Is using Google Calendar for appointment scheduling HIPAA compliant? In this article we will explore how HIPAA applies to the use of Google Calendar. The Health Insurance Portability and Accountability Act (HIPAA) requires that Covered Entities and Business Associates properly safeguard Protected Health Information (PHI) by following the standards set forth by the National Institute of Standards and Technology and the HIPAA Privacy Rule.
With that basic understanding of the regulations, let’s look at how this affects and applies to Google. Google offers business applications which are free and easy to use, even for a novice. The HIPAA compliance issue arises when Protected Health Information is entered into cloud applications that are not designed to properly safeguard PHI, and, at the time of writing, that specifically includes the free version of Google Calendar. Even if you use a strong, complex password, Google Calendar is not permitted to store PHI unless specific HIPAA compliance requirements have first been completed.
First, it is imperative for you to have a Business Associate Agreement with your vendors, where appropriate, and in this example using Google Calendar to store PHI, you would be required to have a Business Associate Agreement with Google.
Second, the free version of Google Calendar is NOT technically designed to be a HIPAA compliant scheduling solution, and using such a solution is a requirement of the HIPAA Security Rule.
So, how can Google Calendar be used while still meeting the HIPAA requirements? Google has the necessary security controls to protect data uploaded to Google Calendar, and its access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on a few key steps.
First, sign up for the Google G-Suite Business or Enterprise version. This is the paid version of Google and offers the end-user a Business Associate Agreement.
Next, ensure the security control options in G-Suite are set up to properly meet the HIPAA requirements.
Finally, do not share calendar invites or schedules outside your domain. This could potentially expose PHI outside the security of the G-Suite environment and become a reportable breach or improper disclosure.
Healthcare organizations and their vendors have a responsibility to be HIPAA compliant, and that starts by performing, updating or reviewing an accurate and thorough Security Risk Assessment covering your Technical, Administrative and Physical Safeguards. This will help uncover vulnerabilities and help you understand what information is being transmitted or shared, and how.
TAKEAWAYS AND THINGS TO CONSIDER:
If you don’t want to purchase additional software like G-Suite, consider, for example, how EZClaim (a Live Compliance partner) provides a reliable, secure, HIPAA compliant, cloud-based solution that gives Covered Entities a powerful medical billing program, including HIPAA compliant patient scheduling calendar capabilities.
Complete a Security Risk Assessment and establish a Corrective Action Plan that is accurate and thorough.
Remediate any potential risks or vulnerabilities. A Security Risk Assessment will identify which software is potentially exposing Protected Health Information.
Contact Live Compliance to complete your:
HIPAA Security Officer Certification Training
Employee Privacy and Security Training
Security Risk Analysis