Is Google Meet HIPAA Compliant?

Google Meet can be used in compliance with HIPAA when it is provided under an eligible Google Workspace Business plan or Cloud Identity account that includes a signed Business Associate Addendum, and when the service is configured and administered to meet the HIPAA Security Rule requirements for electronic protected health information.

When Google Meet Supports HIPAA Compliance

A HIPAA Covered Entity or Business Associate may use Google Meet to create, receive, maintain, or transmit electronic protected health information when the organization subscribes to a qualifying Google Workspace Business plan or Cloud Identity account and accepts Google’s Business Associate Addendum.

The Business Associate Addendum identifies which Google services are covered and assigns compliance responsibilities between Google and the customer organization.

Business Associate Addendum Limitations

A Business Associate Addendum does not, by itself, make a videoconferencing deployment compliant with HIPAA.

Administrative and technical controls still require configuration, enforcement, and monitoring by the customer organization, including access management, recording restrictions, and controls over storage locations for meeting artifacts.

Configuration And Administrative Controls

Organizations using Google Meet for sessions involving electronic protected health information should configure settings to support the Technical Safeguards of the HIPAA Security Rule.

Controls commonly addressed include authenticated access, meeting access restrictions, host and participant permissions, control of meeting recordings, and governance for files stored in Google Drive when recordings or related content are saved there.

Meeting invitations and meeting metadata can contain protected health information, including patient names and visit details, and should be treated as regulated content under organizational policy.

Recording And Storage Considerations

Recording a Google Meet session is not prohibited by HIPAA when recordings are stored in a Google Drive environment that is covered by the Business Associate Addendum and configured to comply with the HIPAA Security Rule.

Recording capability is not uniformly available across account types, and organizations should verify licensing and administrative controls before permitting recording for sessions involving electronic protected health information.

Use Of Free Consumer Accounts

A HIPAA Covered Entity cannot rely on the free version of Google Meet for telehealth consultations involving electronic protected health information because the free service does not include a Business Associate Addendum and does not provide the administrative features expected for HIPAA Security Rule alignment.

Patients may choose to use consumer services for communications, but workforce communications that involve electronic protected health information remain subject to HIPAA organizational requirements.

Third-Party Applications And Integrations

Third-party applications used with Google Workspace are not covered by Google’s Business Associate Addendum.

Each vendor that creates, receives, maintains, or transmits electronic protected health information on behalf of a HIPAA Covered Entity or Business Associate requires its own Business Associate Agreement, along with configuration and oversight by the customer organization.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years of experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA