Back to Blog

Is Google Meet HIPAA Complaint? Here's How to Create a Self-hosted Alternative with Convox

By Brian Galura -

Is Google Meet HIPAA Complaint? Here’s How to Create a Self-hosted Alternative with Convox

HIPAA act (1996) – since the time it was enacted – has been phenomenal legislation for healthcare organizations and the third-parties related to the medical field. Becoming HIPAA compliant can save doctors, optometrists, pharmacies, dentists, insurance service providers, lawyers, MSPs, and hospitals from lawsuits, data breaches, and other troubles.

Now that adhering to HIPAA standards (or similar location-specific law) is a compulsion, you must be looking for a compliant video conferencing option and wondering if Google Meet is the one. We have answered the question in this article and have introduced a better alternative in this article. Have a look.

Is Google Meet HIPAA Compliant?

Yes, and no.

No, because Google Meet is NOT HIPAA-compliant by default.

Suppose you use this video-conferencing tool without adopting it in a suggested manner and communicate with your clients, patients, or someone sharing his/her protected health information (PHI) with you to receive some services.

In this scenario, you are not fully HIPAA compliant with Google Meet in this scenario. It may lead to troubles later on.

Yes, if you modify the default settings and complete a few more steps, you can make Google Meet work HIPAA-compliant. How? Well, read the next section of this article to understand the same.

Can you use Google Meet in a HIPAA-compliant way?

Yes, you can. Just follow these steps:

  • First, you must become a Google Workspace user. It is a premium product, and you must opt for a pricing plan (or start a free trial) to begin with it.
  • You must sign a BAA (Business Associate Addendum) with Google to begin your journey toward becoming a HIPAA-compliant organization/individual. Here are its terms.
  • Update various Google Workspace or Hangouts Meet settings, as explained in the next section.

How to set up Google Meet for HIPAA compliance?

Now that you are a Google workspace user with BAA signed, you just need to take a few more steps to become a HIPAA-compliant Google Meet user. Steps are:

  • Make Google Meet your default option for digital video meet-ups in the Google workspace. Do it from Google Calendar > Settings > Event Settings and select the last checkbox in the section ‘Automatically add Google Meet Video Conferences to events I create.’ Google Calendar

  • You can (optionally) choose to allow session recording for the meeting owners.

  • Enable Private Invites only. It will ensure that your meeting with the patient (or the owner of PHI) is fully private, and no public attendee can access it just because he somehow gained access to the meeting link.

  • If your calendar is public, make sure to display the meeting status (e.g., busy) rather than showcasing full meeting details to every visitor/viewer.

Besides completing the above steps, ensure that you appropriately use Google Meet and follow all norms specified in the compliance.

What makes Google Meet a Less Preferred Choice for HIPAA

Though we can make Google’s video-conferencing software follow all rules and settings, it still does not make sense for most healthcare (or related) businesses to use Meet. Reasons are -

  • It is not self-hosted, which means you have limited control over the meetings and meeting data. Adding custom features is not possible in this case.
  • Signing up for Google Workspace is necessary. Now, users must pay more while using the features which are almost identical to G-suite. Therefore, Google Workspace, with HIPAA Included Functionality for its various tools, including Google Meet, is costlier.
  • Most businesses wish to host their PHI data in self-hosted storage instead of using Google Cloud.

Why use NextCloud + Convox as a Google Meet alternative?

Till now, you must have understood that Google Meet is neither the best nor the free option for your HIPAA-compliant setup. So, let us discuss a more capable alternative: NextCloud configured with Convox.

What makes the duo the best Google Meet alternative is the fact that you will be able to configure a self-hosted, more secure, and more flexible environment using the NextCloud + Convox. Here is a quick overview of the functionalities both solutions will enable for you:

Convox

It is an easy-to-configure PaaS solution that allows you to add your infrastructure. You can add your server (AWS, Microsoft Azure, DigitalOcean, or Google Cloud).

Self-hosting your Cloud infrastructure on Convox is a good strategy because the PaaS platform is HIPAA compliant. From audit trials to secrets management, encryption, role-based access control, and 2FA - there is a lot that helps you build a HIPAA-compliant environment with its help.

NextCloud

NextCloud is an open-source file-sharing and collaborating solution that lets remote teams function together. Emailing, contact book, calendar, file sharing, calls, chats, collaborating on files, task management, file synchronization, and web meetings.

As the solution lets you leverage full data encryption, group management, change tracking, and other features essential for complying with HIPAA.

When used with Convox in your AWS or self-hosted Cloud instance, it will cost you much less than Google Workspace while enabling multiple benefits over Google Meet.

Alternatively, you can try Jitsi Meet. It is another self-hosted solution that allows video conferencing and comes with an E2EE feature. However, becoming HIPAA compliant is a tough task with it too. Here’s how to do it.

Creating a Self-hosted Google Meet alternative with Convox

Note: We are going to configure NextCloud on AWS and expect that you complete the AWS deployment steps beforehand. Please follow the AWS integration guide and AWS deployment guide in case you are just getting started with Convox.

In Convox CLI, for your AWS instance, run the following commands:

  1. Install the NextCloud in your Cloud environment.

sudo snap install nextcloud

  1. Create an admin account and set its credentials for future use.

sudo nextcloud.manual-install <admin_uname> <admin_pwd>

  1. The accepted domain for NextCloud is localhost by default. So, you must add your custom domain to its trusted domains list.

sudo nextcloud.occ config:system:get trusted_domains sudo nextcloud.occ config:system:set trusted_domains 1 –value=

  1. Set a memory limit for PHP program execution. 512 MB is ideal (minimum).

sudo snap set nextcloud php.memory-limit=512M

  1. If you wish to run cron jobs, such as mailbox auto-refresh, RSS feed updation, etc. (which is recommended), you should set an interval for automated execution of the background jobs.

sudo snap set nextcloud nextcloud.cron-interval=10m # Default: 15m

  1. After following the above steps, NextCloud will work on your custom domain. However, if your domain is not SSL-enabled, consider getting an SSL certificate. You can go for Let’s Encrypt.

  2. Now, Log in to your NextCloud dashboard. Click on your Profile icon and select Apps as your option. Under the Disabled Apps, you will see apps ‘Default encryption module’ and ‘External Storage Support.’ Enable these two apps. NextCould Dashboard

  3. Go to Administration > Security > Server-side encryption and enable server-side encryption using the default encryption module.

  4. Next, define your policy for your S3 bucket and go to your AWS IAM dashboard, thereafter. From this dashboard, you can edit your policy, review it, and apply it.

  5. Create an IAM user and configure the AWS S3 folder from the dashboard.

That’s it. Your HIPPA-compliant Google Meet alternative setup is ready to use.

Conclusion

Though it is possible to have a HIPAA-compliant Google Meet on board after altering a few settings, Google adding this solution to Google Workspace has made it a costly pick for small organizations (and a less flexible one for enterprises). So, a self-hosted solution like NextCloud or Jitsi makes a much better choice.

Further, you must also ensure that you configure your collaboration or video conferencing tool on a cloud, hosted on a HIPAA-compliant platform like Convox.

We hope the article walked you through all the needed steps required to configure the self-hosted Google Meet alternative, NextCloud. Now you can move to the next point in your checklist while on your journey to becoming HIPAA-compliant.