Google Hangouts & HIPAA Compliant

Healthcare groups often inquire about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the most recent incarnation of the Hangouts video chat system, and has replaced Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that includes four different elements: Video chat, SMS, VOIP, and an instant messaging service.Google will complete a business associate agreement for G Suite, which presently includes the following Google core services

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (If applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

The Business Associate Agreement does not include Google Groups, Google Contacts, and Google+, none of which can be used in tandem with protected health information. Google also advises users to turn off the use of non-core services in relation to G suite – for example YouTube, ​Blogger ​and Google ​Photos.

So, certain parts of Google Hangouts are HIPAA compliant and can be used by HIPAA covered entities without breaching HIPAA Rules, provided that prior to the use of the services with PHI, the covered entity has completed a business associate agreement with Google.

However, even with a BAA in place, not all aspects of Google Hangouts are HIPAA compliant, so covered entities must be careful. Video chat for instance, is not included in the BAA so cannot be used, and neither the SMS and VOIP options.

To assist in making Google Hangouts HIPAA compliant, Google has published a guide for healthcare organizations.

Users Instrumental in Making Google Hangouts HIPAA Compliant

If you opt to allow the use of Google Hangouts in your ogroup, it important to understand the allowable uses of Google Hangouts with respect to PHI through policies and procedures. Employees must be trained on the correct use of the platform, and instructed which elements of Google Hangouts can be used and which are forbidden. If video chat is important for your group, you should seek a HIPAA-compliant alternative service.

Simply obtaining a BAA from Google is no guarantee of HIPAA compliance – that will depend on how Google services are configured and how they are implemented.

Remember to Implement Additional Safeguards for Mobile Devices

One area where HIPAA-covered entities could possibly HIPAA Rules is the use of Google Hangouts on mobile devices. Google does have very good security controls that can alert users to potential unauthorized access of their Google account. These should be configured to ensure inappropriate access attempts are discovered rapidly. Controls should also be implemented on mobile devices to ensure that the devices are secured in case of loss or theft.

Access controls on the device should be applied to stop the device, and any ePHI stored on it, from being easily accessed. Policies and processes should also be developed to ensure lost and stolen devices are reported quickly, and actions taken to secure accounts. It is also recommended to switch on controls that allow lost and stolen devices to be located, locked, and remotely erased.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.