Can healthcare providers and their employees utilize Google Voice? Is this telephony service HIPAA compliant? Google Voice is a service that includes voicemail and voicemail transcription to text, and also allows text messages to be delivered free of charge. With its handy functions, a lot of healthcare professionals want to use it at work as well as for personal use.
When a service is going to be used with protected health information (PHI), it is essential for it to be fully compliant with HIPAA Rules. To become HIPAA compliant, the service should be covered by the conduit exemption rule or it should employ controls and safety measures that meet the requirements of the HIPAA Security Rule. Google Voice isn’t classified as a conduit so the only way that the service could be used in connection with PHI is if Google Voice is covered by Google’s business associate agreement.
The requirements of HIPAA compliance are listed below:
- There should be controls on access and authentication, audit, integrity, and message transmission.
- The stored data files on the servers of Google should be secured to the standards demanded by the HIPAA Security Rule.
- The service provider should first enter into a business associate agreement (BAA). The BAA provides assurances that the service meets HIPAA standards and the service provider is fully aware of its responsibilities under HIPAA.
So for Google Voice to be HIPAA compliant, Google must sign a BAA that covers Google Voice. Will Google do so? Google is ready to sign a BAA for its collection of G Suite products and services. Initially, Google Voice was only a consumer product so was not covered by the BAA. Google will not sign a BAA covering its free consumer services since these services were designed for personal use. That will not change. What has changed, is Google now offers a business version as part of G Suite. Google Voice for G Suite is now covered by the BAA and can therefore be used in connection with PHI.
So, Google Voice for G Suite is a HIPAA compliant service provided a BAA is obtained. The free, consumer version of Google Voice is not HIPAA compliant, and cannot be used in connection with PHI. If the consumer version is used, it would violate HIPAA Rules.