Note: Google Hangouts was retired in November 2022. The instant messaging capabilities of the service were replaced by Google Chat, and the video chat and VoIP capabilities were replaced by Google Meet. You can read about these changes in the following articles:
Healthcare providers often question whether Google services are HIPAA compliant, including whether Google Hangouts is HIPAA compliant. Can Google Hangouts be used by healthcare providers to send and receive protected health information (PHI)?
Google Hangouts is a cloud-based communication platform with four components: SMS, video chat, VoIP, and an instant messaging service. Google Hangouts evolved from the Hangouts video chat system and has replaced Huddle (Google+ Messenger).
Google is prepared to sign a business associate agreement (BAA) for G Suite, which presently covers Google’s core services – Gmail, Calendar, Google Drive (which includes Google Docs, Google Sheets, Google Forms and Google Slides), Apps Script, Google Keep, Google Sites, Jamboard, Google Cloud Search, Vault (if applicable), Google Hangouts (chat messaging only) and Hangouts Meet. The BAA does not cover Google+, Google Groups and Google Contacts, so those services cannot be used with PHI. Google additionally recommends that users deactivate non-core G Suite products, namely Blogger, YouTube and Google Photos.
Therefore, selected elements of Google Hangouts are compliant with HIPAA Rules and may be used by HIPAA-covered entities without breaking HIPAA Rules, so long as the covered entity enters into a BAA with Google before using the services with PHI. Nonetheless, even with a signed BAA, not all aspects of Google Hangouts are HIPAA compliant, so covered entities need to be cautious. The BAA does not cover video chat, SMS and VoIP, so those should never be used with PHI. To be sure that Google Hangouts is used without violating HIPAA, refer to the guide for healthcare providers released by Google.
If your organization chooses to allow employees to use Google Hangouts, you should make it clear in your policies and procedures how the service can be used with respect to PHI. Employees must undergo training on the proper use of Google Hangouts. If your organization can’t do without video chat, it is recommended to find an alternative platform that is HIPAA compliant.
When using Google Hangouts on mobile devices, HIPAA-covered entities need to understand the limitations of the platform. Controls must be implemented to ensure that devices are secured, and in the event that mobile devices are lost or stolen, PHI is never exposed.