Many different medical facilities have expressed a desire to begin using Google Meet for telemedicine. One of their first questions is “is Google Meet HIPAA compliant?”
Yes, professionals who are subject to HIPAA rules, such as doctors and healthcare providers, are permitted to communicate with clients and patients using Google Meet to discuss personal health information.
When communicating with coworkers, partners in other companies, and customers in today’s virtual world, it’s critical to be aware of privacy settings and requirements.
This is especially crucial for those working in the medical field who are governed by the Health Insurance Portability and Accountability Act, or HIPAA for short.
This article will examine Google Workspace, answer frequently asked questions about Google Meet, and provide a brief comparison of alternative telemedicine and teleconferencing services.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law passed in 1996 with the intention of defending patients in the medical field. It is a privacy law that safeguards private information, including health-related data. By establishing national standards, HIPAA forbids organizations from sharing patient information without the patient's knowledge or permission.
One of the cornerstones of privacy in the US healthcare sector, it is a crucial law.
Any company must be HIPAA compliant to handle patient information, and this includes when using any apps or services. This presented fresh difficulties for healthcare organizations operating during the COVID-19 Pandemic (when telehealth became so crucial). Some people found it difficult to determine which telehealth applications and services could be in compliance with the 1996 HIPAA act.
All American health organizations, as well as foreign businesses doing business in the United States, must comply with HIPAA.
Is Google Meet HIPAA Compliant?
Yes and no are both correct responses. Although Google has made the necessary preparations to ensure that Google Workspace, including Meet, complies with HIPAA regulations, the Business Associate Agreement (BAA) is not automatically in place. Instead, when a company begins using Workspace for its medical practice, it must sign the agreement itself. Once the BAA is signed, Google Meet and the other apps in Google Workspace will adhere to HIPAA regulations.
Doing this is easy:
- Head to admin.google.com and log into your Workspace admin account (or create one if you don’t have one yet)
- Navigate to your profile and click “Show more”
- Click “Legal and Compliance”
- Find “Security and Privacy Additional Terms”
- Review the information and click to accept “Workspace / Cloud Identity HIPAA Business Associate Agreement”
- There will be a pop-up with questions that you must respond to. Click “Accept” when you’re finished.
With the BAA accepted, your Google Workspace account is now HIPAA-compliant, so you’re good to go. That means Google Meet and all other apps you use as part of Google Workspace’s ecosystem will follow privacy laws.
Perhaps the most important thing to remember is that not following the steps above will mean your Workspace account is not compliant with HIPAA, so it’s an important step to take if you handle any sensitive patient files or communication in the tools that come with your license for Google Workspace.
The Google Meet version that is offered in Workspace is another area that could cause confusion. Google Meet for Workspace is actually the same as the version of the app that is freely downloadable without a Workspace account. It is worth noting that the free version of Google Meet is not compliant with HIPAA. In other words, you must sign up and have a paid Workspace account to be HIPAA compliant in Google Meet.
Google Meet Setup for HIPAA
You must first sign a Business Associate Addendum (BAA) between yourself as the user and Google in order to use Google Meet and adhere to all HIPAA-required protocols for protecting private information. You cannot use any Google products or services that involve protected health information unless this signed agreement is on record.
For those who must adhere to HIPAA regulations, organizing your stored data and scheduling meetings and calls are important aspects of using Google Workspace, Google Meet, or other Google products and services.
To use Google Meet at work, you must first set it as the default video meeting option. You can do this in the Meet Settings menu of your administrator console. This is crucial because, when using Google Hangouts in video mode, Meet will not be HIPAA compliant if Meet is not set as your default call provider on your computer. In administrator mode, you can also permit meeting hosts to record their Google Meets.
The meeting identifiers and dial-in information are randomly generated as part of Meet’s higher security standards. You can set the Google Meet invite’s privacy setting to comply with HIPAA. Any potential PHI in the invitation will be concealed when it is sent to the invitees’ Google Calendars. The administrator can also make Google Meet invites display as “busy” time on a calendar rather than including detailed information publicly about the meeting.
Note that it is the user’s responsibility to ensure that all necessary paperwork is signed and that information is stored properly. You should be careful how you use Google’s tools because you are the professional in charge of adhering to HIPAA regulations.
HIPAA and Google Products
As more healthcare providers and individuals consider telemedicine and turn to online platforms to discuss healthcare needs, many people are interested in whether Google products can be used to keep information and communication private and secure. Fortunately, if certain crucial security measures are in place, HIPAA and Google products, such as Google Meet, can coexist successfully.
HIPAA Requirements
Understanding what types of information are protected by HIPAA and the steps that healthcare organizations and providers must take to ensure compliance with this crucial law is important.
The HIPAA Privacy Rule and the HIPAA Security Rule are the two primary parts of HIPAA. When using online tools like Google Meet, it is especially important for healthcare professionals to keep information private and secure.
Medical data that is protected under HIPAA is referred to as PHI, or Protected Health Information. When PHI is discussed or stored digitally, the term e-PHI is frequently used. According to HIPAA, the four main parts of the HIPAA Security Rule that those using online platforms must follow are:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce
Google Meet can only be used in settings where appropriate security precautions are being taken to safeguard PHI in both stored documents and communication.
What Counts as Protected Health Information under HIPAA?
PHI, or protected health information, is generally used to refer to any type of personal information. PHI is the term used to describe the medical information that professionals are required to keep confidential and secure, whether they use it electronically or discuss it in person.
While the list of covered PHI is long, many of the common types of documents and information include:
- Patient claims
- Patient inquiries
- Referral authorization requests
- Patient’s past, present, or future medical condition
- Payment information
- Identifying patient information
HIPAA is not intended to obstruct communication between a group of healthcare professionals or between a healthcare provider and a patient. The laws instead aim to protect the security and privacy of communication and other types of information.
PHI under HIPAA is accessible to those professionals who require it to deliver high-quality patient care, including diagnosis, treatment, and administrative support like billing.
Google Security
Google makes a number of HIPAA-compliant Google interfaces available to healthcare providers and other professionals. This can enhance the effectiveness and quality of patient care, particularly when telemedicine is a viable option for treatment and follow-up care. These include:
- Gmail
- Calendar
- Drive (including Google Docs, Sheets, Slides, and Forms)
- Hangouts Chat Messaging feature
- Hangouts Meet
- Keep
- Cloud Search
- Google Voice (in some cases)
- Sites
- Groups
- Jamboard
- Cloud Identity Management
- Tasks
- Vault
To ensure the security of all protected health information when using Google’s products and any other cloud-based services, your IT department must adhere to Google’s security guidelines. As a reminder, Google must first have a BAA on file for your organization.
Neither Google Contacts nor Google+ allows the use or storage of protected health information. These products do not adhere to HIPAA regulations. Users who have access to PHI are still allowed to use them, but they must be careful not to copy PHI into them from a source where it is permitted to be stored.
A few third-party programs need to be disabled in order for PHI to be stored on the system. These include, among others, Google Photos, YouTube, and Blogger. With these applications, another BAA may be created that would permit PHI to be stored there. However, it is distinct from the BAA with Google for its products used in Google Workspace.
Why HIPAA Compliance Matters in Telehealth
It has been asserted that many healthcare professionals mistakenly think that sharing ePHI directly between a healthcare professional and a patient complies with HIPAA no matter which communication channel is used. Contrary to popular belief, unencrypted communications can frequently be unlawfully intercepted or accessed.
Therefore, when offering telehealth services, it’s crucial that Covered Entities and Business Associates implement a secure and HIPAA compliant solution like Google Meet. To prevent malicious or unintentional breaches of ePHI, it is equally crucial that the solution is set up to adhere to the Technical Safeguards of the Security Rule, that only authorized users have access to the solution, and that a system of monitoring Google Meet communications is put in place.
FAQs
Is Zoom HIPAA Compliant?
Yes, the Zoom Platform and Zoom Phone enable HIPAA compliance for covered entities.
Is FaceTime HIPAA Compliant?
FaceTime is not HIPAA compliant. There are other video calling services that are willing to sign a BAA if Apple is not.
Is Google Meet Free?
Anyone with a Google Account can create a video meeting, invite up to 100 participants, and meet for up to 60 minutes per meeting at no cost.
Final Words: HIPAA Compliant Google Meet
You can use Google Meet to communicate with patients and other members of your organization to deliver healthcare while remaining in compliance with all HIPAA regulations once you’ve put the necessary security measures in place for your Google Workspace.
Tech companies’ use of customer data is coming under increased scrutiny as privacy issues gain attention. Health organizations can demonstrate to patients and regulators that they are willing to meet privacy standards by signing a BAA and complying with HIPAA.
Having said that, simply declaring compliance does not guarantee that your business is abiding by all applicable laws. For this reason, training is a crucial supplement to HIPAA compliance.