The Google services formerly known as Google Hangouts are HIPAA compliant for creating, receiving, transmitting, and sharing Protected Health Information under two conditions: they are used as Google Chat and Google Meet within a Google Workspace account that supports HIPAA compliance, and the HIPAA Covered Entity or Business Associate agrees to Google’s Business Associate Addendum before any Protected Health Information is disclosed through the services.
Google Hangouts launched in 2013 as a cross-platform messaging service that supported chat, voice, and video communications. The service evolved through multiple product changes. In 2017, Hangouts was divided into Hangouts Chat and Hangouts Meet. In 2020, Hangouts Chat and Hangouts Meet were rebranded as Google Chat and Google Meet when G Suite was rebranded as Google Workspace. Google Chat and Google Meet remain available at no cost for personal Google customers.
Use of Google Chat and Google Meet by HIPAA-regulated organizations depends on whether Protected Health Information is involved. Organizations with a Google Workspace subscription can use Google Chat and Google Meet without additional HIPAA steps when the services are not used to create, collect, store, or transmit Protected Health Information. When Protected Health Information is used or disclosed through Google Chat or Google Meet, an Enterprise Google Workspace subscription is required and the organization must agree to Google’s Business Associate Addendum.
The Business Associate Addendum and the related Terms of Service place compliance obligations on HIPAA-covered customers. Obligations include using Google Workspace services with included functionality in compliance with HIPAA, taking reasonable precautions to prevent unauthorized access to any Google Workspace service, and reporting unauthorized use to Google.
Google provides a HIPAA Implementation Guide to support configuration of Google Chat and Google Meet for regulated use. The guide includes configuration recommendations for controlling the visibility of shared files and folders stored in Google Drive and for implementing Data Loss Prevention in Google Chat to reduce the risk of files being shared in a manner that violates organizational policy.
Operational compliance also depends on workforce practices. Training is required so workforce members understand when communications can involve Protected Health Information and how to use Google Chat and Google Meet within organizational policies and procedures. Training content can vary based on how the services are used, including whether workforce members communicate with patients through Google Chat when a patient requests confidential communications or whether the organization provides telehealth services through Google Meet. Organizations that are uncertain about their obligations under the Terms of Service and the Business Associate Addendum, or that need assistance with configuration and training, can obtain professional compliance guidance before permitting Protected Health Information on these services.
