For the past few years, the good faith use of Google Meet and HIPAA compliance has not been an issue for healthcare providers due to OCR’s Notice of Enforcement Discretion for telehealth during the COVID-19 pandemic. However, with the COVID-19 public health emergency about to expire, healthcare providers will have to start using Google Meet in compliance with HIPAA.
During the COVID-19 pandemic, the use of chat, phone, and video communication services to conduct telehealth consultations soared by 154%. Although the use of these communication services for telehealth has since stabilized at a lower level, telehealth still accounts for around 24% of all non-routine healthcare visits and up to 63% of all routine mental health visits.
One of the reasons healthcare providers were able to adopt video communication services so quickly at the start of the COVID-19 pandemic was a Notice of Enforcement Discretion published by HHS’ Office for Civil Rights that said OCR would refrain from taking HIPAA enforcement action against healthcare providers providing telehealth services in good faith during the public health emergency.
However, the COVID-19 public health emergency is due to expire on May 11. Healthcare providers have been allowed a transition period for telehealth service until August 11, but it will be necessary for healthcare providers using video communication services such as Google Meet to consider whether they are using the video communication service in compliance with HIPAA.
Why Select Google Meet as an Example?
Many different video communication services were utilized during the COVID-19 pandemic – some of which support HIPAA compliance, and others that don’t. Healthcare providers using a non-compliant service will have to change service providers before August; and, as Google Meet is one of the easiest to use, it is likely many healthcare providers will select Google Meet ahead of Zoom or Skype.
Additionally, Google has published a HIPAA Implementation Guide which explains how services in the Google Workspace suite should be configured to comply with the Administrative and Technical Safeguards of the Security Rule. Importantly, Google is also willing to enter into a Business Associate Agreement with healthcare providers not already using the Workspace suite to communicate PHI.
However, before being able to access the configuration controls or enter into a Business Associate Agreement, Google requires Covered Entities to subscribe to an Enterprise Workspace Plan. This may result in a number of duplicated services if a Covered Entity already subscribes to service package from (say) Microsoft, but patients may also find Google Meet easier to use.
Training Users on Google Meet and HIPAA Compliance
When discussing technologies to comply with HIPAA, it is important to be aware that no software is HIPAA compliant. It is how the software is configured and used that determines compliance. Configuring Google Meet to support HIPAA compliance is straightforward if you follow the instructions in the HIPAA Implementation Guide, and Google’s BAA is particularly uncomplicated.
Training users on Google Meet and HIPAA compliance may be a different story. For the past three years, users have not had to worry about disclosing more than the minimum PHI, inadvertently sharing PHI with unauthorized users, or ensuring conversations were not overheard – or screens overlooked – by third parties provided they were providing telehealth services in good faith.
This will change come August when the transition period for telehealth enforcement discretion draws to a close, and users need to adopt best practices now rather than struggle with Google Meet and HIPAA compliance once enforcement action resumes. Fortunately, Google is offering a free trial of the Enterprise version of Google Workspaces for healthcare providers to try before they subscribe.
This represents an opportunity for Covered Entities to evaluate whether Google Meet and other services in the Workspace suite are suitable for their operations. It also offers the chance to train members of the workforce on using Google Meet in compliance with HIPAA – notwithstanding that training of this nature also contributes towards the requirement to provide security awareness training to all members of the workforce.