Google Chat is HIPAA compliant when the messaging service is used as part of a Workspace account that has been configured to support HIPAA compliance and when the service is covered by a Business Associate Addendum to the Workspace Terms of Service.
Why the Plan is Important
Google Chat can be used as a standalone application or as part of a Google Workspace subscription. As a standalone application or as part of a free subscription, Google Chat is not HIPAA compliant because Google will not enter into a Business Associate Addendum with non-paying customers.
If an organization subscribes to a Business or Enterprise Workspace plan, an Addendum is automatically signed by both parties – although Google recommends reviewing and accepting the Addendum before using any covered service to create, receive, store, or transmit PHI.
The decision about which plan to subscribe to may depend on how many employees are going to use Google Workspace services and how Google Chat is going to be used. If more than 300 employees are going to use Google Workspace services, there is no option but to opt for the Enterprise plan.
The Enterprise plan includes client-side encryption for protecting Google Chat notification emails from unauthorized access. It may be important for healthcare providers with fewer than 300 employees to consider this option if using Google Chat to collaborate with external partners.
Making Google Chat HIPAA Compliant
Once subscribed to a Business or Enterprise Workspace Plan, system administrators can take advantage of Google’s HIPAA Implementation Guide to configure services covered by the Addendum to be HIPAA compliant. To make Google Chat HIPAA compliant, the Guide recommends:
- Disable Chat for all users at the domain level (unless it is required for other Workspace services).
- Limit authorized employees to specific Organizational Units (or Chat groups).
- Whitelist trusted external participants and block all others.
- Manage what information can be shared externally.
- Restrict link sharing when external sharing is turned on.
- Select the appropriate visibility level for each Organizational Unit.
- Set up Data Loss Prevention rules (Enterprise subscriptions only).
- Disable the option that allows third-party apps and integrations.
It is important to be aware that these are only recommendations. Google Chat will continue to be HIPAA compliant if (for example) link sharing is not restricted when external sharing is turned on – although failing to restrict links from external participants increases the risk of a malware attack.
Training Employees to Use Google Chat Compliantly
Google’s HIPAA Implementation Guide offers little advice on how employees should be trained to use Google Chat compliantly – mentioning only that PHI should not be used in the names of files, folders, or shared Drives, or used when naming a room in Spaces (the area of Chat in which files are shared).
Therefore, it is advisable to integrate training on how to use Google Chat compliantly into HIPAA awareness training. Although not all members of the workforce may be using Google Chat, many of the messaging and collaboration best practices for Google Chat also apply to other online communications.
Additionally, if your organization has only just started using Google Chat, user logs should initially be monitored regularly. Many users familiar with other messaging services may be unaware of the restrictions applied to make Google Chat HIPAA compliant and may attempt to circumvent them.
Finally, configuring Google Chat to be HIPAA compliant and training members of the workforce to use the service in compliance with HIPAA requires a certain amount of technical knowledge. If your organization does not have adequate resources to make Google Chat HIPAA compliant or provide sufficient training, it is recommended you seek professional compliance help.