Is Google Voice HIPAA Compliant?

Google Voice is a widely used and intuitive voice communication platform that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore no surprise that many healthcare workers would like to use the service at work as well as for personal use.

For the service to be used in healthcare in connection with any protected health information (PHI), it must be possible to use it in a HIPAA-compliant manner.

This means the service must either be covered by the conduit exemption rule, which was introduced when the HIPAA Omnibus Final Rule took effect, or it must incorporate a variety of controls and security measures to meet the requirements of the HIPAA Security Rule.

As is the case with SMS, faxing and email, Google Voice is not classed as a conduit, which means that for Google Voice to be HIPAA compliant, the service would have to fulfil the obligations of the HIPAA Security Rule.

There must be access and authentication controls, audit controls, integrity controls and transmission security in place for messages sent through the service. Google would also need to guarantee that any data held on its servers are safeguarded to the standards required by HIPAA. HIPAA-covered entities would also need to be given satisfactory assurances that this is the case, in the form of a HIPAA-compliant business associate agreement (BAA).

Therefore, before Google Voice could be used with any protected health information, the covered entity must sign a BAA with Google.

Google is keen to help healthcare organizations use its services and is happy to sign a business associate agreement for G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend that companies use its free consumer services for business purposes, as they were created with consumers’ personal use in mind.

Google Voice is a consumer service and is not part of G Suite, Google Apps, or Google Cloud, nor is it included in a BAA.

Google Voice cannot be considered HIPAA compliant, and this will remain the case until Google releases a version of Google Voice for companies and incorporates it in its business associate agreement. Until then, it should not be used by healthcare organizations or healthcare workers in a professional capacity.

Using Google Voice with any protected health information would currently be a violation of HIPAA regulations.