The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Google Meet HIPAA Compliant?

Google Meet is HIPAA compliant and can be used for creating, receiving, or transmitting electronic PHI provided the service is used as part of a Google Workspace Business Plan with features that support HIPAA compliance and that provides a Business Associate Addendum. Thereafter, it is important the service is configured to be used in compliance with HIPAA and that workforce members are trained on how to use Google Meet compliantly.

Google Meet is an advanced VoIP and videoconferencing service that can be used by healthcare providers to provide telehealth services, remote consultations, and virtual patient visits. It is rapidly becoming the go-to videoconferencing service for organizations in all industries due to its integrations with other productivity tools in the Google Workspace Suite. However, if the service is used by healthcare providers to communicate Protected Health Information, certain measures must be put in place to make Google Meet HIPAA compliant.

First of all, before Google Meet is used to collect, share, or transmit Protected Health Information, a healthcare provider must subscribe to a Google Workspace Business Plan or Cloud Identity account and agree to Google's Business Associate Addendum. The Addendum provides information about which of Google's services can be used in compliance with HIPAA and what the customers' obligations are.

The BAA Alone Does Not Make Google Meet HIPAA Compliant

However, signing the Business Associate Addendum does not – by itself – make Google Meet HIPAA compliant. System administrators have to configure the service to support compliance – for example, by making Meet the default videoconferencing service in the organization to prevent workstations prompting calls via Hangouts, which is not HIPAA compliant when used in video mode.

It may also be necessary to make all Google Meet invites private in order to mask any PHI mentioned in the invites (i.e., patients' names) and to control access to recordings of Meet videos, which are saved to Google Drive by default. It will certainly be necessary to develop policies on how to use Google Meet in compliance with HIPAA and train members of the workforce on the policies.

To help healthcare providers and their business associates use Google Meet in compliance with HIPAA, Google recently updated its Workspace and Cloud Identity Implementation Guide. The Guide provides advice not only on how to make Google Meet HIPAA compliant, but also on all the services in Google Workspace and Cloud Identity accounts that are covered by the Business Associate Addendum.

Why HIPAA Compliance Matters in Telehealth

It has been claimed that healthcare professionals often mistakenly believe that communicating ePHI via any communication channel is in compliance with HIPAA when the communication is directly between a healthcare professional and a patient. This is not true, and there are many examples of unencrypted communications being intercepted or accessed impermissibly.

It is important that covered entities and business associates implement a secure and HIPAA compliant solution such as Google Meet when providing telehealth services. However, it is equally important that the solution is configured to comply with the Technical Safeguards of the Security Rule, that only authorized users have access to the solution, and that a system of monitoring Google Meet communications is implemented to prevent accidental or malicious breaches of ePHI.

Is Google Meet HIPAA Compliant? FAQs

Is recording Meet meetings a violation of HIPAA?

Recording Meet meetings is not a violation of HIPAA if the recordings are stored in a Google Drive account that has been configured to comply with the Security Rule and that is also covered by the Google Workspace BAA. Please note, the facility to record Meet meetings compliantly is only available through Google Workspace Enterprise accounts. Attempting to record a Meet meeting via any other means or any other type of account may result in a HIPAA violation.

How can I review Google’s Business Associate Addendum?

To review Google’s Business Associate Addendum, log into the Google Admin console using an account with super administrator privileges. From the menu in the Admin console, go to Account > Account Settings > Legal and Compliance. Then go to the Security and Privacy Additional terms section and click on Google Workspace HIPAA Business Associate Addendum.

Once you have reviewed the Addendum, you can escape from the page or click on the Review and Accept button if you are ready to accept the Addendum. To finalize the process, Google will ask three questions to confirm your organization is required to comply with HIPAA. When you have answered the questions, click OK to accept the Business Associate Addendum.

Are third party applications covered by the Google Workspace BAA?

Third party applications are not covered by the Google Workspace BAA because Google has no control over the security settings of third party applications. If an organization wishes to use a third party application within a Google Workspace BAA, the organization will have to enter into a separate BAA with the application vendor and take responsibility for configuring the application compliantly.

What are the compliance risks of using Google Meet?

The compliance risks of using Google Meet are that Admin misconfigurations can inadvertently disclose PHI to unauthorized persons, users can share screens containing PHI with unauthorized persons, and users can disclose more PHI than the minimum necessary. To mitigate these risks, it is important Admins are aware of the correct settings to use and that users are trained to avoid sharing screens in non-private Meets and disclosing more than the minimum necessary PHI. It is also a best practice that Meets do not include PHI in their titles.

Can I use the free version of Google Meet for telehealth consultations?

You cannot use the free version of Google Meet for telehealth consultations if you are a HIPAA covered entity because the free version of Google Meet lacks the safeguards to comply with the Security Rule, and because Google will not enter into a Business Associate Addendum for free versions of its services.

Patients can use the free version of Google Meet for telehealth consultations. However, it is best to first obtain each patient’s consent for conducting telehealth consultations via Google Meet. This will not only give you an opportunity to explain to a patient how to enter a Google Meet call, but also to warn them to take the meeting in a private space to avoid the conversation being overheard.

How can I tell if Google Meet is the right HIPAA compliant videoconferencing service for my organization?

The best way to tell if Google Meet is the right HIPAA compliant videoconferencing service for your organization is to register for a Google Workspace free trial (if your organization is not already a Workspace Enterprise customer). This will give you fourteen days to learn how the settings should be configured, enable users to become familiar with using the platform, test run the service, and identify compliance challenges before using Google Meet with “live” PHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
