Is Google Voice HIPAA Compliant?

Share this article on:

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules?

Is Google Voice HIPAA Compliant?

Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use.

In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way.

That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule.

As with SMS, faxing and email, Google Voice is not classed as a conduit which means that in order for Google Voice to be HIPAA compliant, the service would need to satisfy the requirements of the HIPAA Security Rule.

There would need to be access and authentication controls, audit controls, integrity controls, and transmission security for messages sent through the service. Google would also need to ensure that any data stored on its servers are safeguarded to the standards demanded by HIPAA. HIPAA-covered entities would also need to receive satisfactory assurances that is the case, in the form of a HIPAA-compliant business associate agreement (BAA).

Therefore, before Google Voice could be used in conjunction with any protected health information, the covered entity must obtain a BAA from Google.

Will Google Sign A BAA for Google Voice?

Google is keen to encourage healthcare organizations to adopt its services, and is happy to sign a business associate agreement for G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend businesses use its free consumer services for business use, as they have been developed specifically for consumers for personal use.

Google Voice is a consumer product and is not included in G Suite, Google Apps, or Google Cloud and neither is it mentioned in its BAA.

So is Google Voice HIPAA compliant? No. Until such point that Google releases a version of Google Voice for businesses, and will include it in its business associate agreement, it should not be used by healthcare organizations or healthcare employees in a professional capacity.

The use of Google Voice with any protected health information would be a violation of HIPAA Rules.

Author: HIPAA Journal

Share This Post On