Google Hangouts Died — But the Compliance Question Didn't
A behavioral health clinic in Oregon called me last year after a therapist conducted three months of patient sessions over what she called "Google Hangouts." She'd been using Google Chat and Google Meet interchangeably, convinced they were the same HIPAA-safe tool her old office had approved years ago. They weren't. And that confusion put hundreds of patients' protected health information at risk.
So let me answer the question directly: is Google Hangouts HIPAA compliant? No. Google Hangouts was officially discontinued in November 2022. It no longer exists as a product. You cannot use it, configure it, or sign a Business Associate Agreement for it. If someone on your team still references "Hangouts" as a communication tool for patient interactions, you have an immediate compliance problem that needs attention today.
But the real question behind this search is bigger — and more important. People want to know whether Google's current tools can be used in a HIPAA-compliant way. That answer is more nuanced, and getting it wrong can cost your organization hundreds of thousands of dollars.
What Google Actually Offers in 2026 (and What Replaced Hangouts)
Google replaced Hangouts with two separate products: Google Chat (for messaging) and Google Meet (for video conferencing). Both live inside Google Workspace, the paid business suite. This distinction matters enormously for HIPAA compliance.
Google's consumer products — the ones you access with a personal Gmail account — are not covered by any Business Associate Agreement. Google has been explicit about this. Only Google Workspace paid plans are eligible for a BAA, and even then, only specific services within Workspace are included as "Covered Services" under that agreement.
According to Google's service-specific terms, the covered services eligible under a BAA include Google Meet, Google Chat, Gmail, Google Drive, Google Docs, Sheets, Slides, Calendar, and several others. But here's the catch — signing the BAA alone doesn't make you compliant.
A BAA Is Necessary. It's Not Sufficient.
I've reviewed dozens of organizations that signed Google's BAA and then assumed they were done. They weren't even close. A Business Associate Agreement is one requirement under the HIPAA Privacy and Security Rules. It doesn't configure your environment. It doesn't train your workforce. It doesn't set access controls or audit logging.
The Office for Civil Rights has made this point repeatedly through enforcement. In its published resolution agreements, OCR consistently finds that organizations failed not because they lacked a BAA, but because they didn't implement the administrative, physical, and technical safeguards required to actually protect ePHI on the platforms they used.
The $1.25 Million Mistake: Treating a Platform as a Compliance Strategy
In 2023, OCR settled with Banner Health for $1.25 million following a breach that exposed 2.81 million individuals' ePHI. The failures weren't exotic. They included insufficient access controls and a lack of system activity reviews — exactly the kind of safeguards that organizations skip when they assume the platform handles compliance for them.
Google Workspace gives you the tools to be compliant: encryption in transit and at rest, admin-level access controls, audit logs, and data loss prevention settings (DLP availability depends on your Workspace edition, so check what your plan actually includes). But your IT team, or your managed service provider, has to actually configure those controls. And your workforce has to be trained on how to use the tools without exposing PHI.
This is where the old "Hangouts" mentality gets dangerous. Staff who used Hangouts casually for years often carry that same casual attitude into Google Meet or Google Chat. They share screens without checking who's on the call. They paste patient information into group chats. They join from personal devices without any mobile device management.
What You Must Do Before Using Google Workspace for PHI
If your organization wants to use Google Workspace in a HIPAA-compliant manner, here's the real checklist — not the marketing version.
- Sign the BAA. Log in to your Google Workspace Admin Console. Navigate to Account > Legal and compliance, then review and accept the HIPAA Business Associate Amendment. If you're on a consumer Gmail account, stop: you cannot proceed.
- Restrict services. Disable any Google services not covered under the BAA. If staff can access uncovered services and paste PHI there, you have a violation.
- Configure access controls. Enforce two-factor authentication (2-Step Verification in the Admin Console) for every user, rather than merely allowing it. Set session timeouts. Restrict external sharing on Drive and Chat.
- Enable audit logging. Google Workspace keeps separate audit logs for Drive, login, admin, Meet, and Chat activity. Confirm they are retained, set alerts for high-risk events such as external sharing, and review the logs on a documented schedule. The HIPAA Security Rule's audit controls standard at 45 CFR § 164.312(b) requires mechanisms that record and examine activity in systems containing ePHI.
- Encrypt endpoints. Google encrypts data in transit and at rest on its servers. But if your workforce accesses ePHI from unencrypted laptops or personal phones, the chain breaks.
- Train every person who touches PHI. This isn't optional. It's required under the Privacy Rule at 45 CFR § 164.530(b) and under the Security Rule's security awareness and training standard at 45 CFR § 164.308(a)(5). And it needs to be specific to the tools your team actually uses.
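The access-control and audit-logging items above are not one-time settings; someone has to check them on a schedule. The script below is an added example (Python, written for this page, not code from the article or from Google) that reviews two of those items against exported Workspace records: every active user is enrolled in 2-Step Verification, and no Drive ACL change has granted access outside the organization. It works on records in the shape returned by the Admin SDK Directory API (`users.list`, fields `isEnrolledIn2Sv` and `isEnforcedIn2Sv`) and the Reports API (`activities.list` for the `drive` application); the exact event names and `visibility` values are assumptions, and the sample records, the domain `example-clinic.org`, and all user names are constructed.

```python
"""Review exported Google Workspace records against two checklist items:
2-Step Verification on every active account, and no Drive sharing outside
the organization. Added example, not Google's code or the article's.
Record shapes are assumptions based on the Admin SDK Directory API
(users.list) and the Reports API (activities.list, application "drive");
all sample records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the covered entity's primary Workspace domain.
ORG_DOMAIN = "example-clinic.org"

# Assumption: Drive audit 'visibility' values that expose a document beyond the org.
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}

# Assumption: Drive audit event names that change who can reach a document.
ACL_EVENTS = {"change_user_access", "change_document_visibility", "change_document_access_scope"}


@dataclass(frozen=True)
class Finding:
    time: str
    actor: str
    doc_title: str
    reason: str


def users_without_2sv(users: list[dict]) -> dict[str, list[str]]:
    """Return active users not enrolled in 2SV, and active users on whom 2SV is not enforced."""
    not_enrolled, not_enforced = [], []
    for u in users:
        if u.get("suspended"):
            continue  # a suspended account cannot sign in, so it is not an exposure
        email = u["primaryEmail"]
        if not u.get("isEnrolledIn2Sv", False):
            not_enrolled.append(email)
        if not u.get("isEnforcedIn2Sv", False):
            not_enforced.append(email)
    return {"not_enrolled": sorted(not_enrolled), "not_enforced": sorted(not_enforced)}


def _params(event: dict) -> dict[str, str]:
    """Flatten the Reports API parameter list into a name -> value mapping."""
    return {p["name"]: p.get("value", "") for p in event.get("parameters", [])}


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def external_sharing(activities: list[dict], org_domain: str = ORG_DOMAIN) -> list[Finding]:
    """Flag ACL changes that grant access to an outside account or make a document link/public-visible."""
    findings: list[Finding] = []
    for act in activities:
        if act.get("id", {}).get("applicationName") != "drive":
            continue  # login, admin, and other application logs are reviewed separately
        time = act["id"].get("time", "")
        actor = act.get("actor", {}).get("email", "")
        for ev in act.get("events", []):
            if ev.get("name") not in ACL_EVENTS:
                continue  # views and edits are not sharing changes
            p = _params(ev)
            title = p.get("doc_title", "(untitled)")
            target = p.get("target_user", "")
            visibility = p.get("visibility", "")
            if visibility in EXTERNAL_VISIBILITY:
                findings.append(Finding(time, actor, title, f"visibility set to {visibility}"))
            elif target and _domain(target) != org_domain.lower():
                findings.append(Finding(time, actor, title, f"shared with external account {target}"))
    return findings


def review(users: list[dict], activities: list[dict], org_domain: str = ORG_DOMAIN) -> dict:
    """Run both checks and return the findings for the reviewer's log."""
    return {"two_step": users_without_2sv(users),
            "external_sharing": external_sharing(activities, org_domain)}


# Constructed sample records in the assumed API shapes.
SAMPLE_USERS = [
    {"primaryEmail": "dr.lee@example-clinic.org", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "frontdesk@example-clinic.org", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "old.intern@example-clinic.org", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]

SAMPLE_ACTIVITIES = [
    {"id": {"time": "2026-01-14T15:02:11.000Z", "applicationName": "drive"},
     "actor": {"email": "dr.lee@example-clinic.org"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Intake summary - patient 4471"},
                                {"name": "target_user", "value": "nurse.ray@example-clinic.org"},
                                {"name": "visibility", "value": "private"}]}]},
    {"id": {"time": "2026-01-14T16:40:03.000Z", "applicationName": "drive"},
     "actor": {"email": "frontdesk@example-clinic.org"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Session notes - patient 4471"},
                                {"name": "target_user", "value": "j.doe.family@gmail.com"},
                                {"name": "visibility", "value": "private"}]}]},
    {"id": {"time": "2026-01-15T09:12:45.000Z", "applicationName": "drive"},
     "actor": {"email": "dr.lee@example-clinic.org"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Telehealth recording 2026-01-14"},
                                {"name": "visibility", "value": "people_with_link"}]}]},
    {"id": {"time": "2026-01-15T09:13:02.000Z", "applicationName": "drive"},
     "actor": {"email": "dr.lee@example-clinic.org"},
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_title", "value": "Telehealth recording 2026-01-14"}]}]},
]

if __name__ == "__main__":
    for check, result in review(SAMPLE_USERS, SAMPLE_ACTIVITIES).items():
        print(check, result)
```

In a real review the two lists would be fetched from the Directory API and Reports API with an admin-scoped service account, and the findings would go into the ticket or log entry that documents the review, which is the evidence OCR asks for when it audits "regular review" of audit controls.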
For organizations with staff accessing Google Workspace from home — which is most healthcare organizations now — our HIPAA training for remote healthcare workers covers exactly these scenarios with practical, role-specific guidance.
Can Google Meet Be Used for Telehealth?
Yes — but only under the right conditions. Google Meet, as part of a properly configured Google Workspace account with a signed BAA, can be used for telehealth sessions that involve PHI. Google encrypts Meet calls in transit, and recordings stored in Google Drive are encrypted at rest.
However, you need policies governing how clinicians use Meet. Can they record sessions? Where are recordings stored? Who has access? What happens if a patient joins from a shared device? These aren't hypothetical questions — they're the exact scenarios that lead to breaches.
During the COVID-19 public health emergency, OCR issued a notification of enforcement discretion allowing the use of non-compliant platforms for telehealth. That discretion expired on May 11, 2023, with a transition period that ended August 9, 2023. There is no grace period in 2026. If you're using any video tool without a BAA and proper safeguards, you're exposed.
What About Google Chat for Patient Communication?
Google Chat — the messaging tool inside Workspace — is covered under the BAA. But I rarely recommend it for direct patient communication. Patients don't typically have Google Workspace accounts, which means you'd need to manage external access carefully. Most organizations are better served by a dedicated patient messaging platform or a HIPAA-compliant portal.
For internal team communication about patients, Google Chat can work — if your data loss prevention rules are set, external sharing is locked down, and every user understands what they can and can't share. Our Working from Home & PHI course walks through messaging scenarios like these step by step.
The Mobile Device Problem Nobody Talks About
Here's what I see constantly: a clinic signs Google's BAA, configures the admin console correctly, trains the front desk staff — and then a physician checks Google Chat on a personal Android phone with no passcode, automatic screen lock disabled, and three kids who use the same device to watch YouTube.
Mobile devices are the most common gap in remote and hybrid healthcare environments. The HIPAA Security Rule's access control and device and media controls standards apply to every device that stores or reaches ePHI, and in practice that means screen lock, device encryption, and the ability to wipe a lost or stolen device. If your workforce accesses ePHI through Google Workspace on mobile devices, you need a mobile device management policy, the Workspace endpoint management settings to enforce it, and corresponding training.
Our Mobile Devices & PHI training was built specifically for this scenario. It covers smartphones, tablets, and the real-world situations that lead to reportable breaches.
Quick Answer: Is Google Hangouts HIPAA Compliant?
No. Google Hangouts was discontinued in 2022 and cannot be used for any purpose involving PHI. Google does not offer a BAA for Hangouts, and the service no longer functions. If your organization needs Google-based communication tools that can support HIPAA compliance, you must use Google Workspace (paid), sign the BAA through the Admin Console, configure all required security settings, and train your workforce on proper use. The platform alone does not equal compliance — your policies, configurations, and people make the difference.
Stop Searching for a Compliant Tool. Start Building a Compliant Organization.
The question "is Google Hangouts HIPAA compliant" tells me something important about the person asking it. They're looking for a tool that solves compliance for them. That tool doesn't exist. Not from Google, not from anyone.
HIPAA compliance is an organizational responsibility. The right platform — properly configured, properly governed, and supported by a trained workforce — is one piece of a much larger puzzle. The covered entity bears the risk. OCR doesn't fine Google when your therapist shares a screen with PHI visible to the wrong participant. They fine you.
If your team is using any communication tool to discuss, transmit, or store PHI, start with the fundamentals. Get the BAA signed. Configure the safeguards. And invest in workforce training that's specific to how your people actually work — at home, on mobile devices, across platforms. Browse our full HIPAA training catalog to find the right fit for every role in your organization.