The Intersection of Google Voice and HIPAA Compliance: A Comprehensive Review


If you Google the phrase “Is Google Voice HIPAA-compliant?” (which, let’s admit, is probably how you landed here) you’ll find multiple sources stating that the paid version of Google Voice for Google Workspace (formerly G Suite) can be considered HIPAA-compliant and can be used by healthcare organizations in compliance with HIPAA regulations. That said, the free version of Google Voice is not HIPAA-compliant, for reasons that we will cover in this article, and using it for healthcare purposes will break HIPAA compliance. In a nutshell, to use Google Voice in a HIPAA-compliant way, users need to purchase a paid plan for Google Workspace, purchase Google Voice, and enact the Google Workspace Business Associate Agreement (BAA). But once you do all of that, there’s really no reason why you wouldn’t also closely review the alternatives, which may offer greater flexibility for you and your team, along with a more robust feature set designed for healthcare and able to keep pace with a growing practice.

How Is Google Voice Being Used in Telemedicine?

Google Voice is a VoIP provider that transmits phone calls through an internet connection. We quickly touched on the free version offered for personal Google accounts and the paid version available for Google Workspace accounts. While some businesses can enjoy the flexibility of a free account because they are not concerned with the constraints of HIPAA, healthcare organizations fall into a different bucket and must be careful with the plan that’s chosen. Certain healthcare providers can potentially benefit from Google Voice because of its affordability and common features such as unlimited calling, integration with Google Workspace, and voicemail message transcription. But there are a few critical components missing from the solution that may prove deal-breaking for many.

For starters, while the paid version offers a BAA, there is a carve-out that explains that the BAA does not cover the Google contact-book feature (“Google Contacts”). In other words, you should not store contacts in Google. Because of this, it might be tricky to store information that lets you know who is calling you, making it difficult to triage your calls. It might also prove hard to find or text a contact quickly or effectively if you need to manually match names and numbers each time you conduct outreach. You may also inadvertently call the wrong person—and all of these scenarios can be liabilities for your practice. Another key consideration for medical practices is how a potential phone system works in a team setting. Google Voice does not work well in team environments, as it does not allow you or your staff to collaborate around calls or SMS messages, such as by assigning incoming messages to different teammates, or to cover for each other easily when a teammate is out of office or with a patient.

Google Voice also does not offer a secure texting option, which is an important option to have in order to remain HIPAA-compliant when patients prefer not to use SMS messaging. While the Google Workspace BAA covers Gmail, that coverage does not extend to emails when they leave the Google domain; general email messages are not inherently secure, and Google’s implementation of email is not intended to be “secure” email. With a solution like Spruce, which is designed specifically for healthcare, you can send both secure and standard messages and ultimately adhere to the communication style that your patients prefer—all while remaining compliant. The above is merely food for thought as we delve deeper into the subject.

Main Benefits of Using Google Voice in Telemedicine

Using Google Voice for telemedicine can provide several benefits, including:

Cost-Effectiveness

Google Voice is a cost-effective communication solution for healthcare providers, offering basic services at a low entry point. Notably, however, the price of Google Workspace and its business phone service is not typically lower than many phone-system alternatives (yes, including Spruce).

Transcription Services

Google Voice can transcribe voicemail messages, which makes it easier to sort information. While useful, this feature is becoming more common on phone-service providers in general.

Call Forwarding

Google Voice offers call forwarding in a limited capacity, which may suit smaller practices or solo providers.

Integration With Personal Devices

Healthcare professionals can use their personal devices to take business calls when out of office, and their Google Voice number can be active during working hours but silenced after working hours by integrating with Google Calendar.

Main Downsides of Using Google Voice in Telemedicine

Like anything in life, there are downsides to choosing a mass-market offering that was not designed specifically for your field or profession. While Google Voice has its advantages, it has limitations when used in telemedicine. It’s crucial for healthcare providers to fully understand the shortcomings before integrating Google Voice into their workflow. Understanding the challenges will help shape an informed decision and equip providers with the necessary foresight to develop strategies to address potential issues. Here are some of the main downsides of using Google Voice in telemedicine, or in other aspects of a medical practice.

Lack of Medical Focus

Google is a broad product built for “every business” and has not been designed for healthcare workflows specifically. As such, there is no integration with electronic health records (EHRs), and it is not easy to copy/paste/transfer content to medical records. Google Voice is also missing adjacent features that many practices might find useful to have in a medical-communications product, such as faxing, secure messaging, work assignment, individual and team inboxes, auto-replies and automations, and other similarly modern advancements.

Security and Privacy Concerns

Google Voice is part of the Google Suite, and many people believe that if they sign a BAA for one component of the Suite, it will cover all of the tools, but that simply isn’t true. The onus is on the user to ensure complete compliance.

Limited Technical Support

With Google Voice, there is no in-app messaging to contact support, users are unable to email anyone at Google when issues arise, there are no demos or onboarding services, and no live technical troubleshooting. Help comes in the form of help articles and community forums that users must dig through to ferret out the answers to essential questions. 

Why Is HIPAA Compliance Important?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law that aims to protect sensitive patient health information. HIPAA regulations represent a set of guidelines and standards that covered entities and their business associates must follow to protect the privacy and security of protected health information (PHI). These regulations include the Privacy Rule, which protects the privacy of individually identifiable health information, and the Security Rule, which sets national standards to protect electronic protected health information (e-PHI). We recently wrote an article on HIPAA violation consequences, and it’s worth a read if you’d like to dig in deeper on the subject. Simply put, if you violate HIPAA, you run the risk of fines, jail time, and losing your practice altogether.

Google Voice Security Features

Google Voice offers several security features, such as access controls, limited audit controls, user authentication, and encryption—all aimed at safeguarding PHI. However, the software’s HIPAA compliance depends largely on how end-users utilize these features, and because Google Voice is not specific to medicine, the product does not guide users toward compliance. Like anything, it’s best to lean on solutions that eliminate the guesswork and make it easier for you and staff to adhere without second guessing every fax that’s sent, every voicemail that’s left, and every text message that’s deployed. 

What Is a Business Associate Agreement?

At heart, the BAA requirement under HIPAA is simple for care providers: every covered entity must have a written agreement with each of its business associates, or else it is not compliant with HIPAA regulations. That summation is succinct, and we have dedicated an entire article to the subject. That said, every BAA should contain certain basic elements, and the major focus of the requirements is to make it explicit that a business associate is just as beholden to HIPAA as is a covered entity, and the totality of the requirements functions as a blueprint that essentially every BAA should follow. Net net, up-to-date and complete business associate agreements are vital to every healthcare organization’s HIPAA compliance plan. If a company will not enact an appropriate BAA with your organization, then you should not trust them with your patients’ PHI. It’s that simple and also that important.

Main Steps to Comply with HIPAA While Using Google Voice

Sign a BAA With Google 

Ensure that you have enacted a BAA with Google before using Google Voice or any other Google service for PHI or other healthcare purposes.

Sign Up for a Google Workspace Account

You must have a Google Workspace account to use Google Voice in a HIPAA-compliant manner.

Log Into Your Google Workspace Account

After signing up for Google Workspace, access your account to proceed with compliance settings, including the key ones that we’ll discuss next.

Select Legal and Compliance Option

In your account settings, select the legal and compliance option to access the specifics of HIPAA compliance.

Find Security and Additional Privacy Terms

Navigate through the account settings to find the section outlining the additional terms for security and privacy.

Accept the Cloud Identity HIPAA Business Associate Agreement

Google provides a specific “Google Workspace/Cloud Identity HIPAA Business Associate Amendment”. Ensure you review and accept these terms.

Answer Questions During This Process

Google will show a pop-up window with some straightforward questions you have to answer before you accept the conditions and finish the setup.

Can We Say That Google Voice Is HIPAA-Compliant?

Google Voice, in its standard form, is very unlikely to be HIPAA-compliant. However, Google will sign a BAA with their Google Voice for Google Workspace customers, thereby making it possible to use the service in a HIPAA-compliant way—though, as always, compliance depends on how exactly a tool is used. It’s crucial, however, to understand that the free version of Google Voice is not covered under a BAA and is hence much more difficult, if not impossible, to use in a HIPAA-compliant way. It’s equally crucial to understand that even with the paid plan and its BAA in place, there still remains a fair amount of responsibility that rests on the user to ensure compliance.            

Final Thoughts

While Google Voice for business may feel like an easy answer to those who are already leveraging Google Workspace, it’s important and actually downright critical to think through your use cases before signing on. How do you intend to use the service? Are you a small practice or solo provider that can think through the necessary requirements of remaining HIPAA-compliant within a squishy environment that puts the onus on the user to “get it right”? It will be nearly impossible to ensure a wider team is following the guidelines in a loose and uncontrollable environment. You may be considering Google Voice because of its pricing (the Standard plan comes in at $20 per user per month while the Premier plan will set you back $30 per user per month).

Simply put, there are stronger options on the market, at a similar price point, that are dedicated to the medical space and designed for those eager to comply with HIPAA. Spruce has a standard plan for $24 per user per month, and our product has been built from the ground up for simple HIPAA compliance, including an automatic BAA. Beyond the compliance basics, Spruce is an advanced medical communication system that powers far more than just your phone system, including secure app-based messaging, team chat, faxing, and video telemedicine. Spruce also includes team organization and practice administration tools, user access controls, contact and patient list management, and clinical questionnaires, to name just a few of the standout features that enable healthcare workers to focus on what matters—safely, efficiently, and effectively taking care of the patient.

FAQ Section

How are Google Voice and Spruce Health different?

For starters, Google Voice does not offer eFax. Fax is a fairly essential part of the healthcare world and is not going anywhere, anytime soon. Google separates phone, voice, and text, and Spruce consolidates them for a holistic view of the patient. Spruce also offers text-based autoresponders, missed-call auto-text-backs, and welcome-message automations, and these are not something that Google Voice offers at this time. Google limits the number of rings to your phone, which can contribute to missed calls and lead to backlash. Spruce allows you to transfer your existing phone numbers into (and out of) our system for free, but Google charges for this service, which can add up over time. But most importantly, Google Voice and Spruce Health are firmly planted in two very different camps when it comes to privacy and security, and in healthcare, that is not something that can be negotiated.

Can I use the free version of Google Voice for patient communication? 

No. The free version of Google Voice does not comply with HIPAA standards, as Google does not provide a Business Associate Agreement (BAA). You should only use the paid version of Google Voice in Google Workspace for PHI communication.

Are Google Voice’s voicemail transcription services HIPAA-compliant? 

Yes, but only for the paid version of Google Workspace, provided a Business Associate Agreement (BAA) is signed with Google. The free version of Google Voice does not offer HIPAA-compliant voicemail transcription services. In fact, storing PHI-containing voicemails on Google Voice without a BAA would almost certainly qualify as mishandling ePHI, which would be a significant misstep under HIPAA.

How does Google Voice handle data encryption for HIPAA compliance? 

Google Voice encrypts all data in transit and at rest, a key requirement for HIPAA compliance. However, to fully meet HIPAA standards, you must use Google Voice for Google Workspace, and a BAA must be in place.

Can I use Google Voice for telehealth appointments? 

Yes, you can use Google Voice to schedule and manage telehealth appointments, if you are using the paid Google Workspace version and have a signed BAA with Google.

Are there alternatives to Google Voice that are HIPAA-compliant? 

Yes, numerous other telecommunication services are HIPAA-compliant. However, their compliance typically also relies on having a signed BAA. Some alternatives include Spruce Health, RingCentral, Zoom for Healthcare, and Skype for Business. Always verify HIPAA compliance before adopting a new service.
