Is Google Meet HIPAA Compliant?

Yes, Google Meet can be made HIPAA compliant when a Business Associate Agreement (BAA) is in place. A BAA is a legal contract that outlines the responsibilities and obligations of a service provider (Google) when handling Protected Health Information (PHI) on behalf of a covered entity (healthcare organization). If Google signs a BAA with a healthcare organization, it indicates its commitment to comply with HIPAA regulations and protect patient privacy. Having a BAA in place is not the only factor in achieving HIPAA compliance. Healthcare organizations must also configure and use Google Meet in a manner that adheres to HIPAA security and privacy standards. This might involve implementing additional security measures and following best practices to ensure the protection of patient information during video conferencing sessions.

Due to the expiry of OCR’s enforcement discretion for telehealth remote communications during the COVID-19 public health emergency, it has become more important that Covered Entities know how to use video communication services such as Google Meet in compliance with HIPAA. In April 2020, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that, due to the nationwide COVID-19 public health emergency, it would refrain from taking enforcement action against covered health care providers for the lack of a BAA with video communication vendors, or for other noncompliance with some (but not all) of the HIPAA Rules, where that noncompliance relates to the good faith provision of telehealth services.

The announcement included a list of vendors that indicated they provided HIPAA compliant, non-public facing video communication services such as Skype for Business, Microsoft Teams, Amazon Chime, and Google’s G Suite (now known as Google Workspace). The Notification of Enforcement Discretion went into effect on March 17, 2020, and was to remain in effect until the Secretary of HHS declared the public health emergency no longer existed.

On April 11, it was announced that the COVID-19 public health emergency would not be renewed beyond its current expiry date of May 11. However, rather than terminating all enforcement discretion on May 11, OCR is going to implement a 90-day transition period for telehealth services – giving Covered Entities additional time to use video communication services such as Google Meet in compliance with HIPAA.

How to Use Google Meet in Compliance with HIPAA

The purpose of explaining how to use Google Meet in compliance with HIPAA – rather than any other video communication service – is that Google has produced a HIPAA implementation guide to help Covered Entities configure services in the Workspace suite so that the appropriate safeguards are in place to protect the confidentiality, integrity, and availability of electronic PHI. Most of the safeguards exist in other video communication services – albeit sometimes under a different name.

At this point, it is important to be aware that no software is HIPAA compliant – not even when configured correctly. It is how the software is used that determines HIPAA compliance and therefore Covered Entities need to make sure users are trained on how to use Google Meet so that they do not inadvertently share PHI with unauthorized individuals or disclose more than the minimum necessary PHI when discussing a patient’s case with a healthcare provider.

It may also be important where the software is being used. If, for example, a healthcare provider has a telehealth consultation with a patient from a busy office, it is possible that the consultation will be overheard or the screen overlooked. While most healthcare professionals are aware of what environments telehealth consultations should be conducted in, Covered Entities may have to develop policies to ensure employees use Google Meet in compliance with HIPAA.

Other Requirements to Use Google Meet Compliantly

There are two other requirements to use Google Meet in compliance with HIPAA. The first is that the Covered Entity subscribes to an Enterprise Workspace Plan. This is necessary because other subscription plans do not include the safeguards necessary to protect electronic PHI and monitor user activity. This is not a requirement unique to Google. Other video communication services also require that Covered Entities subscribe to a specific level of service to access compliance tools.

The second requirement applies to all software vendors – that a Business Associate Agreement is in place before a third-party service is used to transmit electronic PHI. Google will not sign individual Covered Entities’ Business Associate Agreements and insists that Covered Entities sign its Business Associate Addendum. This is because Google offers a wide range of services and has to provide a consistent level of service to each customer.

While these requirements may come as a shock to Covered Entities that have been using a less-secure version of Google Meet and/or have been using Google Meet without a Business Associate Agreement in place, the opportunity exists to take advantage of a 14-day free trial of the Enterprise Plan. This will not only allow Covered Entities to see if Google Meet is the best video communication service for their needs, but also provide an opportunity for healthcare providers to learn how to use Google Meet in compliance with HIPAA before enforcement resumes in August.