Google Meet, a popular videoconferencing service, is a versatile option that has gained traction across various industries. However, when it comes to healthcare, this question arises: Is Google Meet HIPAA-compliant?
Let’s explore the conditions under which Google Meet can be considered HIPAA-compliant and why meeting these conditions is important.
The Importance of HIPAA Compliance in Telehealth
HIPAA compliance is crucial in telehealth and healthcare communications because it safeguards patients’ sensitive health information. Contrary to a common misconception, exchanging electronic PHI (ePHI) directly between healthcare professionals and patients does not by itself make the exchange compliant. Unencrypted or improperly secured communication channels can lead to ePHI breaches, so adopting a secure teleconferencing solution is essential.
Merely adopting HIPAA-compliant technology is not enough on its own, however. Communications software and tools must employ robust security protocols and privacy practices, and healthcare teleconferencing solutions must implement the technical safeguards required by the HIPAA Security Rule.
Now, what about Google Meet? Does it meet the necessary security and privacy requirements for healthcare teleconferencing?
Is Google Meet HIPAA-Compliant?
Yes, Google Meet can be considered HIPAA-compliant, provided it meets the specific requirements to handle protected health information (PHI).
Here are the key requirements:
Sign a Business Associate Addendum (BAA)
Before using Google Meet for healthcare purposes, healthcare providers must subscribe to a Business Google Workspace or Cloud Identity account and sign Google’s Business Associate Addendum (BAA). This agreement outlines the responsibilities of both parties and specifies which Google services can be used in compliance with HIPAA.
Configure Google Meet for HIPAA compliance
Signing the BAA is not enough to achieve HIPAA compliance. System administrators must configure Google Meet to support compliance. For instance, Meet should be set as the default videoconferencing service to prevent non-compliant use of Hangouts. Also, additional steps may be needed to ensure privacy, such as making invites private to hide any PHI.
Implement access controls and conduct training
Healthcare organizations should implement policies on how to use Google Meet in compliance with HIPAA. This includes training staff members on the organization’s security protocols and ensuring only authorized users can access the platform. Monitoring all Google Meet activities and communications is necessary to minimize the risk of PHI breaches.
Risks in Using Google Meet for Healthcare
Compliance risks associated with using Google Meet include potential Admin misconfigurations that may inadvertently expose PHI to unauthorized individuals, users sharing screens containing PHI with unauthorized parties, and the inadvertent disclosure of more PHI than required. To mitigate these risks, follow these practices:
- Admins should know which settings are correct and apply them.
- Users must receive training so they do not share screens during non-private Meet sessions or disclose more PHI than necessary.
- Ensure that no Meet session includes PHI in its title.
Best Practices for Google Meet Compliance with HIPAA
Using Google Meet for telehealth and secure communication in a HIPAA-compliant way means following best practices that align with the Health Insurance Portability and Accountability Act (HIPAA).
Here are key recommendations to optimize your use of Google Meet for HIPAA compliance:
Record meetings securely
Recording Meet meetings is not a HIPAA violation if the recordings are stored in a Google Drive account covered by the Google Workspace BAA and configured to comply with HIPAA. However, it’s essential to note that only Google Workspace Enterprise accounts support compliant recording. Avoid recording Meet meetings using third-party apps or free Google accounts, as doing so could breach HIPAA regulations.
Review Google’s BAA
Examine Google’s Business Associate Addendum (BAA) in your Admin Console carefully. Accept the BAA only if you are willing to adhere to the terms and conditions written in the agreement.
Ensure compliance of third-party apps
It’s essential to recognize that the Google Workspace BAA does not cover third-party applications since Google lacks control over the security settings of such applications.
If your organization intends to use third-party apps within the Google Workspace BAA framework, your organization should establish a separate BAA with the application vendor. Moreover, know that only the apps listed in Google’s HIPAA Included Functionality are covered by the BAA.
The BAA does not cover additional Google services such as YouTube and Blogger. You can read more about this in Google’s documentation on HIPAA Compliance with Google Workspace and Cloud Identity.
Avoid using Google Meet’s free version
It’s important to note that the free version of Google Meet lacks the safeguards necessary to comply with the HIPAA Security Rule. Google also does not offer a BAA for free versions of its services. Consequently, therapists and other healthcare professionals should refrain from using the free version for telehealth consultations.
Google Meet HIPAA Compliance: How to Know if It’s Right for You
To determine if Google Meet is the suitable HIPAA-compliant videoconferencing service for your organization, consider the following steps:
- Use the 14-day Google Workspace trial period to test the service and become familiar with its settings.
- Identify possible challenges with compliance before using Google Meet with PHI.
- Test and compare other HIPAA-compliant teleconferencing services.
By adhering to these best practices, your organization can achieve Google Meet compliance with HIPAA, ensuring the secure handling of sensitive healthcare data.