Google Voice is HIPAA compliant when it is used as part of a Google Workspace Enterprise subscription that has the capabilities needed to support HIPAA compliance and is supported by a signed Business Associate Agreement. However, the free version of Google Voice cannot be used to collect, share, or transmit Protected Health Information (PHI).
When a service is going to be used with protected health information (PHI), it is essential that it be fully compliant with the HIPAA Rules. To be HIPAA compliant, the service should either be covered by the conduit exemption rule or employ controls and safety measures that meet the requirements of the HIPAA Security Rule. Google Voice isn’t classified as a conduit, so the only way the service can be used in connection with PHI is if it is covered by Google’s business associate agreement.
The requirements of HIPAA compliance are listed below:
- There should be controls on access and authentication, audit, integrity, and message transmission.
- The data files stored on Google’s servers should be secured to the standards demanded by the HIPAA Security Rule.
- The service provider should first enter into a business associate agreement (BAA). The BAA provides assurances that the service meets HIPAA standards and the service provider is fully aware of its responsibilities under HIPAA.
So for Google Voice to be HIPAA compliant, Google must sign a BAA that covers Google Voice. Will Google do so? Google is ready to sign a BAA for its collection of Workspace products and services. Initially, Google Voice was only a consumer product, so it was not covered by the BAA. Google will not sign a BAA covering its free consumer services since these services were designed for personal use. That will not change. What has changed is that Google now offers a business version as part of Workspace. Google Voice for Workspace is now covered by the BAA and can therefore be used in connection with PHI.
So, Google Voice for Workspace is a HIPAA compliant service provided a BAA is obtained. The free, consumer version of Google Voice is not HIPAA compliant, and cannot be used in connection with PHI. If the consumer version is used to collect, share, or transmit PHI, it would violate HIPAA Rules.