{"id":3865,"date":"2023-07-26T15:56:32","date_gmt":"2023-07-26T22:56:32","guid":{"rendered":"https:\/\/sprucehealth.com\/blog\/?p=3865"},"modified":"2023-10-26T04:48:11","modified_gmt":"2023-10-26T11:48:11","slug":"the-intersection-of-google-voice-and-hipaa-compliance-a-comprehensive-review","status":"publish","type":"post","link":"https:\/\/sprucehealth.com\/blog\/the-intersection-of-google-voice-and-hipaa-compliance-a-comprehensive-review\/","title":{"rendered":"The Intersection of Google Voice and HIPAA Compliance: A Comprehensive Review"},"content":{"rendered":"\r\n<p><strong>IN THIS ARTICLE<\/strong><\/p>\r\n<ul>\r\n<li><a href=\"#Google-Use\">How Is Google Voice Being Used in Telemedicine?<\/a><\/li>\r\n<li><a href=\"#Main-Benefits\">Main Benefits of Using Google Voice in Telemedicine <\/a><\/li>\r\n<li><a href=\"#Main-Downsides\">Main Downsides of Using Google Voice in Telemedicine<\/a><\/li>\r\n<li><a href=\"#Why-Important\">Why Is HIPAA Compliance Important?<\/a><\/li>\r\n<li><a href=\"#Security-Features\">Google Voice Security Features<\/a><\/li>\r\n<li><a href=\"#BAA\">What Is a Business Associate Agreement?<\/a><\/li>\r\n<li><a href=\"#Compliance\">Main Steps to Comply with HIPAA While Using Google Voice<\/a><\/li>\r\n<li><a href=\"#Can-We-Say\">Can We Say That Google Voice Is HIPAA-Compliant?<\/a><\/li>\r\n<li><a href=\"#Thoughts\">Final Thoughts<\/a><\/li>\r\n<li><a href=\"#FAQ\">FAQ Section<\/a><\/li>\r\n<\/ul>\r\n<p><span style=\"font-weight: 400;\">If you Google the phrase \u201cIs Google Voice HIPAA-compliant?\u201d (which, let\u2019s admit, is probably how you landed here) you\u2019ll find that multiple sources cite the paid version of Google Voice for Google Workspace (formerly G Suite) can be considered HIPAA-compliant and can be used by healthcare organizations in <\/span><a href=\"https:\/\/www.hipaaexams.com\/blog\/google-voice-hipaa-compliant\"><span style=\"font-weight: 400;\">compliance with HIPAA regulations<\/span><\/a><span style=\"font-weight: 400;\">. <\/span><span style=\"font-weight: 400;\">That said, the free version of Google Voice is not HIPAA-compliant, for reasons that we will cover in this article, and using it for healthcare purposes will <\/span><a href=\"https:\/\/www.jotform.com\/blog\/is-google-voice-hipaa-compliant\/\"><span style=\"font-weight: 400;\">break HIPAA compliance<\/span><\/a><span style=\"font-weight: 400;\">. In a nutshell, to use Google Voice in a HIPAA-compliant way, users need to purchase a paid plan for Google Workspace, purchase Google Voice, and enact the Google Workspace <\/span><a href=\"https:\/\/www.jotform.com\/hipaa\/is-hipaa-compliant\/google-voice\/\"><span style=\"font-weight: 400;\">Business Associate Agreement (BAA)<\/span><\/a><span style=\"font-weight: 400;\">. But once you do all of that, there\u2019s really no reason why you wouldn\u2019t also closely review the alternatives, which may offer greater flexibility for you and your team, along with a more robust feature set designed for healthcare and able to keep pace with a growing practice.\u00a0<\/span><\/p>\r\n<h2 id=\"Google-Use\">How Is Google Voice Being Used in Telemedicine?<\/h2>\r\n<p><a href=\"https:\/\/www.hipaaexams.com\/blog\/google-voice-hipaa-compliant\"><span style=\"font-weight: 400;\">Google Voice is a VoIP provider<\/span><\/a><span style=\"font-weight: 400;\"> that transmits phone calls through an internet connection. We quickly touched on the free version offered for personal Google accounts and the paid version available for Google Workspace accounts. While some businesses can enjoy the flexibility of a free account because they are not concerned with the constraints of HIPAA, healthcare organizations fall into a different bucket and must be careful with the plan that\u2019s chosen. Certain healthcare providers can potentially benefit from Google Voice because of its affordability and common features such as unlimited calling, integration with Google Workspace, and voicemail message transcription. BUT, there are a few critical components missing from the solution that may prove deal-breaking for many.<\/span><\/p>\r\n<p><span style=\"font-weight: 400;\">For starters, while the paid version offers a BAA, there is a carve-out that explains that the BAA does not cover the Google contact-book feature (&#8220;Google Contacts&#8221;). In other words, you should not store contacts in Google. Because of this, it might be tricky to store information that lets you know who is calling you, making it difficult to triage your calls. It might also prove hard to find or text a contact quickly or effectively if you need to manually match names and numbers each time you conduct outreach. You may also inadvertently call the wrong person\u2014and all of these scenarios can be liabilities for your practice.<\/span> <span style=\"font-weight: 400;\">Another key consideration for medical practices is how a potential phone system works in a team setting. Google Voice does not work well in team environments, as it does not allow you or your staff to collaborate around calls or SMS messages, such as by assigning incoming messages to different teammates, or to cover for each other easily when a teammate is out of office or with a patient.<\/span><\/p>\r\n<p><span style=\"font-weight: 400;\">Google Voice also does not offer a secure texting option, which is an important option to have in order to remain HIPAA-compliant when patients prefer not to use SMS messaging. While the Google Workspace BAA covers GMail, <\/span><a href=\"https:\/\/sprucehealth.com\/blog\/bottom-line-hipaa-compliance-email\/\"><span style=\"font-weight: 400;\">that coverage does not extend to emails when they leave the Google domain<\/span><\/a><span style=\"font-weight: 400;\">; general email messages are not inherently secure, and Google&#8217;s implementation of email is not intended to be &#8220;secure&#8221; email.<\/span> <span style=\"font-weight: 400;\">With a solution like Spruce, which is designed specifically for healthcare, you can send both secure and standard messages and ultimately adhere to the\u00a0 communication style that your patients prefer\u2014all while remaining compliant.<\/span> <span style=\"font-weight: 400;\">The above is merely food for thought as we delve deeper into the subject.<\/span><\/p>\r\n<h2 id=\"Main-Benefits\">Main Benefits of Using Google Voice in Telemedicine<\/h2>\r\n<p><span style=\"font-weight: 400;\">Using Google Voice for telemedicine can provide several benefits, including:<\/span><\/p>\r\n<h3><b>Cost-Effectiveness<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google Voice is <\/span><span style=\"font-weight: 400;\">\u00a0a cost-effective communication solution for healthcare providers, offering basic services at a low entry point. Notably, however, the price of Google Workspace and its business phone service is not typically lower than many phone-system alternatives (yes, including Spruce).<\/span><\/p>\r\n<h3><b>Transcription Services<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google Voice can transcribe voicemail messages, which makes it easier to sort information. While useful, this feature is becoming more common on phone-service providers in general.<\/span><\/p>\r\n<h3><b>Call Forwarding<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google Voice offers call forwarding in a limited capacity, which may suit smaller practices or solo providers.<\/span><\/p>\r\n<h3><b>Integration With Personal Devices<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Healthcare professionals can use their personal devices to take business calls when out of office, and their Google Voice number can be active during working hours but silenced after working hours by integrating with Google Calendar<\/span><\/p>\r\n<h2 id=\"Main-Downsides\">Main Downsides of Using Google Voice in Telemedicine<\/h2>\r\n<p><span style=\"font-weight: 400;\">Like anything in life, there are downsides to choosing a mass-market offering that was not designed specifically for your field or profession. <\/span><span style=\"font-weight: 400;\">While Google Voice has its advantages, it has limitations when used in telemedicine. It&#8217;s crucial for healthcare providers to fully understand the shortcomings before integrating Google Voice into their workflow. Understanding the challenges will help shape an informed decision and equip providers with the necessary foresight to develop strategies to address potential issues. Here are some of the main downsides of using Google Voice in telemedicine, or in other aspects of a medical practice.<\/span><\/p>\r\n<h3><b>Lack of Medical Focus<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google is a broad product built for \u201cevery business\u201d and has not been designed for healthcare workflows specifically. As such, there is no integration with electronic health records (EHRs), and it is not easy to copy\/paste\/transfer content to medical records. Google Voice is also missing adjacent features that many practices might find useful to have in a medical-communications product, such as faxing, secure messaging, work assignment, individual and team inboxes, auto-replies and automations, and other similarly modern advancements.<\/span><\/p>\r\n<h3><b>Security and Privacy Concerns<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google Voice is part of the Google Suite and many people believe that if they sign a BAA for one component of the Suite, that it will cover all of the tools, but that simply isn\u2019t true. The onus is on the user to ensure complete compliance.\u00a0<\/span><\/p>\r\n<h3><b>Limited Technical Support<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">With Google Voice, there is no in-app messaging to contact support, users are unable to email anyone at Google when issues arise, there are no demos or onboarding services, and no live technical troubleshooting. Help comes in the form of help articles and community forums that users must dig through to ferret out the answers to essential questions.\u00a0<\/span><\/p>\r\n<h2 id=\"Why-Important\">Why Is HIPAA Compliance Important?<\/h2>\r\n<p><span style=\"font-weight: 400;\">HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law that aims to protect sensitive patient health information. HIPAA regulations represent a set of guidelines and standards that covered entities and their business associates must follow to protect the privacy and security of protected health information (PHI). These regulations include the Privacy Rule, which protects the privacy of individually identifiable health information, and the Security Rule, which sets national standards to protect electronic protected health information (e-PHI). We recently wrote an article on <\/span><a href=\"https:\/\/sprucehealth.com\/blog\/hipaa-violation-consequences-what-every-healthcare-professional-should-know\/\"><span style=\"font-weight: 400;\">HIPAA violation consequences<\/span><\/a><span style=\"font-weight: 400;\">, and it\u2019s worth a read if you\u2019d like to dig in deeper on the subject. Simply put, if you violate HIPAA, you run the risk of fines, jail time, and losing your practice altogether.<\/span><\/p>\r\n<h2 id=\"Security-Features\">Google Voice Security Features<\/h2>\r\n<p><span style=\"font-weight: 400;\">Google Voice offers several security features, such as access controls, limited audit controls, user authentication, and encryption\u2014all aimed at safeguarding PHI. However, the software&#8217;s HIPAA compliance depends largely on how end-users utilize these features, and because Google Voice is not specific to medicine, the product does not guide users toward compliance. Like anything, it\u2019s best to lean on solutions that eliminate the guesswork and make it easier for you and staff to adhere without second guessing every fax that\u2019s sent, every voicemail that\u2019s left, and every text message that\u2019s deployed.\u00a0<\/span><\/p>\r\n<h2 id=\"BAA\">What Is a Business Associate Agreement?<\/h2>\r\n<p><span style=\"font-weight: 400;\">At heart, the BAA requirement under HIPAA is simple for care providers: every covered entity must have a written agreement with each of its business associates, or else it is not compliant with HIPAA regulations.<\/span> <span style=\"font-weight: 400;\">That summation is succinct, and we have dedicated <\/span><a href=\"https:\/\/sprucehealth.com\/blog\/hipaa-compliance-baa-care\/\"><span style=\"font-weight: 400;\">an entire article<\/span><\/a><span style=\"font-weight: 400;\"> to the subject. That said, <\/span><span style=\"font-weight: 400;\">every BAA should contain certain basic elements, and the major focus of the requirements is to make it explicit that a business associate is just as beholden to HIPAA as is a covered entity, and the totality of the requirements functions as a blueprint that essentially every BAA should follow. Net net, up-to-date and complete business associate agreements are vital to every healthcare organization\u2019s HIPAA compliance plan. If a company will not enact an appropriate BAA with your organization, then you should not trust them with your patients\u2019 PHI. It\u2019s that simple and also that important.<\/span><\/p>\r\n<h2 id=\"Compliance\">Main Steps to Comply with HIPAA While Using Google Voice<\/h2>\r\n<h3><b>Sign a BAA With Google<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/h3>\r\n<p><span style=\"font-weight: 400;\">Ensure that you have enacted a BAA with Google before using Google Voice or any other Google service for PHI or other healthcare purposes.<\/span><\/p>\r\n<h3><b>Sign Up for a Google Workspace Account<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">You must have a Google Workspace account to use Google Voice in a HIPAA-compliant manner.<\/span><\/p>\r\n<h3><b>Log Into Your Google Workspace Account<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">After signing up for Google Workspace, access your account to proceed with compliance settings, including the key ones that we&#8217;ll discuss next.<\/span><\/p>\r\n<h3><b>Select Legal and Compliance Option<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">In your account settings, select the legal and compliance option to access the specifics of HIPAA compliance.<\/span><\/p>\r\n<h3><b>Find Security and Additional Privacy Terms<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Navigate through the account settings to find the section outlining the additional terms for security and privacy.<\/span><\/p>\r\n<h3><b>Accept the Cloud Identity HIPAA Business Associate Agreement<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google provides a specific &#8220;<\/span><a href=\"https:\/\/support.google.com\/a\/answer\/2888485?hl=en#zippy=%2Chow-to-accept-the-hipaa-business-associate-amendment\"><span style=\"font-weight: 400;\">Google Workspace\/Cloud Identity HIPAA Business Associate Amendment<\/span><\/a><span style=\"font-weight: 400;\">&#8220;. Ensure you review and accept these terms.<\/span><\/p>\r\n<h3><b>Answer Questions During this process<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google will show a pop-up window with some straightforward questions you have to answer before you accept the conditions and finish the setup.<\/span><\/p>\r\n<h2 id=\"Can-We-Say\">Can We Say That Google Voice Is HIPAA-Compliant?<\/h2>\r\n<p><span style=\"font-weight: 400;\">Google Voice, in its standard form, is very unlikely to be HIPAA-compliant. However, Google will sign a BAA with their Google Voice for Google Workspace customers, thereby making it possible to use the service in a HIPAA-compliant way\u2014though, as always, compliance depends on how exactly a tool is used. It&#8217;s crucial, however, to understand that the free version of Google Voice is not covered under a BAA and is hence much more difficult, if not impossible, to use in a HIPAA-compliant way. It\u2019s equally crucial to understand that even with the paid plan and its BAA in place, there still remains a fair amount of responsibility that rests on the user to ensure compliance.<\/span><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p>\r\n<h2 id=\"Thoughts\">Final Thoughts<\/h2>\r\n<p><span style=\"font-weight: 400;\">While Google Voice for business may feel like an easy answer to those who are already leveraging Google Workspace, it\u2019s important and actually downright critical to think through your use cases before signing on. How do you intend to use the service? Are you a small practice or solo provider that can think through the necessary requirements of remaining HIPAA-compliant within a squishy environment that puts the onus on the user to \u201cget it right\u201d? It will be nearly impossible to ensure a wider team is following the guidelines in a loose and uncontrollable environment.\u00a0<\/span> <span style=\"font-weight: 400;\">You may be considering Google Voice because of its pricing (the Standard plan comes in at $20 per user per month while the Premier plan will set you back $30 per user per month). <\/span><\/p>\r\n<p><span style=\"font-weight: 400;\">Simply put, there are <\/span><a href=\"https:\/\/sprucehealth.com\/plans\"><span style=\"font-weight: 400;\">stronger options<\/span><\/a><span style=\"font-weight: 400;\"> on the market, at a similar price point, that are dedicated to the medical space and designed for those eager to comply with HIPAA. Spruce has a standard plan for $24 per user per month, and our product\u00a0 has been built from the ground up for simple HIPAA compliance, including an automatic BAA. Beyond the compliance basics, Spruce is an advanced medical communication system<\/span><span style=\"font-weight: 400;\"> that powers far more than just your phone system, including secure app-based messaging, team chat, faxing, and video telemedicine. Spruce also includes <\/span><span style=\"font-weight: 400;\">team organization and practice administration tools, user access controls, contact and patient list management, and clinical questionnaires, to name just a few of the standout features that enable healthcare workers to focus on what matters\u2014safely, efficiently, and effectively taking care of the patient.<\/span><\/p>\r\n<h2 id=\"FAQ\">FAQ Section<\/h2>\r\n<h3><b>How are Google Voice and Spruce Health different?<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">For starters, Google Voice does not offer eFax. Fax is a fairly essential part of the healthcare world and is not going anywhere, anytime soon. Google separates phone, voice, and text, and Spruce consolidates them for a holistic view of the patient. Spruce also offers text-based autoresponders, missed-call auto-text-backs, and welcome-message automations, and these are not something that Google Voice offers at this time. Google limits the number of rings to your phone, which can contribute to missed calls and lead to backlash. Spruce allows you to transfer your existing phone numbers into (and out of) our system for free, but Google charges for this service, which can add up over time. But most importantly, Google Voice and Spruce Health are firmly planted in two very different camps when it comes to privacy and security, and in healthcare, that is not something that can be negotiated.<\/span><\/p>\r\n<h3><b>Can I use the free version of Google Voice for patient communication?\u00a0<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">No. The free version of Google Voice does not comply with HIPAA standards, as Google does not provide a Business Associate Agreement (BAA). You should only use the paid version of Google Voice in Google Workspace for PHI communication.<\/span><\/p>\r\n<h3><b>Are Google Voice&#8217;s voicemail transcription services HIPAA-compliant?\u00a0<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Yes, but only for the paid version of Google Workspace, provided a Business Associate Agreement (BAA) is signed with Google. The free version of Google Voice does not offer HIPAA-compliant voicemail transcription services. In fact, storing PHI-containing voicemails on Google Voice without a BAA would almost certainly qualify as mishandling ePHI, which would be a significant misstep under HIPAA.<\/span><\/p>\r\n<h3><b>How does Google Voice handle data encryption for HIPAA compliance?\u00a0<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Google Voice encrypts all data in transit and at rest, a key requirement for HIPAA compliance. However, to fully meet HIPAA standards, you must use Google Voice for Google Workspace, and a BAA must be in place.<\/span><\/p>\r\n<h3><b>Can I use Google Voice for telehealth appointments?\u00a0<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Yes, you can use Google Voice to schedule and manage telehealth appointments, if you are using the paid Google Workspace version and have a signed BAA with Google.<\/span><\/p>\r\n<h3><b>Are there alternatives to Google Voice that are HIPAA-compliant?\u00a0<\/b><\/h3>\r\n<p><span style=\"font-weight: 400;\">Yes, numerous other telecommunication services are HIPAA-compliant. However, their compliance typically also relies on having a signed BAA. Some alternatives include Spruce Health, RingCentral, Zoom for Healthcare, and Skype for Business. Always verify HIPAA compliance before adopting a new service.<\/span><\/p>","protected":false},"excerpt":{"rendered":"<p><\/p>\n","protected":false},"author":21,"featured_media":3875,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"slim_seo":{"title":"The Intersection of Google Voice and HIPAA Compliance: A Comprehensive Review - Spruce Blog","description":""},"footnotes":""},"categories":[59,14,51],"tags":[138,137,139,123,140,5,4],"different-template":[],"class_list":["post-3865","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-health-tech-communication","category-hipaa","category-thoughts","tag-baa","tag-google-voice","tag-google-workspace","tag-hipaa-compliance","tag-security-and-privacy","tag-telehealth","tag-telemedicine"],"acf":[],"_links":{"self":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/3865","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/comments?post=3865"}],"version-history":[{"count":0,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/3865\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media\/3875"}],"wp:attachment":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media?parent=3865"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/categories?post=3865"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/tags?post=3865"},{"taxonomy":"different-template","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/different-template?post=3865"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}