Google Calendar HIPAA Compliant: Security Features
When determining if Google Calendar is HIPAA compliant, the first step is to conduct a risk analysis. A risk analysis identifies any potential risks that arise when using Google Calendar in conjunction with electronic protected health information (ePHI). If there are risks identified by conducting a risk analysis, before using Google Calendar with PHI, risks must be addressed with remediation efforts.
It is also essential to implement audit and access controls within the platform before using Google Calendar for scheduling patient appointments.
◈ Access controls. As part of HIPAA requirements, access to PHI must be limited to only those that need access to perform a specific job function. As such, access controls must be implemented to ensure adherence to this standard. Access controls designate different levels of access to PHI to employees based on their job function. Google Calendar enables access controls; however, the feature must be activated.
◈ Audit logs. To ensure that access to PHI is in accordance with HIPAA standards, it is important to track access to PHI with audit logs. Audit logs keep a detailed account of who accesses PHI, what information they access, and how long they accessed it for.
Google Calendar HIPAA Compliant: Business Associate Agreement
Business associate agreements (BAAs) are legal documents that dictate the safeguards business associates are required to have in place to secure the PHI they receive, transmit, store, or maintain on your behalf. BAAs must be signed with all of your business associates before you share PHI with them. Google is willing to sign a BAA with users of their paid service, but not for users with their free service.
Google’s BAA covers:
◈ G Suite (including Google Calendar)
◈ Google Drive
◈ Chat messaging feature of Google Hangouts
◈ Hangouts Meet
◈ Google Keep
◈ Google Cloud Search
◈ Google Sites
◈ Google Vault services
Is Google Calendar HIPAA Compliant?
Yes, provided that Google Calendar is properly used, access controls are enabled, and you have a signed business associate agreement, Google Calendar is HIPAA compliant. However, since Google is only willing to sign a business associate agreement for users with paid accounts, the free version of Google Calendar is NOT HIPAA compliant.