Is Google Chat HIPAA Compliant?


Google Chat is HIPAA compliant when the messaging service is used as part of a Workspace account that has been configured to support HIPAA compliance and when the service is covered by a Business Associate Addendum to the Workspace Terms of Service.

Why the Plan is Important

Google Chat can be used as a standalone application or as part of a Google Workspace subscription. As a standalone application or as part of a free plan, Google Chat is not HIPAA compliant because Google will not enter into a Business Associate Addendum with non-paying customers.

If an organization subscribes to a Business or Enterprise Workspace plan, an Addendum is automatically entered into by both parties – although Google recommends reviewing and accepting the Addendum before using any covered service to create, receive, store, or transmit PHI.

The decision about which Workspace plan to subscribe to may depend on how many employees are going to use Google Workspace services and how Google Chat is going to be used. If more than 300 employees are going to use Google Workspace services, there is no option but to opt for the Enterprise plan.

The Enterprise plan includes client-side encryption for protecting Google Chat notification emails from unauthorized access. It may be important for healthcare providers with fewer than 300 employees to consider this option if using Google Chat to collaborate with external partners.

Making Google Chat HIPAA Compliant

Once subscribed to a Business or Enterprise Workspace Plan, system administrators can take advantage of Google's HIPAA Implementation Guide to configure services covered by the Addendum to be HIPAA compliant. To make Google Chat HIPAA compliant, the Guide recommends:

  • Disabling all users by domain (unless required for other Workspace services).
  • Limiting authorized employees to Organizational Units (or Chat groups).
  • Whitelisting trusted external participants and blocking all others.
  • Managing what information can be shared externally.
  • Restricting link sharing when external sharing is turned on.
  • Selecting the appropriate visibility level for each Organizational Unit.
  • Setting up Data Loss Prevention Rules (Enterprise subscriptions only).
  • Disabling the option to allow third-party apps and integrations.

It is important to be aware that these are only recommendations. Google Chat will continue to be HIPAA compliant if (for example) link sharing is not restricted when external sharing is turned on – although the failure to restrict links from external participants could increase the risk of a malware attack.

Training Employees to Use Google Chat Compliantly

Google's HIPAA Implementation Guide offers little advice on how employees should be trained to use Google Chat compliantly – mentioning only that PHI should not be used in the names of files, folders, or shared Drives, or used when naming a room in Spaces (the area of Chat in which files are shared).

Therefore, it is advisable to integrate training on how to use Google Chat compliantly into HIPAA awareness training. Although not all members of the workforce may be using Google Chat, many messaging and collaboration best practices for Google Chat apply to other online communications.

Additionally, if your organization has only just started using Google Chat, user logs should initially be monitored regularly. This is because many users familiar with other types of messaging services may be unfamiliar with the restrictions applied to make Google Chat HIPAA compliant and may attempt to circumvent them in order to “get the job done”.

Finally, configuring Google Chat to be HIPAA compliant and training members of the workforce to use the service in compliance with HIPAA requires a certain amount of technical knowledge. If your organization does not have adequate resources to make Google Chat HIPAA compliant or provide sufficient training, it is recommended you seek professional compliance help.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/