- Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
- Apps Script
- Google Cloud Search
- Vault (If applicable)
- Google Hangouts (Chat messaging)
- Hangouts Meet
The Business Associate Agreement does not cover Google Groups, Google Contacts, or Google+, none of which can be used with protected health information. Google also advises users to turn off non-core services in relation to G Suite, for example YouTube, Blogger and Google Photos.
So, certain parts of Google Hangouts are HIPAA compliant and can be used by HIPAA covered entities without breaching HIPAA Rules, provided that prior to the use of the services with PHI, the covered entity has completed a business associate agreement with Google.
However, even with a BAA in place, not all aspects of Google Hangouts are HIPAA compliant, so covered entities must be careful. Video chat, for instance, is not included in the BAA and so cannot be used with PHI, and neither can the SMS and VoIP options.
To assist in making Google Hangouts HIPAA compliant, Google has published a guide for healthcare organizations.
Users Instrumental in Making Google Hangouts HIPAA Compliant
If you opt to allow the use of Google Hangouts in your organization, it is important to set out the allowable uses of Google Hangouts with respect to PHI in policies and procedures. Employees must be trained on the correct use of the platform and instructed which elements of Google Hangouts can be used and which are forbidden. If video chat is important for your organization, you should seek a HIPAA-compliant alternative service.
Simply obtaining a BAA from Google is no guarantee of HIPAA compliance – that will depend on how Google services are configured and how they are implemented.
Remember to Implement Additional Safeguards for Mobile Devices
One area where HIPAA-covered entities could potentially violate HIPAA Rules is the use of Google Hangouts on mobile devices. Google does have very good security controls that can alert users to potential unauthorized access to their Google account. These should be configured to ensure inappropriate access attempts are discovered rapidly. Controls should also be implemented on mobile devices to ensure that the devices are secured in case of loss or theft.
Access controls on the device should be applied to stop the device, and any ePHI stored on it, from being easily accessed. Policies and processes should also be developed to ensure lost and stolen devices are reported quickly, and actions taken to secure accounts. It is also recommended to switch on controls that allow lost and stolen devices to be located, locked, and remotely erased.