Google Meet can be used in a HIPAA compliant manner for meetings between healthcare professionals and for providing telehealth services to patients, subject to safeguards being implemented to ensure the service is configured and used correctly. It is also necessary to enter into a Business Associate Addendum with Google before the service is used to create, receive, maintain, or transmit PHI.
Google Meet is a video communication service similar to Zoom and Skype that can be used as a standalone application or integrated with other tools in the Google Workspace productivity suite. Because of its ease of use, Google Meet is a popular choice among healthcare professionals for conducting remote consultations, virtual patient visits, and other telehealth services.
With regard to the question of whether Google Meet is HIPAA compliant, the strict answer is that no software is HIPAA compliant in itself. Although Google Meet’s capabilities can support HIPAA compliance, compliance depends on how the service is configured and used; and – if the service is going to be used to collect, receive, maintain, or transmit PHI – on whether Google is willing to sign a Business Associate Agreement.
There are Several Google Meet Options
As mentioned previously, Google Meet can be used as a standalone application or as part of the Google Workspace productivity suite. However, only organizations that subscribe to the Google Workspace Enterprise Plan have access to administrative controls such as separating organizational units and applying different permissions to each unit that support HIPAA compliance.
In some smaller organizations, separating organizational units may not be a priority. However, without that separation, any service that is not needed for PHI-related work would have to be disabled for all users, and settings configured so that every user has only the minimum necessary use of the service. Depending on the purpose(s) for deploying Google Meet, restricting all services in this way could impact organizational efficiency and productivity.
The Enterprise Plan also includes several features that can simplify user monitoring and PHI management. For example, File Exposure Reports can advise system administrators when files are shared with external domain users so safeguards can be implemented that prevent PHI being inadvertently disclosed to unauthorized third parties.
User Behavior is an Important Consideration
User behavior is an important consideration because users have to take care not to disclose more than the minimum necessary PHI during Meet calls, avoid sharing PHI on screen with unauthorized third parties, and ensure that both they and the other participants in the call use Google Meet in a private area where they cannot be overheard and their screens cannot be overlooked.
Good user behavior comes naturally to some healthcare professionals, but for others it can be a struggle due to an eagerness to be helpful. Training on how to use Google Meet compliantly can improve user behavior, but it may also be necessary to send periodic security reminders – an addressable implementation specification of the security awareness and training standard (§164.308(a)(5)).
A BAA Alone does Not Make Google Meet HIPAA Compliant
Google is willing to enter into a Business Associate Agreement with Covered Entities that subscribe to a Google Workspace Enterprise Plan. However, rather than signing Covered Entities’ own agreements, Google requires Covered Entities to accept its standard Business Associate Addendum. This is due to the scale of services offered by Google and the need to provide those services consistently to all customers.
Additionally, Google states that entering into a Business Associate Addendum does not make Google Meet HIPAA compliant. In the Google Workspace HIPAA Implementation Guide, Google notes:
“Customers are responsible for determining if they are a Business Associate (and whether a HIPAA Business Associate Agreement with Google is required) and for ensuring that they use Google services in compliance with HIPAA. Customers are responsible for fulfilling an individual’s right of access, amendment, and accounting in accordance with the requirements under HIPAA”.
If you are in any doubt about whether Google Meet is an appropriate video communication service for your organization, whether it can be configured to comply with your HIPAA policies, and whether members of the workforce will use Google Meet compliantly, it is possible to take advantage of a fourteen-day free trial of the service. We recommend that, during the free trial, the service is tested with de-identified data rather than real PHI to prevent inadvertent violations of the Privacy Rule.