Is Google Voice HIPAA Compliant?

Google Voice is HIPAA compliant provided the service is used as an add-on to a HIPAA-enabled Workspace account, licenses are assigned to managed users, and the Google Voice account is configured to prevent impermissible disclosures of Protected Health Information to non-compliant services.  

Google Voice is a versatile voice and text communication service that enables subscribers to use the same number across multiple devices. Subscribers can choose which devices they receive calls and messages on, connect the service to Google Calendar to set when they are available, and access the service via Gmail to read transcriptions of voicemail messages.

In the healthcare industry, Google Voice can be a valuable service for workforce members who switch between environments served by a combination of landline and mobile phones. The service can also be configured to forward calls to an alternate number, to the next available number, or to a group of numbers when a workforce member is unavailable.

However, when using the service to create, receive, store, or transmit Protected Health Information (PHI), it is necessary to make Google Voice HIPAA compliant. This involves subscribing to a HIPAA enabled Google Workspace account, purchasing and assigning Google Voice licenses to managed users, configuring the service to support HIPAA compliance, and training managed users how to use Google Voice in compliance with HIPAA.

What is a HIPAA Enabled Google Workspace Account?

A HIPAA enabled Google Workspace account is a business Workspace account in which services with “covered functionality” can be used under Google’s Business Associate Addendum. There are a number of business Workspace accounts that meet these criteria, and HIPAA covered entities should conduct a HIPAA risk assessment to identify the most suitable.

Google’s Business Associate Addendum is a standard HIPAA Business Associate Agreement explaining both parties’ HIPAA responsibilities. Account administrators must agree to the terms of the Addendum before PHI is disclosed to any Google Workspace service. Google will not enter into subscribers’ Business Associate Agreements, nor amend its own Addendum.

It is important to note that although Google Voice is listed as a “covered service”, it is not included in any Google Workspace plan. Google Voice has to be purchased as an add-on to a Google Workspace plan in order to be covered by the Google Business Associate Addendum. It is not possible to subscribe to the service separately and be HIPAA compliant because of the way in which Google Voice integrates with other Google services.

Google provides a range of support articles on “Setting up Voice for Your Organization” which includes a guide to ensuring the network supports voice traffic, an explanation of how to purchase and assign Google Voice licenses through the Admin console, and how to migrate existing unmanaged users to managed users. This final stage may be necessary if members of the workforce already subscribe to a personal or non-covered service.

Making Google Voice HIPAA Compliant

The process for making Google Voice HIPAA compliant depends on whether the organization has an existing HIPAA enabled Google Workspace account that is configured to support HIPAA compliance, and whether all members of the workforce will have access to the service. If the organization does not yet have a HIPAA enabled Google Workspace account, it is recommended to follow the advice in Google’s HIPAA Implementation Guide.

The significance of who has access to Google Voice is that an organization may have a hundred workforce members who use the HIPAA enabled Google Workspace account, but it only needs to support HIPAA compliance for twenty “managed” Google Voice users. In this case, it will be necessary to create a separate organizational unit (via the Admin portal) and enable Google Voice for the twenty workforce members in the newly created organizational unit.

With regard to specifically making Google Voice HIPAA compliant, it will be necessary to configure the service so that call forwarding is limited to Google Voice numbers within the organizational unit. It will also be necessary to disable the export capability, Google Assistant, Siri (on iOS devices), and Gemini AI (unless Gemini for Google Workspace has been purchased as a Workspace add-on and is configured to support HIPAA compliance).

It is also recommended to disable the option to purchase add-ons from the Google Marketplace or download third-party apps. While some Marketplace add-ons and third-party apps can enhance Google Voice and other Google Workspace services, many are not HIPAA compliant and could undermine the organization’s efforts to comply with HIPAA. According to a Google blog post, it is estimated that a third of all data breaches are attributable to unsanctioned apps.

What HIPAA Training is Required for Google Voice?

Most members of the workforce will intuitively understand how Google Voice works because it is similar in operation to other voice and messaging apps (e.g., WhatsApp). Any operational training that may be necessary will relate to how workforce members can control when Google Voice works (i.e., by connecting it to Google Calendar) or access the service via Gmail to make phone calls, send texts, and read transcriptions of voicemail messages.

With regard to HIPAA training, it may be necessary to remind users of the HIPAA telephone rules, the minimum necessary standard, and the right of patients to opt in or out of specific communication types. It may also be necessary to remind users of the desktop app to conduct voice calls in privacy, to verify the identity of the patient(s) they are talking to, and to comply with FCC guidelines relating to the frequency and duration of telephone calls.

Healthcare organizations that require more information about making Google Voice HIPAA compliant are advised to speak with sales or review the content of the Google Voice Help pages. Healthcare organizations that require more information about conducting a HIPAA risk assessment or providing HIPAA training to members of the workforce are advised to speak with an independent compliance professional.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/