Is Google Hangouts HIPAA Compliant?


Healthcare organizations often ask about the HIPAA compliance of Google services. One Google product that particularly caused some misunderstandings is Google Hangouts. Can healthcare professionals use Google Hangouts to send and receive protected health information (PHI)? Is it HIPAA Compliant?

Google Hangouts is Google’s video chat system that took the place of Huddle or Google+ Messenger. It is a communication platform that is cloud-based and incorporates four various elements including VOIP, Video chat, SMS and instant messaging.

When Google signs a business associate agreement (BAA) with an entity to use G Suite, the agreement does not cover all Google services. Only the following Google services are covered by the BAA: Gmail, Google Drive (Google Docs, Google Slides, Google Sheets, and Google Forms), Calendar, Apps Script, Keep, Jamboard, Sites, Google Cloud, Vault (If applicable), Search, Google Hangouts (Chat messaging) and Hangouts Meet.

The following Google services are not covered by the BAA: Google Contacts, Google Groups and Google+. These cannot be used together with PHI. Google tells users to deactivate the non-core services in regards to G suite – for instance YouTube, Google Photos and Blogger.

Certain components of Google Hangouts are considered HIPAA compliant and HIPAA covered entities can use them without breaking HIPAA Rules, as long as the entity has entered into a BAA with Google before using the services with PHI.

But, even if a BAA is signed, covered entities must be careful because not all components of Google Hangouts are HIPAA compliant. The BAA does not cover video chat, SMS and VOIP so these must not be used.

To make the use of Google Hangouts HIPAA compliant, healthcare organizations must refer to the user guide released by Google.

The HIPAA compliance of Google Hangouts Depends on Users

If using Google Hangouts in an organization, it is essential to have policies and procedures that deal with the allowable uses of Google Hangouts with regards to PHI. Employees should have training on the proper usage of the platform. They should know which elements of Google Hangouts they can use and cannot use. If your organization needs to use video chat, you should find an alternative HIPAA-compliant platform.

Simply getting Google to sign a BAA does not guarantee HIPAA compliance. How the Google product is configured and used should also be checked for compliance.

Remember to Employ More Safety measures for Mobile Devices

HIPAA-covered entities could possibly violate the HIPAA Rules when using Google Hangouts on mobile gadgets. Google has exceptional security controls that notify users when their Google account was potentially accessed by an unauthorized person. These controls must be set up so that unauthorized access attempts are detected instantly. Controls must likewise be applied on mobile devices to protect the devices in case of theft or loss.

There should access controls on the device implemented to keep the device including any ePHI stored on it, from unauthorized access. Policies and procedures must be created that require reporting of lost and stolen devices promptly so that action can be taken to protect accounts. It is additionally preferred to have controls that track or remotely lock devices that are lost or stolen.