The HIPAA Guide - Celebrating Over 15 Years Online

Is Google Meet HIPAA Compliant?

March 20, 2023HIPAA Advice Articles0

Is Google Meet HIPAA Compliant?

Google Meet is HIPAA compliant for meetings between healthcare professionals and for providing telehealth services to patients subject to safeguards being implemented to ensure the service is configured and used correctly. It is also necessary to enter into a Business Associate Addendum with Google to ensure the use of Google Meet is HIPAA compliant.

Google Meet is a video communication service similar to Zoom and Skype that can be used as a standalone application or integrated with other tools in the Google Workspace productivity suite. Because of its ease of use, Google Meet is a popular choice among healthcare professionals for conducting remote consultations, virtual patient visits, and other telehealth services.

With regards to the question is Google Meet HIPAA compliant, the answer is no software is HIPAA compliant. Although Google Meet’s capabilities can support HIPAA compliance, compliance depends on how the service is configured and used; and – if the service is going to be used to collect, receive, maintain, or transmit PHI – whether Google is willing to sign a Business Associate Agreement.

There are Several Google Meet Options

Google Meet can be used as a standalone application or as part of the Google Workspace productivity suite. However, only organizations that subscribe to the Google Workspace Enterprise Plan have access to administrative controls that can make the use of Google Meet HIPAA compliant – such as separating organizational units and applying different permissions that support HIPAA compliance to each unit.

In some smaller organizations, the separation of organizational units may not be a priority, However, this would mean disabling some services for all users and configuring settings so that every user had the minimum necessary use of the service. Depending on the purpose(s) for deploying Google Meet, limiting all services could impact organizational efficiency and productivity.

The Enterprise Plan also includes several features that can simplify user monitoring and PHI management. For example, File Exposure Reports can advise system administrators when files are shared with external domain users so safeguards can be implemented that prevent PHI being inadvertently disclosed to unauthorized third parties.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

User Behavior is an Important Consideration

User behavior is an important consideration because users have to take care not to disclose more than the minimum necessary PHI during Meet calls, be careful not to share PHI on screen with unauthorized third parties, and ensure both they and the other participants in the call use Google Meet in a private area where they cannot be overheard or their screens overlooked.

Good user behavior comes naturally for some healthcare professionals, but for others it can be a struggle due to an eagerness to be helpful. Training on how to use Google Meet compliantly can contribute towards improving user behavior, but it may also be necessary to send periodic security reminders – an implementation specification in the security training standard (§164.308).

A BAA Alone does Not Make Google Meet HIPAA Compliant

Google is willing to enter into a Business Associate Agreement with Covered Entities that subscribe to a Google Workspace Enterprise Plan. However, rather than signing Covered Entities’ Agreements, Google requires Covered Entities to sign its own Business Associate Addendum. This is due to the scale of services offered by Google and the need to provide services consistently.

Additionally, Google states that entering into a Business Associate Addendum does not make Google Meet HIPAA compliant. In the Google Workspace HIPAA Implementation Guide, Google notes:

“Customers are responsible for determining if they are a Business Associate (and whether a HIPAA Business Associate Agreement with Google is required) and for ensuring that they use Google services in compliance with HIPAA. Customers are responsible for fulfilling an individual’s right of access, amendment, and accounting in accordance with the requirements under HIPAA”.

If you are in any doubt about whether Google Meet is an appropriate video communication service for your organization, whether it can be configured to comply with your HIPAA policies, and whether members of the workforce will use Google Meet compliantly, it is possible to take advantage of a fourteen-day free trial of the service. We recommend during the free trial that the service is tested with de-identified PHI to prevent inadvertent violations of the Privacy Rule.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/

Copyright © 2007-2024 The HIPAA Guide       Site Map      Privacy Policy       About The HIPAA Guide       Terms and Conditions       Accessibility Statement