We often get asked by customers and prospects about Google Voice and their ability to use it in a HIPAA compliant manner. We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.
UPDATE: In April 2020, in connection with the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the Notification of Enforcement Discretion, which allows healthcare providers to use widely available communication apps, such as [name of the app], for telehealth services without the risk of incurring HIPAA fines. For more information, check out this recent Paubox blog post.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Citrix ShareFile
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Sheets
- Office 365
The purpose of this post is to determine if Google Voice offers HIPAA compliance or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Google Voice
Google Voice is a telephone service that provides call forwarding, voicemail, voice and text messaging. The service was launched in 2009, after Google acquired the service GrandCentral. Google Voice should not to be confused with Google Talk or Google Voice Search.
Google Voice and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We checked Google's site and found a Google Workspace Administrator Help article called HIPAA Compliance with Google Workspace. In the article, Google points out: "Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services." The Google Workspace Administrator Help article however, does not mention Google Voice as being covered under their BAA. In fact, Google Voice is not considered a part of Google Workspace. We then checked a Google Implementation Guide called HIPAA Compliance & Data Protection with Google Apps. We could not find a mention of Google Voice in that guide either. Google Voice is not considered a part of Google Apps either. Next, we checked the Google Cloud Platform and found a guide called HIPAA Compliance on Google Cloud Platform. There was no mention of Google Voice being covered under the Google Cloud BAA either. Google Voice is not a part of Google Cloud. SEE ALSO: Is Google Cloud HIPAA Compliant?
Does Google Voice Offer HIPAA Compliant Service?The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate. We determined that:
- Google Voice is not a part of Google Workspace.
- Google Voice is not a part of Google Apps either.
- Google Voice is also not part of Google Cloud.
Google Workspace, Google Apps, and Google Cloud are the Google platforms that offer BAAs. Since Google Voice is not a part of any of them, we conclude that Google Voice is not a service that's covered by Google for HIPAA Compliance.
Google Workspace email isn't HIPAA compliant out of the box.
Conclusion: Google Voice is not HIPAA Compliant.
Do not use Google Voice if you are bound by HIPAA regulations.