Google Voice is not HIPAA compliant by default, and it can be used in a HIPAA-regulated context only when it is deployed under a business account arrangement that includes a signed Business Associate Agreement and the service is configured and managed to meet HIPAA Security Rule and HIPAA Privacy Rule requirements.
HIPAA Compliance Standard
HIPAA compliance depends on whether a HIPAA Covered Entity or Business Associate can apply required administrative, physical, and technical safeguards to electronic protected health information and can limit uses and disclosures to permitted purposes. A communication tool becomes part of a HIPAA compliance scope when it creates, receives, maintains, or transmits protected health information, including voicemail content, call recordings, message content, call history, transcripts, contact details tied to care, and identifiers linked to a patient’s condition or treatment.
Consumer Use and Free Accounts
Google Voice offered as a consumer service does not provide a HIPAA compliance framework for covered healthcare communications because it is not intended to operate under a HIPAA Business Associate Agreement for protected health information use. Using a consumer deployment for patient communications can create impermissible disclosure risk and can leave an organization without the contractual assurances and controls required for a vendor that handles protected health information.
Business Deployment and Business Associate Agreement Requirements
A HIPAA-regulated organization can consider Google Voice only in a business deployment where Google contractually agrees to Business Associate obligations through a Business Associate Agreement that covers the applicable services used to handle protected health information. A signed Business Associate Agreement is a baseline requirement for any vendor service that stores or transmits protected health information on behalf of a HIPAA Covered Entity or Business Associate.