Use Google Voice for UCSF Business

Patrick Phelan's picture

Google Voice (GV) provides many convenient telephony features that empowers the mobile workforce to communicate more effectively. However, due to regulatory requirements, it must not be used for UCSF business.

The primary issue is that the all user-created data is stored by Google, with whom UCSF does not have a HIPAA Business Associate Agreement (BAA), UC Data Security Appendix, or contract which satisfies the variety of regulatory and compliance requirements governing UCSF.

This presents the risk that UCSF data could be breached, and UCSF would have no legal recourse.


Caveats to using GV for UCSF Business


    Under certain limited circumstances, it may be acceptable to use GV where it would only be used for fully public, non-internal/protected/confidential data. This would require an exception to UCSF Minimum Security Standards and would be reviewed on a case-by-case basis.

    In these situations, GV should be configured to retain as little data as possible:

    • Do not use your personal Google account for UCSF business.
    • Disable automatic transcription of voicemail messages.
    • Delete call logs (voicemail, SMS, recorded, placed, received and missed) and empty trash within GV frequently (weekly, at a minimum).
    • Delete voicemails left on Google Voice after you have listened to them.
    • Do not forward SMS, recorded phone calls, or transcribed voicemails from GV to anywhere.