Google Meet is an advanced VoIP and videoconferencing service that can be used by healthcare providers to provide telehealth services, remote consultations, and virtual patient visits. But is Google Meet HIPAA compliant?
Google Meet is rapidly becoming the go-to videoconferencing service for organizations in all industries due to its integrations with other productivity tools in the Google Workspace Suite. However, if the service is used by healthcare providers to communicate Protected Health Information, certain measures must be put in place to make Google Meet HIPAA compliant.
First of all, before Google Meet is used to collect, share, or transmit Protected Health Information, a healthcare provider must subscribe to a Business Google Workspace or Cloud Identity account and sign Google's Business Associate Addendum. The Addendum provides information about which of Google's services can be used in compliance with HIPAA and what the customers' obligations are.
The BAA Alone Does Not Make Google Meet HIPAA Compliant
However, signing the Business Associate Addendum does not – by itself – make Google Meet HIPAA compliant. System administrators have to configure the service to support compliance – for example, by making Meet the default videoconferencing service in the organization to prevent workstations from prompting calls via Hangouts, which is not HIPAA compliant when used in video mode.
It may also be necessary to make all Google Meet invites private in order to mask any PHI mentioned in the invites (i.e., patients' names) and to control access to recordings of Meet videos, which are saved to Google Drive by default. It will certainly be necessary to develop policies on how to use Google Meet in compliance with HIPAA and train members of the workforce on the policies.
To help healthcare providers and their Business Associates use Google Meet in compliance with HIPAA, Google recently updated its Workspace and Cloud Identity Implementation Guide. The Guide provides advice not only on how to make Google Meet HIPAA compliant, but also on all the other Workspace and Cloud Identity services covered by the Business Associate Addendum.
Why HIPAA Compliance Matters in Telehealth
It has been claimed that healthcare professionals often mistakenly believe that communicating ePHI via any communication channel is in compliance with HIPAA when the communication is directly between a healthcare professional and a patient. This is not true, and there are many examples of unencrypted communications being intercepted or accessed impermissibly.
Consequently, it is important that Covered Entities and Business Associates implement a secure and HIPAA compliant solution such as Google Meet when providing telehealth services. However, it is equally important that the solution is configured to comply with the Technical Safeguards of the Security Rule, that only authorized users have access to the solution, and that a system for monitoring Google Meet communications is implemented to prevent accidental or malicious breaches of ePHI.