Is Google Meet HIPAA compliant?

Confidentiality and security are essential in healthcare, but convenience is also important for a better patient experience. Healthcare providers must manage patient information beyond the physical boundaries of their practices, especially with telehealth services. 

Google Meet is a popular teleconferencing tool for Google Workspace plans. However, with the rise of video conferencing for remote health consultations, it’s important to ask whether Google Meet fulfills your practice’s HIPAA compliance requirements. 

In this guide, we’ll explore whether Google Meet is HIPAA compliant and share practical tips for finding a compliant video conferencing solution.

In this article:

• What is Google Meet?
• How does Google Meet comply with HIPAA?
• Best practices for ensuring HIPAA compliance when using Google Meet
• How to find a HIPAA-compliant video conferencing solution
• Support digital trust with Reveal
• Frequently asked questions

Wh‎at is Google Meet?

‎Google Meet offers a range of features that enhance the overall meeting experience. It provides high-quality video and clear audio quality, ensuring that participants can see and hear each other clearly. This is crucial for effective communication during meetings.

Additionally, users can share their screens with others, making it easy to present slides, demonstrate software, or collaborate on documents in real-time. The ability to record meetings is also available, allowing for convenient review of discussions later or sharing with those who couldn't attend.

Real-time captioning is another valuable feature. You can even use translated captions to translate to and from some languages, providing accessibility and assisting participants in understanding the conversation.

Furthermore, Google Meet offers features like co-hosts, breakout rooms, and audio/video control. These features enable better organization and management of meetings, allowing for smoother collaboration and engagement among participants.

The platform provides a comprehensive set of tools and features that enhance the meeting experience and facilitate effective communication and collaboration for healthcare providers and other businesses. But is Google Meet HIPAA compliant?

Ho‎w does Google Meet comply with HIPAA?

‎How you use Google Meet ultimately determines compliance, but at its core, Google Meet does comply with HIPAA. It does so by implementing tight access controls, encryption, and other helpful security measures. However, remember that these features are largely available only to paid Google Workspace plans, not free Google accounts. 

Data encryption

Google Meet provides end-to-end encryption for all data shared during video calls. This includes the video feed, audio, chats, and shared files. It encrypts everything while in transit and at rest, protecting data from unauthorized access at all times. 

Access controls

HIPAA requires providers to follow robust access controls to prevent outsiders from accessing sensitive patient information. With Google Meet, you have total freedom to control meeting access.

You can require a Google account to join a meeting, although that might not be practical for all patient meetings. You can also admit or deny entry before a call and set up two-factor authentication (2FA) for your Google account. 

Audit trails

Google provides comprehensive audit logs and tracking features. The Meet administrator dashboard shows a complete log of user activity within meetings.

The system also provides access logs for easier compliance reporting and monitoring. Access controls allow only certain administrators to access this information, keeping it securely in the right hands. 

Business Associate Agreements (BAAs)

Google offers BAAs to healthcare entities, which is required by HIPAA. Under a BAA, Google agrees to safeguard protected health information (PHI), report breaches, and follow other HIPAA security protocols.

While this is helpful, the BAA will only minimize liability in the event of a Google error. It’s still your responsibility to use the platform in a HIPAA-compliant manner. The penalties for HIPAA violations and non-compliance are costly, so it's crucial to take every possible precaution to protect PHI.

Additional controls

The premium version of Google Meet includes various helpful and HIPAA-compliant features, including:

• Restricted recording features
• Controlled data sharing
• Free user training and support

Be‎st practices for ensuring HIPAA compliance when using Google Meet

Follow these best practices to properly configure Google Meet for HIPAA compliance.

1. Subscribe to a Google Workspace plan. Subscribe to a Google Workspace Business Plan or Cloud Identity account.
2. Agree to Google's BAA. Agree to Google's Business Associate Addendum. However, simply signing the Business Associate Addendum does not automatically make Google Meet HIPAA compliant.
3. Make Meet the default videoconferencing service. System administrators need to configure the service to support compliance, such as making Meet the default videoconferencing service to prevent calls via Hangouts, which is not HIPAA compliant in video mode.
4. Make all Google Meet invites private. Additionally, all Google Meet invites should be made private to mask any Protected Health Information (PHI) mentioned in the invites.
5. Implement access controls. Admins can also control whether users can record meetings from the Admin console. Keep in mind that recordings, chat messages sent during the call, and transcriptions are saved in Google Drive and follow Google Drive's sharing permissions. Users can control who gets invited to meetings, whether anonymous guests can join in-progress meetings, and remove unwanted participants from meetings.
6. Develop policies and train your team. It is also important to develop policies on how to use Google Meet in compliance with HIPAA and provide training to the workforce.

Google updated its Workspace and Cloud Identity Implementation Guide in February 2024 to provide guidance on making Google Meet HIPAA compliant.

Ho‎w to find a HIPAA-compliant video conferencing solution

‎Google Meet is a popular video conferencing application, but it isn’t suitable for all practices. Unless your entire practice operates in the Google Cloud, it might be best to use a more healthcare-focused solution. Regardless of how you prefer to stay in touch with patients, follow these tips to find a HIPAA-compliant video conferencing solution. 

Understand your requirements

Every practice is free to implement HIPAA rules largely as they see fit. This ambiguity makes it more difficult to find compliant vendors, so it’s important to get clarity on your requirements before you shop around. Work with your HIPAA Compliance Officer or compliance committee to list features and security settings to serve patients and stay compliant. 

Check for compliance and certifications

HIPAA compliance is a must, but there’s no “official” HIPAA compliance designation for business associates besides signing a BAA. They should be willing to sign a BAA at a minimum, but additional certifications are also a good sign. For example, compliance with GDPR, PCI, and SOC 2 is a sign of a reputable vendor. 

Ask about interoperability

You likely use multiple software and tools to manage patient data. Look for a telehealth solution that’s compatible with the other systems you use. This approach will make it much easier to improve the patient experience and save time on back-office tasks. For example, look for a video conferencing platform that integrates with your electronic health record (EHR) system. 

Su‎pport digital trust with Reveal

‎Cloud-based telehealth tools like Google Meet are HIPAA compliant, but they might not be a fit for all practices or providers. Plus, compliant platforms alone don't ensure your business is compliant. 

When it’s time to get serious about patient data protection and compliance, the Reveal Platform by Next offers a robust solution. Real-time inspections, automated policy enforcement, and incident-based training reinforce your organization's security policies while promoting cyber hygiene and fostering a security-positive culture. Reveal's unparalleled visibility allows providers to focus less on compliance and more on what matters: patient outcomes. Schedule your Reveal demo now.

Fr‎equently asked questions

Can Google Meet be used for telehealth appointments?

Yes, you can use Google Meet for telehealth appointments under HIPAA rules, provided a Business Associate Agreement (BAA) is in place between you and Google. The healthcare provider must also use Google Meet in a manner that complies with HIPAA guidelines, including proper security settings and user training.

Are there any specific settings in Google Meet that must be adjusted for HIPAA?

While Google Meet offers various security features, healthcare providers should enable settings like two-factor authentication, use meeting passwords, control participant entry through the waiting room feature, and avoid recording sessions unless necessary.

Is Google Meet's BAA automatically applied, or do healthcare providers need to request it?

Google’s BAA doesn’t automatically apply. Healthcare providers need to enter into a BAA with Google specifically to cover Google Meet and any other Google Cloud services they intend to use.