Is Google Voice HIPAA-compliant? Yes. And no. It depends.
How is that for a murky answer? If the answer to the question of Google Voice’s compliance with HIPAA were straightforward, we wouldn’t be writing a blog about it. But because so many businesses utilize Google’s voice over internet protocol (VoIP) phone system, healthcare providers considering this popular platform often want to verify its HIPAA compliance before putting it into action.
If you’re not familiar with Google Voice, it’s a VoIP phone service that provides users with a phone number for calls, texts, and voicemails and is available on multiple types of devices, including smartphones, tablets, and desktops. Unlike other businesses, healthcare providers deal with HIPAA and, therefore, must remain compliant with the administrative, physical, and technical safeguards of its Security Rule. That’s because they, along with payers and clearinghouses, create, receive, or transmit protected health information (PHI).
Criminal HIPAA violation penalties range from a fine of $50,000 and up to a year in prison to $250,000 and up to ten years of jail time. Civil penalties vary from $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations, to $50,000 per violation, with an annual maximum of $1.5 million. Those punitive actions don’t take into account the damaged reputation and decreased customer trust a healthcare provider often experiences when sensitive data is stolen.
That HIPAA overview explains why compliance with its rules is essential for any healthcare provider. Now on to the specifics of Google Voice and HIPAA compliance, in three primary points.
1. Google Voice for personal use is not HIPAA-compliant.
Google Voice is free for anyone with a Google account. But, the company doesn’t recommend that businesses utilize this type of plan.
Medical practices certainly should not use a personal Google Voice account, especially since they handle PHI. They do not want to risk cyberattacks, which are the fastest-growing crime in the U.S. and can be costly in more ways than one.
According to a recent survey from the American Medical Association, more than 92 percent of patients say privacy is a right. However, only slightly more than half of patients at private practices and about one-third of patients of large hospital networks said they don’t trust their healthcare providers to protect PHI and payment information.
2. The paid version of Google Voice is HIPAA-compliant — if the service is used as part of a business Workspace plan and a business associate agreement (BAA) is signed with Google.
Although Google did not offer a business associate agreement (BAA) when Google Voice was part of its G Suite product — primarily because it was only a consumer product — Google Voice for Workspace is now covered by the company’s BAA. Google offers a standard BAA to its service agreement for all healthcare organizations subscribing to a Workspace account, making it a HIPAA-compliant service.
What exactly is a business associate agreement (BAA)? HIPAA requires that a covered entity enter into a BAA any time it uses a contractor or non-workforce member to perform “Business Associate” services or activities on behalf of the covered entity. The Google BAA is a standard BAA for all covered entities and is entered into automatically when a healthcare organization subscribes to a Google Workspace business account.
3. Although Google Voice technically offers HIPAA compliance when a healthcare provider subscribes to a Google Workspace business account, it’s not designed specifically for medical practices.
As we mentioned in a recent blog, Google Voice was not created for healthcare providers. It’s also not customizable.
Healthcare providers should use a HIPAA-compliant, secure VoIP phone system that enhances patient care and increases practice efficiency while offering customization options to best fit their business needs. One such example is ensuring HIPAA-compliant voicemail.
Providers regularly use both desktop and mobile devices for their healthcare communication. HIPAA-compliant voicemail must be completely encrypted and stored in multiple geographies simultaneously to eliminate any single points of failure. Along with bi-directional authentication, it’s part of multiple layers of security within a phone system to prevent any attempt at unauthorized access.
Another capability lacking in Google Voice is multi-staff use. Multiple devices can be linked to a Google Voice account, but users can actively handle only one call at a time. Callers waiting on hold for long periods decrease patient satisfaction and add more administrative burden for practice staff.
RingRx: A HIPAA-Compliant Enterprise Phone System That Ensures Proper Handling of PHI
At RingRx, our healthcare VoIP phone system was built exclusively for healthcare practices and guarantees compliance. We achieve this compliance by following strict protocols in these areas: physical security of PHI, encryption, training, product security and password protection, auditing and BAAs. Plus, we offer features not found in Google Voice, including unlimited two-way text messaging, advanced call routing, free phone number portability, OnCall and personalized onboarding.
Learn more about HIPAA-compliant solutions with RingRx. Contact us today for a complimentary demo!