Is Google Calendar HIPAA Compliant?
Google Calendar is HIPAA compliant and can be used to enter, receive, store, or share Protected Health Information (PHI) when the time management and calendar scheduling service is used as part of a business Workspace account that is configured to comply with HIPAA and covered by the HIPAA Business Associate Addendum to Google’s Service Agreement.
Google Calendar was launched in 2006 and is now part of Google’s Workspace suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added. Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied.
A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.
Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data or cannot read it because it is encrypted.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.
Google’s Business Associate Agreement
Google’s Business Associate Agreement is a one-size-fits-all Business Associate Addendum to its Service Agreement. This means that Google will not enter separate Business Associate Agreements with each HIPAA-covered customer, but requires HIPAA-covered customers to agree to its Addendum for services with “covered functionality” (including Google Drive, Google Meet, Google Forms, and Google Calendar).
The Business Associate Addendum is straightforward and outlines Google’s responsibilities, the customer’s responsibilities, and other standard terms of a regular Business Associate Agreement. Covered Entities wishing to use any covered services to create, collect, store, or transmit PHI must first review and accept the Business Associate Addendum before any PHI is disclosed to Google – even encrypted PHI.
Is Google Calendar HIPAA Compliant?
So, is Google Calendar HIPAA compliant? Provided it is used as part of a Workspace account that supports HIPAA compliance and the Business Associate Addendum has been accepted, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.
