Share this article on:
Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.
Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added.
Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied.
A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.
Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.
Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.
Google’s Business Associate Agreement
Google is willing to sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging feature of Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.
HIPAA-covered entities must enter into a BAA with Google prior to any of the above services being used with ePHI. Once a signed BAA has been obtained the services can be used, although it is the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules using its services.
Is Google Calendar HIPAA Compliant?
So, is Google Calendar HIPAA compliant? Provided a BAA has been obtained, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.