Dear Midwife: Here's why Google Voice (Free) is not HIPAA-compliant
By: Facundo Gauna (Founder/CEO)
Many businesses use Google Voice because it’s a great way to provide a virtual phone number with basic call routing to other phone numbers behind the scenes. It’s a great way to “obfuscate” personal phone numbers and have a more professional face to the business. This article explains why Google Voice (Free Version) is not HIPAA-compliant and what you can do about it as a midwifery practice.
Note: This article has been reviewed by a HIPAA third-party consultant for its accuracy.
Before we get started
In this article, we assume you're an out-of-hospital midwife who runs a solo practice or is part of a group practice. If you're a different healthcare provider, we hope you find this relevant, valuable, and, most likely, still applicable. Having a basic understanding of HIPAA compliance requirements will be helpful.
The short
- If you're using the free version, you're not compliant - For HIPAA compliance, you need to have a Business Associate Agreement (BAA), and that’s only offered on the paid plans by Google Workspace.
- If you’re mostly texting with Google Voice, you’re most likely not HIPAA-compliant - The technology behind text messages is still unencrypted. However, if you give a disclaimer to each client that text messages are not secure and you ask for their consent, you’re covered.
- At the time of writing, if you want to use Google Voice in a HIPAA-compliant way, you will have to pay at least $6 per month per user for Gmail through Google Workspace and an additional $20 per month per user for Google Voice.
- If you share logins for Google Voice so that you can have one conversation, this is a security risk because of the lack of two-factor authentication. It may be a HIPAA violation because you are not complying with information access management requirements. Also, you’re violating the terms of service for Google Voice and, therefore, violating the Business Associate Agreement with Google.
Why is Google Voice (free) not HIPAA-compliant out of the box?
For HIPAA compliance, as a “covered entity,” you must execute Business Associate Agreements (BAA) with other companies (i.e. business associates) that help in your business functions. In this case, Google is the Business Associate and only provides the necessary Business Associate Agreement when you pay for a Google Workspace account and for Google Voice.
If you pay for Google Voice, voice calls can be HIPAA-compliant.
Note: The following only applies to voice calling.
Assuming you are paying for a Google Workspace account and you’re not using the free version of Gmail, and assuming you’re also an Admin or the business owner of the practice, you can purchase and sign the BAA agreement for the Google Workspace.
The same BAA agreement will cover the use of Gmail, Google Voice, and other services listed here.
Here’s a step-by-step guide on how to view and sign the BAA agreement. Please note that you must be the midwifery practice's business owner to sign the agreement. There is one agreement per business.
- Using your Google Workspace account, go to Account Settings under Google Admin
- Scroll down to Legal and compliance and click on the section that says “Pending Terms of Service.”
- You will see a subsection for “Google Workspace/Cloud Identity HIPAA Business Associate Agreement.” If you haven’t accepted it yet, it will show as “Not accepted.”
- Click anywhere in that section or click on the “pencil” button in that section. You will see a “Review and Accept” button; click it.
- A pop-up window will appear. Say yes to all the questions. If you’re curious about what those questions mean, here’s a breakdown:
  - Are you a midwifery practice (i.e. covered entity)?
  - Will you use Google Workspace products like Gmail to transmit sensitive client information?
  - Are you a business owner?
- A new screen in the pop-up will appear with the actual agreement. Click “I accept.”
Once you sign the BAA agreement, if it’s a new Google Workspace account, you must give yourself a Google Voice license and one per employee in your practice.
Unfortunately, if you want to use Google Voice to text PHI with clients, you’re still not going to be compliant.
As our article “How to Achieve HIPAA Compliance with Text Messages” covers, text messaging protocol is not considered secure.
The diagram below shows a text message being sent by a midwife to a client.
HIPAA compliance applies to the communication between Google Voice and a phone using the Google Voice app.
You might ask yourself:
Could I just have my clients use the Google Voice app?
If all your clients used Google Voice, you could say you’re HIPAA compliant.
However, to make that work, you must add all your clients to your Google Workspace and give them Google Voice licenses. Then, you would probably want to set up the appropriate security settings so that they can’t read your practice’s files or do other unsafe things. Google Voice was not designed to work that way: it would be hard, maybe not possible, and it would cost more money the more clients you have.
Other Drawbacks Beyond HIPAA Compliance
Beyond compliance issues, other challenges make client management more difficult.
For example:
- You can’t have a nice group practice view with a client - Similar to text messages, you can’t have a “midwifery practice” view of all the conversations. In other words, if you wanted to have your clients text a single phone number and it would notify all the midwives who are part of the practice about the text, you couldn't do that. So, if you are part of a multiple midwife practice, you would have to create group texts for each client with all of the midwives. That could work, but it would just feel a little weird for a client to share their intimate symptoms with a bunch of other phone numbers in a group text. In the end, there are other reasons why it wouldn’t work well:
  - Google Voice doesn’t support text messages with its Rings. A Ring is a group of people using Google Voice tied to a phone number. A good use of a Ring would be a midwife hotline, where a client calls a single number, and Google Voice would dial each phone independently until a midwife picks up or dial all the phones simultaneously until someone picks up.
  - If you share Google logins, you’ll be doing something extraordinarily insecure and likely violating the terms of use for Google Voice. Sharing logins and passwords is considered a bad practice regarding information security for any software. Passwords are easily leaked because of company breaches, and it’s common for each person to remember only a handful of passwords at most; in other words, if your password was compromised before, then a malicious actor could easily log in as you.
- It's awkward to schedule messages - With Google Voice, you can schedule-send messages when you’re using email to reply to messages. Because Gmail has a schedule send feature, you can schedule a reply to a text message via email.
- You can't broadcast messages - Like texting, you can’t quite send announcements to several phone numbers without revealing every individual’s identity. The only way to send a broadcast would be to send a group text message to all your clients, which would violate HIPAA since your clients would be aware of each other.
- It's tedious to answer the same question repeatedly - Like texting, it’s so time-consuming to answer basic questions from clients all the time. There are no apparent ways to have “templates” of responses that are given frequently. Also, unless you’re very organized on your phone, it’s hard to quickly insert resources that they might find helpful - like digital handouts.
- No read receipts - Have you had a lovely day with the family but had trouble being present because you asked the client if they needed you to come by, but they weren’t responding? Or have you had a situation where you sent them a message, and you were wondering when to call them because it’s important that they saw the message? Read receipts are essential to help you understand if they’ve seen your message so you can continue about your day. At the same time, they can be hurtful to mental health if clients also have read receipts, because they can see when you have seen a message but you’re not responding because you’re trying to think about what to do next.
- No way to show clients that you’re on vacation - Clients forget about your vacation. They forget about your kid’s birthdays. They forget about your anniversary. For good reason, they’re thinking about one of the most important moments in their life. However, it stresses your personal life unnecessarily because you can’t have a true day off where you can be present and unplug. With Google Voice, as with texting and WhatsApp, you can’t show the business hours during which you will likely respond. On the other hand, sometimes you have clients who are so scared to interrupt you that they don’t say anything at all, even when it’s an emergency.
We're building a better way.
HIPAA-compliant means meeting all HIPAA Security and Privacy Rule requirements. At Hello Midwife, we're building a HIPAA-compliant messaging app that can help you lessen stress and take off some of the mental load you might have. Midwifery is full of burnout, and we want to make a difference for the people who give so much of themselves.
We hope you found this article helpful, even if you're not a midwife.
If you're interested in Hello Midwife, click here to start your free trial!