Is Google Meet HIPAA Compliant?
In today’s virtual environment, it is important to be mindful and understand privacy settings and requirements when communicating with other employees, other businesses, and clients.
For those in the medical field, bound by the Health Insurance Portability and Accountability Act, more commonly referred to as HIPAA, it is absolutely critical.
In today's article I'll explain whether or not you can use Google Meet for video conferencing and telehealth appointments while maintaining HIPAA compliance, and I'll explain what settings you need to pay attention to in order to maintain your compliance.
Let's get right to the main reason you're here:
Can a Medical Provider Use Google Meet?
Yes, professionals who must follow HIPAA regulations, such as medical and healthcare providers, can use Google Meet to communicate with clients and patients and to discuss protected health information. You will have to do a little bit of fine-tuning to your settings to be fully HIPAA compliant with Google Meet, and we'll discuss that in this article.
Google Meet Setup for HIPAA
In order to use Google Meet while meeting all of HIPAA's requirements for protecting private information, you must start by having a Business Associate Addendum (BAA) signed between yourself as the user and Google. Without this signed agreement on file, you are not able to use Google's products and services with protected health information.
A big part of using Google Workspace, Google Meet, or other Google products and services for those who must follow HIPAA regulations is organizing your stored data and setting up meetings and calls.
In order to use Google Meet in your workplace, you should first make it the default video meeting option. You can do this in the Meet Settings menu of your administrator console. This is important because without setting Meet as your default, your computer will prompt calls via Google Hangouts, which is not HIPAA compliant when used in video mode. In the administrator console, you can also allow meeting owners to record their Google Meets.
Meet applies additional security measures, such as randomizing meeting identifiers and dial-in details. To be HIPAA compliant, you can make the Google Meet invite private. This will mask any potential PHI in the invite, which is sent to the invitees' Google Calendars. The administrator can also make Google Meet invites display as "busy" time on a calendar rather than publicly including detailed information about the meeting.
It is important to note that the responsibility for making sure that all required paperwork is signed and that information is stored correctly falls on the user. As the professional responsible for meeting HIPAA requirements, you should make sure that you are using Google’s tools appropriately and correctly.
HIPAA and Google Products
As more healthcare providers and individuals turn to telemedicine and online platforms to communicate about healthcare needs, many wonder whether Google products can be used to keep information and communication private and secure. Fortunately, HIPAA and Google products, such as Google Meet, can work well together if some key security features are in place.
It is important to understand what kind of information is protected under HIPAA and the steps that healthcare providers and organizations must take to ensure they are in compliance with this important law.
The two main sections of HIPAA include the HIPAA Privacy Rule and the HIPAA Security Rule. It is the responsibility of the healthcare professional to keep information private and secure, which is especially critical when using online tools such as Google Meet.
Protected Health Information, PHI, refers to the type of medical information that is covered under HIPAA. When PHI is discussed or stored digitally, it is often called electronic PHI, e-PHI. According to HIPAA, the four main requirements of the HIPAA Security Rule that those using online platforms must follow are:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce
In order to use Google Meet, your workplace must be taking appropriate security measures to protect PHI in both stored documents and communication.
What Counts as Protected Health Information under HIPAA?
Protected Health Information, PHI, is not specific to Google Meet, Google Workspace, or any other online platform. PHI refers to the healthcare information that professionals must keep private and secure whether they are using it electronically or discussing it in the office.
While the list of covered PHI is long, many of the common types of documents and information include:
- Patient claims
- Patient inquiries
- Referral authorization requests
- Patient’s past, present, or future medical condition
- Payment information
- Identifying patient information
HIPAA is not meant to restrict communication among a team of healthcare providers or between a provider and patient. Rather, the regulations are designed to keep communication and other information private and secure.
Those professionals who need access to the information to provide top quality care to a patient, including diagnosis, treatment, and administrative support such as billing, can have access to PHI under HIPAA.
Google allows healthcare providers and professionals to use a variety of Google services that are HIPAA compliant. This can improve the quality and efficiency of patient care, especially in situations where telemedicine is a good option for treatment and follow-up care. These include:
- Drive (including Google Docs, Sheets, Slides, and Forms)
- Hangouts Chat Messaging feature
- Hangouts Meet
- Cloud Search
- Google Voice (in some cases)
- Cloud Identity Management
Your IT department has to follow Google’s security protocols to make sure that all protected health information is secure when using Google’s products and any other cloud-based services. As a reminder, your organization must first have a BAA on file with Google.
Protected health information cannot be used or stored in Google Contacts or Google+. These products are not HIPAA compliant. Users with access to PHI can still use them but must be careful not to copy PHI over from another source where it is allowed to be stored.
There are a few third-party applications that must be disabled in order for PHI to be stored within the system. These include YouTube, Blogger, and Google Photos, among others. It is possible to have a separate BAA covering these applications that will allow PHI to be stored there, but that agreement is separate from the BAA with Google for its Google Workspace products.
Who Has Access to PHI in Google?
The organization’s administrator can restrict which users have access to PHI, even if it is allowed within the organization and they have a BAA signed and on file with Google.
The administrator can also monitor user activity, including suspicious activity or unauthorized sharing of PHI.
It is important to establish and follow periodic reviews to make sure that all PHI is appropriately protected and monitored within your workplace. Google's administrator function makes it easy to do this using Google Workspace's tools.
HIPAA Compliant Google Meet
Once you have the appropriate security measures in place for your Google Workspace, you can use Google Meet to communicate within your organization and with patients to provide healthcare and remain in compliance with all HIPAA regulations.
If you'd like help setting up Google Meet for your office or would like to speak with us about Google's full cloud-based productivity and collaboration suite, contact us. As a Google Cloud Premium Partner, Suitebriar's team of certified experts are ready to help you leverage the power of the cloud at your business.