Is Google Hangouts HIPAA Compliant: Security Features
When determining whether or not software is HIPAA compliant, you must consider the security features offered by the product. As HIPAA requires you to maintain the confidentiality, integrity, and availability of protected health information (PHI), the security features must enable you to do so.
Are Google Hangouts’ security features adequate to secure PHI? In fact, is Google Hangouts secure? Yes, Hangouts is secure, but you must configure the platform to enable the features.
Google instructs,
“Hangouts Chat provides several options for Admins to control sharing PHI. Hangouts Chat can be enabled or disabled for everyone in the domain or selectively enabled for specific organizations. To enable the service for specific organizations, Admins can select the ‘ON for some organizations’ option which displays the Org Units to search and select. Note that cross domain and external communication is not supported in Hangouts Chat.”
Google also recommends creating a new room when adding multiple users to a chat, as new members can view previous chat history. In addition, PHI should not be contained in the name of the room.
Is Google Hangouts HIPAA Compliant: Business Associate Agreements
Even if a software provider has all of the required security features in place, if they are unwilling to sign a business associate agreement (BAA), they are not HIPAA compliant. Google is willing to sign a BAA; however, its BAA does not extend to all of its products. Google states on its website that its BAA covers the following products:
Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Meet, Google Voice (managed users only), Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.
Is Google Hangouts HIPAA Compliant?
Yes, Google Hangouts is HIPAA compliant. However, since Google’s BAA only covers the Google Hangouts chat feature, other features (video, audio) cannot be used in conjunction with PHI. For video or audio, healthcare organizations can use Hangouts Meet for HIPAA-compliant communications.