Is Google Hangouts HIPAA Compliant?

Google Hangouts is one among many apps, social media tools, and messaging services that healthcare professionals want to use to share protected health information (PHI). Is Google Hangouts HIPAA compliant and can it be used to share PHI?

Is Google Hangouts HIPAA Compliant?

Healthcare organizations use a range of Google services every day. Google Hangouts, which evolved from the Hangouts video chat program and Huddle, the Google+ messenger, is another Google service that could be used to share PHI, but whether it is HIPAA compliant is often unclear. As a cloud-based platform, Google Hangouts includes video chat, SMS, Voice over Internet Protocol (VoIP), and instant messaging features.

Many Google services are included with the business associate agreement (BAA) for G Suite, as listed below:

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (if applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

Notably absent from the BAA are Google Groups, Google Contacts, and Google+. These programs cannot be used to handle, share, or store PHI. Google recommends that G Suite services such as YouTube, Blogger, and Google Photos be disabled.

As the list above shows, the chat messaging feature of Google Hangouts can be used by covered entities in compliance with HIPAA Rules, but only if a BAA is in place between Google and the covered entity before any PHI is entered into the tool.

The other features, unfortunately, are not covered by the BAA, so covered entities should be careful not to use them with PHI.

Google has published guides to assist healthcare organizations in using Google Hangouts in compliance with HIPAA.

HIPAA Compliance for Google Hangouts is User Dependent

If your organization accepts the use of Google Hangouts, policies should be put in place that clearly state what is and is not permitted under HIPAA. Employees should be trained in these policies and in how to use the tool, especially which features they are prohibited from using. Should your organization require the use of video chat, Google Hangouts would not suit your needs.

To repeat something we often mention, a BAA does not guarantee HIPAA compliance. Equally important are the settings that are configured and how staff actually use the tool.

Remember to Use Extra Protections for Mobile Devices

Mobile devices present a significant risk of HIPAA violations, particularly with Google Hangouts. Google's strong account protections should be enabled so that unauthorized access to an account is quickly flagged. Mobile devices should also use features that protect any PHI stored on or accessible from them should they be lost or stolen. A robust access control system can accomplish this.

Covered entities should implement policies requiring that any lost or stolen device be reported promptly so that accounts and information can be secured. It is also strongly advisable to use features that can remotely lock, locate, or wipe the device.