Google Voice is HIPAA compliant only when used as Google Voice for Workspace under a business Google Workspace or Cloud Identity plan with a signed Business Associate Addendum with Google, and when the organization configures and manages the service to comply with the HIPAA Privacy Rule and HIPAA Security Rule. The free consumer version of Google Voice must not be used for protected health information.
Google qualifies as a Business Associate when Google Voice is used to create, receive, maintain, or transmit protected health information on behalf of a HIPAA Covered Entity. The HIPAA Covered Entity must obtain satisfactory assurances that protected health information will be safeguarded, and those assurances are documented in a business associate agreement. Google provides those assurances through a standard Business Associate Addendum for healthcare organizations subscribing to an eligible business account, and the terms of the addendum define the scope of covered services and responsibilities.
Google Voice for Workspace is covered by the Business Associate Addendum for eligible customers when the service is used within the covered business account. The free consumer version should not be used by healthcare organizations or workforce members for professional communications involving protected health information because it lacks the controls required to support compliance and Google will not enter into a Business Associate Addendum for that version.
HIPAA compliant use depends on configuration and internal governance by the HIPAA Covered Entity. Google Voice should be configured to apply access and authentication controls, audit controls, integrity controls, and transmission security for communications containing protected health information, including voicemail and voicemail transcription when those features are used with protected health information. Administrative controls include assigning the service to managed users and training users on approved workflows to prevent disclosures to personal accounts or noncovered services.
Google Voice is not treated as a conduit under HIPAA because the conduit concept applies to services with only transient access to protected health information, while cloud communications can have persistent access when copies of information are stored on vendor systems. Organizations should document service selection, configuration settings, and user restrictions in their HIPAA Security Rule compliance documentation.

