Is Google Voice HIPAA Compliant?
Google Voice is HIPAA compliant and can be used to collect, store, or share PHI provided the service is used as part of a business Workspace or Cloud Identity plan and a Business Associate Addendum is signed with Google. The free consumer version of the service should not be used to collect or share PHI as this version lacks the controls to support HIPAA compliance.
Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. Due to its capabilities, it is unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use.
In order for any service to be used in healthcare to collect, store, or share protected health information (PHI), it must include several capabilities that can be configured to support HIPAA compliance. There would need to be access and authentication controls, audit controls, integrity controls, and transmission security for messages sent through the service.
For Google Voice to be HIPAA compliant, Google would also need to ensure that any data stored on its servers are safeguarded to the standards demanded by HIPAA. HIPAA-covered entities would also need to receive satisfactory assurances that this is the case, in the form of a HIPAA-compliant business associate agreement (BAA).
Will Google Sign a BAA for Google Voice?
Google is keen to encourage healthcare organizations to adopt its services, and offers a standard Business Associate Addendum to its service agreement for all healthcare organizations subscribing to a business Workspace account. (Note: While the BAA did not initially cover Google Voice when it was part of G Suite, that has now changed. Google Voice for Workspace is covered by the BAA and – in this respect – can be considered a HIPAA compliant service.)
Google does not include its free, consumer service in that agreement and that will not change. Google does not recommend businesses use its free consumer services for business use, as they have been developed for consumers for personal use.
So is Google Voice HIPAA compliant? The paid-for version of Google Voice for Workspace can be considered a HIPAA compliant service and can be used by healthcare organizations in connection with PHI without violating HIPAA. The free consumer version is different and should not be used by healthcare organizations or healthcare employees in a professional capacity in connection with PHI. Doing so would be in violation of HIPAA.
FAQs
What is Google Voice?
Google Voice is a Voice over Internet Protocol (VoIP) telephone service that is part of the Workspace suite of productivity and communication tools. The service allows users to send and receive phone calls and text messages either via a virtual number or the user’s ported number. The service supports voicemail, call transcripts, and multi-person calling for collaboration and team meetings.
What does it mean for a service to be HIPAA compliant?
For a service to be HIPAA compliant, the service must have the controls to support HIPAA compliance and the vendor must be willing to enter into a Business Associate Agreement. No software is HIPAA compliant “off the shelf”. The software has to be configured, and users have to be trained to use it in compliance with internal policies and the HIPAA Privacy Rule.
Is Google Voice considered a conduit under HIPAA rules?
Google Voice is not considered a conduit under HIPAA rules because the conduit exception applies to services that have “transient access” to PHI (e.g., the U.S. Postal Service, FedEx, UPS, etc.). Google Voice and most other software services have “persistent access” to PHI because copies of PHI can be stored on the vendors’ servers, which disqualifies them from the transient access exception.
What are some of the capabilities Google Voice would need to have to be HIPAA compliant?
The capabilities Google Voice would need to have to be HIPAA compliant include access and authentication controls, audit controls, integrity controls, and transmission security. These capabilities are not available on the free version of Google Workspace and covered entities and business associates must subscribe to a business plan before using Google Voice to transmit PHI.
Do covered entities need a Business Associate Agreement (BAA) with Google to use Google Voice in compliance with HIPAA?
Yes. Covered entities need a Business Associate Agreement (BAA) with Google to use Google Voice in compliance with HIPAA. The Google BAA is a standard service agreement addendum for all covered entities and is entered into automatically when a healthcare organization subscribes to a Google Workspace business account. Covered entities are advised to review the BAA before subscribing to a Google Workspace business account to ensure they agree to the terms of the Addendum.
Can the free, personal consumer version of Google Voice be used by healthcare organizations in a HIPAA compliant way?
The free, personal consumer version of Google Voice cannot be used by healthcare organizations in a HIPAA compliant way because the free version of the software lacks the capabilities to support compliance with the Security Rule. Google will not enter into a Business Associate Agreement with an organization using the free version of its software.


