HIPAA Compliance & Google Voice

Google Voice is a widely-used and intuitive telephony service that incorporates voicemail, voicemail transcription to text, the functionality to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for private use.

For the service to be used in healthcare along with any protected health information (PHI) it must be possible to use it in a HIPAA compliant fashion.

That means the service must be included in the conduit exemption rule – which was brought in when the HIPAA Omnibus Final Rule became active – or it must include a range of controls and security measures to meet the requirements of the HIPAA Security Rule.

As with SMS, faxing and email, Google Voice is not classified as a conduit which means that in order for Google Voice to be HIPAA compliant, the service would need to meet the requirements of the HIPAA Security Rule.

There must be, included, access and authentication controls, audit controls, integrity controls, and transmission security for messages broadcast via the service. Google would also need to guarantee that any data stored on its servers are safeguarded to the standards necessary for HIPAA. HIPAA-covered bodies would also need to receive satisfactory assurances that is the case, in the guise of a HIPAA-compliant business associate agreement (BAA).

Therefore, before Google Voice could be used along with any protected health information, the covered body must complete a BAA with Google.

Google is keen to assist healthcare groups implementing its services, and is happy to complete a business associate agreement for G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend companies use its free consumer services for business use, as they have been developed with consumers’ personal use in mind.

Google Voice is a consumer service and is not part of G Suite, Google Apps, or Google Cloud and neither is it referred to in its BAA.

So can Google Voice be deemed HIPAA compliant? The answer is No. This will remain to be the case until such point that Google releases a version of Google Voice for businesses, and will incorporate it in its business associate agreement, it should not be deployed by healthcare groups or healthcare workers in a professional capacity.

Using Google Voice with any protected health information would currently be deemed a breach of HIPAA Rules.