Is Google Hangouts HIPAA compliant?

Google Hangouts is a video chat, instant messaging, and voice call service offered by Google. Is it compliant with the Health Insurance Portability and Accountability Act (HIPAA), and can it be used by organizations that are HIPAA-covered entities?

What is Google Hangouts?

Google Hangouts was first released in 2013, mainly as a video chat platform, and has since evolved by integrating and adding other services, such as the Google+ Messenger known as Huddle. Google is placing Hangouts at the heart of its offering for enterprises and organizations, and has stated that it will further develop the product to meet the needs of corporate and business users. This will be done by dividing user groups between two iterations of the service: Hangouts Chat and Hangouts Meet. Google has also signalled that it will phase out some earlier versions of Hangouts while moving corporate clients and enterprise G Suite subscribers to the revamped services.

What does Google’s BAA cover?

Essential to a HIPAA-covered entity's ability to use a service in compliance with the Act is a suitable Business Associate Agreement (BAA). Google will enter into a BAA with customers for its G Suite service, which covers a number of Google services, such as:

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (If applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

Google Hangouts, as we can see, is included in this list. Notably absent are some widely used Google services such as Google Groups, Google Contacts, and Google+. As a result, none of those tools can be used by HIPAA-covered entities to store, share, edit or otherwise handle protected health information (PHI). Other Google services not covered by the BAA include perhaps its best-known consumer products: YouTube and Google Photos.

Once a BAA is in place between Google and the HIPAA-covered entity covering the listed components of Google Hangouts, the first hurdle to HIPAA compliance is cleared. However, this does not mean that all usage of Hangouts is now HIPAA compliant. The BAA offered by Google covers only what the list above names: the Hangouts chat messaging platform and the separate Hangouts Meet service. It does not include the voice call function, the video chat feature, or the SMS messaging element of classic Hangouts, so PHI must not be communicated through those features.

Other aspects to consider

Equally essential to the correct use of Google Hangouts under the HIPAA Rules are the policies and procedures put in place by the HIPAA-covered entity. Those policies and procedures are only useful if the employees who use Google Hangouts with PHI are aware of them and well versed in how they work; a robust training program is therefore crucial.

As with many elements of HIPAA, the human factor is a source of risk for covered entities. Violations may occur accidentally, maliciously, or simply through lack of knowledge. In addition, username and password combinations can be cracked, and laptops and mobile devices can be stolen, potentially exposing PHI to unauthorized parties. HIPAA-covered entities must ensure they have contingencies in place to deal with such occurrences, including how compromised credentials and lost devices are reported and handled.