There is no straightforward answer to the question "is Google Chat HIPAA compliant?" because compliance depends on how the service is configured and used, and the configuration options available depend on which Google Workspace plan the organization subscribes to.
Google Chat is an instant messaging service that can be deployed as a standalone application or as part of the Google Workspace suite of productivity tools. When deployed as part of the Workspace suite, Google Chat enables users to share files from other Workspace tools within the application and collaborate in real time.
In the healthcare industry, Google Chat can be used in many different ways to improve collaboration between healthcare teams, digitalize manual tasks, and accelerate workflows. Additionally, the service can be used to schedule, host, and follow up on remote HIPAA training sessions. But is Google Chat HIPAA compliant?
HIPAA Compliance and Why it Matters
Any software or service used to create, receive, maintain, or transmit ePHI must have capabilities that support compliance with the applicable standards of the HIPAA Security Rule. If the software or service is provided via the Internet, the vendor is a business associate: it must itself comply with the applicable standards of the Security Rule, and a Business Associate Agreement must be in place before ePHI is entrusted to it.
Thereafter, the capabilities must be configured to support compliance with all applicable HIPAA standards and used in a HIPAA-compliant manner. If the software or service lacks the necessary capabilities to support HIPAA compliance, or if those capabilities are not configured and used compliantly, the likelihood of a HIPAA data breach increases.
The consequences of a HIPAA data breach are usually described in financial terms. However, they can also damage patient-provider relationships. If patients do not trust their healthcare providers to keep their health information secure, they are less willing to disclose personal information. This can affect what treatment is provided and ultimately affect patient outcomes.
How to Make Google Chat HIPAA Compliant
To help covered entities and business associates make Google Chat HIPAA compliant, Google has produced a HIPAA Implementation Guide. The Guide provides instructions on how to configure the "Included Functionality" services in the Workspace suite of tools to support HIPAA compliance, "Included Functionality" meaning the services covered by Google's Business Associate Addendum.
The instructions for making Google Chat HIPAA compliant offer a number of options, which is why it may matter what plan an organization subscribes to. For example, Google Chat can be configured to restrict sharing to internal groups or domains. However, if a healthcare provider shares ePHI with external collaborators, some features, such as certain types of notifications, will require additional safeguards.
An appropriate additional safeguard in these circumstances is client-side encryption. With this recently added capability, message content is encrypted in the user's browser with keys the organization controls, so it is protected not only in communications with external collaborators but also against anyone, including Google itself, who gains access to the stored data without holding the organization's keys. Importantly, client-side encryption is only available with Enterprise Workspace subscriptions.
To make Google Chat HIPAA compliant, covered entities and business associates must subscribe to a Business Workspace plan, or an Enterprise Workspace plan if client-side encryption is required. Whichever plan is chosen, Google's HIPAA Business Associate Addendum is not signed automatically: an administrator must review and accept it in the Google Admin console before any ePHI is handled in the service. Each organization must then configure Google Chat so the service supports HIPAA compliance and train members of the workforce on the compliant use of the service.
Organizations that are unsure about how to configure Google Chat to support HIPAA compliance, that require advice on client-side encryption, or that need help training members of the workforce on how to use Google Chat in compliance with HIPAA are advised to consult a HIPAA compliance expert.