Google Hangouts is not HIPAA compliant, and it no longer exists as an active product. Google retired Classic Hangouts and replaced it with Google Chat, which can support HIPAA compliance, but only under a paid Google Workspace account with a signed Business Associate Agreement (BAA) and specific security configurations in place.
If you’re a healthcare provider or organization that was using Hangouts, here’s what you need to know about the transition and what it takes to use Google’s current messaging tools with protected health information (PHI).
Google Hangouts Has Been Retired
Google officially transitioned users away from Classic Hangouts, replacing it with Google Chat as the default messaging service. Google Chat handles text-based messaging, while Google Meet covers video calls. These are the two tools that now fill the role Hangouts once played. Any search for Hangouts’ compliance status is effectively a question about whether Google Chat and Meet can meet HIPAA requirements, and the answer depends entirely on how your organization sets them up.
Free Gmail Accounts Are Never Compliant
If you’re using a free @gmail.com account, Google will not sign a BAA with you, which means you cannot use any Google communication tool for PHI. A BAA is a legal contract required by HIPAA that makes Google responsible for safeguarding health information it processes on your behalf. Without one, any exchange of patient data through Google’s services is a HIPAA violation, regardless of how secure the underlying technology might be.
HIPAA compliance through Google requires a paid Google Workspace subscription. Organizations need to contact their Google account manager to execute a BAA, which then covers specific Workspace services (including Chat and Meet) that Google designates as eligible.
What a BAA Actually Covers
Google’s BAA doesn’t blanket every feature in Workspace. It applies only to “Covered Services,” a specific list Google maintains and updates. Google Chat and Google Meet are on that list, but the BAA alone doesn’t make your organization compliant. Google’s own documentation is clear: the organization that signs the BAA is responsible for building a compliant solution using the approved services. Signing the agreement is step one of a much longer process.
Security Built Into Google’s Infrastructure
Google does provide strong baseline security for data moving through its systems. All data in transit between your device and Google’s servers is encrypted using TLS, implemented through BoringSSL, Google’s open-source TLS library. The cryptographic core is validated to the federal FIPS 140-3 Level 1 standard.
Once data is inside Google’s network, it’s further protected by a system called ALTS, which authenticates and encrypts traffic between Google’s internal services. ALTS uses AES-128-GCM encryption by default for service-to-service traffic, with AES-256 encryption at the lowest storage layers. Where available, Google also offloads encryption to specialized network hardware for added performance and security.
This encryption is robust, but encryption alone does not satisfy HIPAA. The law requires a combination of administrative, technical, and physical safeguards that go well beyond encrypting messages in transit.
Admin Settings That Must Be Configured
Google’s own HIPAA implementation guide outlines a series of administrative controls that Workspace admins need to enable before Chat can be used with PHI. These aren’t optional best practices. They’re the configurations that close the gap between Google’s baseline security and actual HIPAA compliance.
- Limit who can use Chat. Admins can enable Chat selectively for specific organizational units rather than the entire domain, keeping PHI-related messaging confined to authorized staff.
- Disable third-party apps. Chat apps and bot integrations should be turned off for users who handle PHI. These integrations can create unmonitored data flows that fall outside your BAA.
- Set up data loss prevention (DLP) rules. DLP rules can scan outgoing messages for patterns that look like PHI (Social Security numbers, medical record numbers) and block or flag them before they leave controlled channels.
- Restrict external sharing. Default file visibility should be set to “Private to the owner,” and external sharing of documents, calendars, and Shared Drives should be locked down for anyone handling patient information.
- Enable audit logging. Admin and user activity logs should be active and ideally forwarded to a centralized security monitoring system for alerts and incident tracking.
These settings need to be documented, reviewed, and maintained. Google recommends using formal change management for Chat policies, DLP rules, and retention settings, with documented approvals for any modifications.
How to Handle PHI in Google Chat
Even with all the right settings enabled, how your staff actually uses Chat matters. The safest approach is to minimize PHI in messages as much as possible. Use patient IDs or case numbers instead of full names, dates of birth, or diagnosis details when communicating through Chat. Never put PHI in space names, status messages, or conversation titles, since these are visible in ways that may bypass your access controls.
When files containing PHI need to be shared, use Google Drive links with the most restrictive permissions possible rather than pasting raw patient data directly into a message. Care coordination conversations should happen in private, membership-controlled spaces where you review who has access on a regular basis.
Google also notes that new members added to Chat Spaces can see previous chat history, which means any PHI shared in a space becomes visible to anyone granted access later. Users should delete chat messages containing PHI when they’re no longer needed for the conversation.
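The DLP rule described earlier (scan outgoing messages for SSN or medical record number shapes and block or flag them) and the advice above to reference patients by case number rather than identifiers can be illustrated together. The following is an added example, not Google's own DLP engine or any code from Workspace: Workspace DLP is configured in the admin console, and this standalone Python scanner only shows the kind of pattern logic such a rule encodes. The SSN shape is the real US format and the plausibility check uses the Social Security Administration's never-issued ranges; the MRN and DOB shapes, the sample messages, and the block/flag policy are assumptions constructed for this example, since every institution's identifier format differs and a production rule would be tuned to it.

```python
import re
from dataclasses import dataclass, field

# Patterns that look like PHI. The SSN shape is the real US format; the MRN
# and DOB shapes are ASSUMED for this example and would be adjusted to the
# institution's own identifier formats.
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "mrn": re.compile(r"\bMRN[-:\s]*(\d{6,10})\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE),
}

# Assumed policy: "block" stops the message outright, "flag" lets it through
# but raises an alert for review (dates alone are often appointment times).
SEVERITY = {"ssn": "block", "mrn": "block", "dob": "flag"}


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit groups the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000) so that vendor or ticket numbers with the same
    shape do not trigger a block."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class ScanResult:
    verdict: str                                   # "allow", "flag" or "block"
    findings: list[tuple[str, str]] = field(default_factory=list)
    redacted: str = ""                             # masked copy, safe to write to an audit log


def scan_message(text: str) -> ScanResult:
    """Scan one outgoing chat message and decide whether it may leave."""
    findings: list[tuple[str, str]] = []
    redacted = text
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "ssn" and not plausible_ssn(*m.groups()):
                continue
            findings.append((kind, m.group(0)))
            # Mask the match so the alert record itself does not carry PHI.
            redacted = redacted.replace(m.group(0), f"[{kind.upper()} REDACTED]")
    levels = {SEVERITY[kind] for kind, _ in findings}
    verdict = "block" if "block" in levels else "flag" if "flag" in levels else "allow"
    return ScanResult(verdict, findings, redacted)


# Constructed sample messages (not real patient data).
SAMPLE_MESSAGES = [
    "Please review case #4471 before the 3pm huddle.",
    "Patient J. Doe, SSN 123-45-6789, needs labs re-run.",
    "Chart update for MRN 00812345, DOB 04/12/1961",
    "Ticket 000-12-3456 is the vendor reference number, not a patient.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = scan_message(msg)
        # Log only the redacted form; the findings list names the type, not the value.
        print(f"{result.verdict:5s} {[k for k, _ in result.findings]} | {result.redacted}")
```

The first message, which refers to a case number only, passes unchanged, which is the usage pattern recommended above. The last message has an SSN-shaped string with an impossible area number and is allowed through, showing why a plausibility check belongs next to the regex. The redacted copy is what should reach the centralized log or alert, so the monitoring pipeline does not become another store of PHI outside the BAA.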
Device and Access Requirements
HIPAA compliance extends to every device that accesses PHI. Any laptop or mobile phone used to access Google Chat must be enrolled in your organization’s device management system. At minimum, you need to enforce screen locks, full-disk encryption, and up-to-date operating system patches on all endpoints.
Session timeouts should be configured so that inactive devices require reauthentication before accessing sensitive tools. Admin access to Workspace should follow the principle of least privilege, with separate roles for configuration, investigations, and approvals. Google’s implementation guide recommends reviewing these access privileges quarterly.
Your organization also needs an incident response plan that specifically addresses Chat. This means defining what triggers an investigation (a DLP alert, a suspicious login), who triages it, how affected accounts get locked down, and how evidence is preserved for potential breach notification requirements.
The Bottom Line on Compliance
Google Chat and Meet can be used in a HIPAA-compliant way, but only within a paid Google Workspace account, with a signed BAA, and with a substantial set of administrative and technical controls properly configured and maintained. The free consumer version of any Google product is never an option for PHI. If your organization was previously using Hangouts for patient communication without these safeguards, that use was not compliant, and migrating to Chat without implementing the full set of controls won’t fix the problem.