Is Google Calendar HIPAA Compliant?


Google Calendar is one of the products and services offered in Google’s G Suite, which was launched in 2006. It is a tool used for time management and appointment scheduling. Would the use of this tool by healthcare organizations, which may involve adding protected health information (PHI) to it, be considered a violation of the HIPAA Rules?

Using a cloud service in connection with PHI is not allowed by the HIPAA Privacy Rules unless certain requirements are satisfied. First, the service must be subjected to a risk analysis to identify potential risks to the integrity, confidentiality and availability of electronic PHI (ePHI). Identified risks must be reduced to an acceptable level. Access controls must be in place so that sensitive information is viewable only by authorized persons and no unauthorized disclosures occur. An audit trail is also necessary for monitoring data access. Second, healthcare organizations must enter into a business associate agreement (BAA) with the service provider, in this case Google, before using the service and sharing ePHI. This is a must even if Google does not access any customer or user data.

Google Calendar has all the controls required by HIPAA. It has security controls, access controls and audit controls that can be configured to ensure the safety of PHI. Google is also ready to sign a BAA for the paid services, but not the free services, that healthcare organizations would like to use. Google’s BAAs cover G Suite, which includes Google Drive, Google Calendar, Google Hangouts, Google Keep, Hangouts Meet, Google Cloud Search, Jamboard, Google Sites and Google Vault.

After Google signs the BAA for any of the services mentioned above, the service can be used with ePHI. However, the covered entity remains responsible for ensuring that the services are configured correctly and used in compliance with the HIPAA Rules. Even if Google provides a HIPAA-compliant product or service, healthcare organizations and their employees could still misuse it and violate the HIPAA Rules.

In summary, Google Calendar is a HIPAA-compliant time management and appointment scheduling tool, provided that a BAA covers the use of the service and the service is configured appropriately to prevent the misuse or unauthorized disclosure of PHI.