Is Google Voice HIPAA Compliant?

Can healthcare organizations and their employees use Google Voice? Is it HIPAA compliant? Google Voice is a telephony service that provides voicemail and voicemail-to-text transcription. It can also be used to send text messages for free. Because of these useful features, many healthcare professionals would like to use it not just for personal purposes but for work as well.

If a service will be used in any way with protected health information (PHI), it must first be HIPAA compliant. To be HIPAA compliant, the service must either be covered by the conduit exemption rule or implement controls and safeguards that satisfy the HIPAA Security Rule. Like SMS, fax and email services, Google Voice is not categorized as a conduit. So let's see if it satisfies the requirements of the HIPAA Security Rule.

Here is the list of requirements to be HIPAA compliant:

  • There must be access and authentication controls, audit controls, integrity controls and message transmission security.
  • The data stored on Google's servers must be safeguarded in line with HIPAA standards.
  • The service provider must first sign a business associate agreement (BAA) as a satisfactory assurance. The question is, will Google sign a BAA? Google is willing to sign a BAA for G Suite, but not for its free consumer services, because these services were intended for the personal use of consumers.

Google Voice is a free consumer service and is not part of G Suite, Google Cloud or Google Apps. Hence, Google Voice is not HIPAA compliant. It could be if Google releases Google Voice for businesses and signs a BAA. Until these requirements are met, using Google Voice in conjunction with any protected health information is a violation of HIPAA Rules.