiar with Business Associate Agreements, Google’s Business Associate Addendum is easy to understand and does not contain any unreasonable conditions. The Addendum must be signed by an account holder with super administrator privileges via the Admin console, who must also answer three questions at the end of the signing process to confirm the organization is a HIPAA covered entity or business associate.
Prior to agreeing to Google’s Business Associate Addendum, it is advisable to review the Workspace Terms of Service. This document contains several customer obligations that – if overlooked and not complied with – could lead to suspension of the service and loss of access to PHI stored in the service. As this would be a failure by the organization to maintain the availability of PHI, a loss of access to PHI would be a notifiable violation of HIPAA.
Workforce Training is Also Recommended
Training members of the workforce to use Google Chat in compliance with HIPAA is not a requirement of HIPAA. However, due to the similarities between Google Chat and other instant messaging services that members of the workforce may use to communicate with family members and friends, it is recommended that a session on the compliant use of Google Chat be integrated into the organization’s HIPAA security awareness training program.