Is Google Voice HIPAA Compliant?

Google Voice is a telephony service from Google that people use for call forwarding and messaging, among other functions. Many ask whether Google Voice is HIPAA compliant: can healthcare employees use it in compliance with HIPAA rules?

Is Google Voice HIPAA compliant?

Google Voice provides services such as voicemail, voicemail to text conversion, a free text messaging feature, and a number of other useful functions. As a result, many healthcare professionals would like to use it during their work.

For this to be possible, there must be a way to configure the tool to be HIPAA compliant before it can be used to handle any protected health information (PHI).

A tool like Google Voice has two potential routes to being considered HIPAA compliant: it can be covered by the conduit exemption rule (which was introduced with the HIPAA Omnibus Final Rule), or features can be added to protect the information as stipulated by the HIPAA Security Rule.

Like SMS messages, faxes, and emails, Google Voice cannot be classed as a conduit. It must therefore be brought into line with the HIPAA Security Rule.

This would require developing settings to secure access, record logs, enable audits, protect data integrity, and safeguard data transmission. Any information saved to Google servers would also need to be sufficiently secured for it to be HIPAA compliant. Further, Google would need to sign business associate agreements (BAAs) with covered entities to commit to observing HIPAA standards.

A signed BAA with Google would be required before Google Voice could be used with PHI.

Is Google Willing to Sign BAAs for Google Voice?

Google already enters into BAAs with covered entities to allow them to use G Suite, another of its services. However, this is only for paying customers. Google has recommended that its free services not be used for professional purposes, as they were developed solely with personal use in mind.

Google Voice is a separate product from G Suite, Google Apps, and Google Cloud, and it is not referred to in BAAs relating to any of these services.

To conclude, is Google Voice HIPAA compliant? The short answer is “no”. The slightly longer answer is “no, not until a professional version is introduced that will be backed up by Google through a signed BAA”. For now, Google Voice is not HIPAA compliant, cannot be used with PHI, and should not be used for professional purposes by healthcare employees.