Share this article on:
Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules?
Is Google Voice HIPAA Compliant?
Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use.
In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way.
That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule.
As with SMS, faxing, and email, Google Voice is not classed as a conduit which means that in order for Google Voice to be HIPAA compliant, the service would need to satisfy the requirements of the HIPAA Security Rule.
There would need to be access and authentication controls, audit controls, integrity controls, and transmission security for messages sent through the service. Google would also need to ensure that any data stored on its servers are safeguarded to the standards demanded by HIPAA. HIPAA-covered entities would also need to receive satisfactory assurances that is the case, in the form of a HIPAA-compliant business associate agreement (BAA).
Therefore, before Google Voice could be used in conjunction with any protected health information, the covered entity must obtain a BAA from Google.
Will Google Sign A BAA for Google Voice?
Google is keen to encourage healthcare organizations to adopt its services, and is happy to sign a business associate agreement for G Suite. While the BAA did not initially cover Google Voice, that has now changed. Google Voice for G Suite is covered by the BAA and can be considered a HIPAA compliant service.
Google does not include its free, consumer service in that agreement and that will not change. Google does not recommend businesses use its free consumer services for business use, as they have been developed specifically for consumers for personal use.
So is Google Voice HIPAA compliant? The paid-for version of Google Voice for G Suite can be considered a HIPAA compliant service and can be used by healthcare organizations in connection with PHI without violating HIPAA. The free consumer version is different and should not be used by healthcare organizations or healthcare employees in a professional capacity in connection with PHI. Doing so would be in violation of HIPAA.