Google Calendar & HIPAA Compliance

Google Calendar was released in 2006 and is part of Google’s G Suite of products and services. Google Calendar could be used for scheduling appointments, which may require protected health information to be entered. Uploading any protected health information to the cloud is not permitted under the HIPAA Privacy Rule unless certain HIPAA requirements have first been met.

A risk analysis must be completed to assess potential risks to the confidentiality, integrity, and availability of ePHI. Identified risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be configured to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.

Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.

Google has the necessary security controls in place to safeguard data uploaded to Google Calendar, and access and audit controls can be configured, so Google Calendar HIPAA compliance depends on whether Google is willing to enter into a business associate agreement with HIPAA-covered organizations and their business associates.

Google’s Business Associate Agreement

Google will sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging service in Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault.

HIPAA-covered organizations must complete a BAA with Google before any of the above services are used with ePHI. Once a signed BAA has been obtained the services can be implemented, although it remains the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules while using it.

About Thomas Brown
Thomas Brown worked as a reporter for several years at ComplianceHome. Thomas is a seasoned journalist with several years of experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.