HIPAA Compliance & Google Voice
Google Voice is a widely used and intuitive telephony service that incorporates voicemail, voicemail transcription to text, the functionality to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for private use.
For the service to be used in healthcare along with any protected health information (PHI) it must be possible to use it in a HIPAA compliant fashion.
That means the service must be included in the conduit exemption rule – which was brought in when the HIPAA Omnibus Final Rule became active – or it must include a range of controls and security measures to meet the requirements of the HIPAA Security Rule.
As with SMS, faxing and email, Google Voice is not classified as a conduit which means that in order for Google Voice to be HIPAA compliant, the service would need to meet the requirements of the HIPAA Security Rule.
There must be, included, access and authentication controls, audit controls, integrity controls, and transmission security for messages broadcast via the service. Google would also need to guarantee that any data stored on its servers are safeguarded to the standards required by HIPAA. HIPAA-covered entities would also need to receive satisfactory assurances that is the case, in the form of a HIPAA-compliant business associate agreement (BAA).
Therefore, before Google Voice could be used for transmitting, receiving, or processing any protected health information, it is first necessary to obtain a signed business associate from Google that covers the Google Voice service.
Google provides a range of services for healthcare organizations and does offer a BAA that covers G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend companies use its free consumer services for business use, as they have been developed with consumers’ personal use in mind.
The free-to-use, consumer-focused Google Voice service is not part of G Suite, Google Apps, or Google Cloud so it cannot be used, as Google does not offer a BAA covering any of its consumer services. That does not mean that Google Voice cannot be used by healthcare organizations in connection with PHI.
Google Voice is HIPAA compliant, but only for healthcare organizations that pay for the G Suite for Business service. The paid G Suite for Business service does now include Google Voice, so provided a BAA is obtained for this service, it is perfectly acceptable to use Google Voice with PHI.
As with any “HIPAA-compliant” service or product, it may still be possible to violate HIPAA Rule when using it. Google only ensures that it fulfils its obligations as a business associate. It is the responsibility of each user to ensure that its products and services are used in a manner that complies with the HIPAA Rules.