In early 2023, a small behavioral health practice in the Midwest contacted me after receiving a patient complaint. A clinician had been conducting therapy sessions over Google Hangouts for nearly two years, assuming it was covered under the organization's Google Workspace agreement. It wasn't. The practice had no Business Associate Agreement (BAA) covering the tool, no access controls configured, and no audit logs to demonstrate compliance. This scenario plays out more often than you'd expect — and the answer to "is Google Hangouts HIPAA compliant?" is more nuanced than a simple yes or no.
Google Hangouts Is Discontinued — And That Changes Everything
Google officially sunsetted the classic Google Hangouts product in late 2022, migrating users to Google Chat and Google Meet. If your organization is still referencing "Google Hangouts" in your telehealth policies or workforce training materials, that's an immediate red flag. You're pointing staff toward a product that no longer exists, which means your compliance documentation is outdated.
Google now offers Google Meet (for video conferencing) and Google Chat (for messaging) as part of Google Workspace. These are the products Google will actually sign a BAA for — but only under specific licensing tiers and configurations. The legacy Hangouts product was never independently covered by a BAA, and it certainly isn't now.
Why Asking "Is Google Hangouts HIPAA Compliant" Misses the Real Question
No technology is inherently HIPAA compliant. The HIPAA Security Rule under 45 CFR Part 164, Subpart C, requires covered entities and business associates to implement administrative, physical, and technical safeguards appropriate to the protected health information (PHI) being handled. Compliance is about how a tool is configured, governed, and contractually supported — not the tool itself.
The real questions your organization should be asking are:
- Has Google signed a Business Associate Agreement covering the specific product you're using?
- Have you configured the product to enforce access controls, encryption, and audit logging?
- Does your workforce understand which communication tools are approved for PHI?
- Have you conducted a risk analysis that includes video conferencing and messaging platforms?
If you can't answer yes to all four, you have a compliance gap — regardless of which Google product you're using.
Google Workspace BAA: What It Covers and What It Doesn't
Google does offer a BAA for Google Workspace (formerly G Suite) customers on eligible plans, including Business Plus, Enterprise, and Education Fundamentals (among others). The BAA covers a defined set of "Covered Services," which currently includes Google Meet, Google Chat, Gmail, Google Calendar, Google Drive, and several others.
Here's where organizations get tripped up: the BAA only applies to the services explicitly listed in Google's HIPAA implementation guide. If a workforce member uses a Google product not listed as a Covered Service — such as a consumer-grade tool or a feature outside the Workspace ecosystem — PHI transmitted through that tool is completely unprotected from a BAA standpoint.
Your organization must accept the BAA through the Google Workspace Admin console. It does not activate automatically. I've audited covered entities that had been paying for Enterprise-tier licensing for years without ever executing the BAA — leaving every email, video call, and shared document containing PHI exposed to potential HIPAA violation findings.
The Minimum Necessary Standard Applies to Video Calls Too
Even with a valid BAA and properly configured Google Meet environment, the minimum necessary standard under the Privacy Rule still applies. Your workforce must limit the PHI disclosed during video conferences to only what is necessary for the purpose of the call. Screen sharing, for example, can inadvertently expose patient records, billing information, or scheduling details that have nothing to do with the topic at hand.
This is a training issue, not a technology issue. Your HIPAA training and certification program should include specific guidance on telehealth etiquette, screen-sharing protocols, and how to handle recordings or transcripts that may contain PHI.
OCR Enforcement and the Post-PHE Landscape
During the COVID-19 Public Health Emergency (PHE), OCR exercised enforcement discretion for telehealth remote communications, allowing providers to use non-public-facing tools like Google Hangouts, Zoom (consumer version), and FaceTime without penalty. That discretion ended on May 11, 2023, when the PHE expired.
Since then, OCR has signaled a return to full enforcement. Organizations that relied on the PHE flexibility to justify using consumer-grade communication tools for PHI must have transitioned to compliant platforms by now. If your practice is still using tools without a BAA in place, you're operating in open violation of the Security Rule and the Privacy Rule.
OCR's enforcement priorities in 2024 include right of access, risk analysis failures, and — increasingly — the use of online tracking technologies and unsecured communication platforms. Don't assume telehealth falls off the radar.
Steps to Replace Google Hangouts in Your Compliance Program
If your organization previously relied on Google Hangouts or still references it in any policy, take these steps immediately:
- Audit your communication tools. Identify every platform your workforce uses to discuss, transmit, or store PHI — including shadow IT tools staff may have adopted informally.
- Execute the Google Workspace BAA. If you use Google Workspace, confirm through your Admin console that the BAA has been accepted and that only Covered Services are approved for PHI.
- Update your risk analysis. Your risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) must account for telehealth and messaging platforms. If it doesn't, it's incomplete.
- Revise your Notice of Privacy Practices. If you offer telehealth services, your Notice of Privacy Practices should reflect how PHI is handled during virtual encounters.
- Retrain your workforce. Every workforce member — not just clinicians — needs to understand which tools are approved for PHI. HIPAA Certify's workforce compliance platform provides structured training that covers exactly these scenarios.
Don't Let a Deprecated Tool Create a Live Compliance Risk
The question "is Google Hangouts HIPAA compliant" should now serve as a diagnostic for your organization. If anyone on your team is still asking it, that tells you your policies, your training, and possibly your BAA coverage are out of date.
HIPAA compliance isn't a one-time event. It's an ongoing obligation that requires you to reassess tools, retrain staff, and update documentation every time the technology landscape shifts. Google Hangouts is gone. Make sure your compliance program has moved on too.