Is Signal HIPAA Compliant?

by | Jul 17, 2023

Signal is a secure communications platform that is similar in look and feel (and logo) to WhatsApp. In head-to-head comparisons between the two platforms, Signal frequently comes out on top for being the most secure and for not collecting user data. But does this make Signal HIPAA compliant?

Signal and WhatsApp have been around for a similar length of time, but the fortunes of the two platforms could not be further apart. According to Statista, Signal currently has around 40 million users worldwide, while WhatsApp has around 2 billion users worldwide. Therefore, it is fifty times more likely that a contact is using WhatsApp than Signal.

Nonetheless, Signal is regarded by security experts as the more secure of the two platforms because its open source software is more trustworthy, and because WhatsApp sends user data to its parent company, Meta. It has previously been established that WhatsApp is not HIPAA compliant, but does the added security make Signal HIPAA compliant?

Is Signal HIPAA Compliant? Unfortunately Not.

One of the problems with being similar to WhatsApp is that Signal lacks the same capabilities required for any communications platform to be HIPAA compliant. The missing capabilities include (but are not limited to) automatic logoff, user authentication, audit controls, remote data deletion, and user termination when a member of the workforce leaves.

Because of the lack of these capabilities – and despite not having access to the content of encrypted user messages – Signal will not enter into a Business Associate Agreement with a covered entity or other business associate. This makes it impossible for a healthcare organization to create, receive, maintain, or transmit ePHI via Signal – with one exception.

The Confidential Communications Requirement

Under §164.522(b) of the Privacy Rule, patients have the right to request confidential communications via a channel of their choice. Because of Signal’s superior security capabilities and features such as “self-destruct messages”, the platform is an ideal channel for an individual living in a hostile environment who wants – or needs – to keep health information private.

Covered entities are required to accommodate requests for confidential communications when they are reasonable. As Signal is a free-to-use VoIP platform, it would be unreasonable to decline such a request. However, it is advisable to inform the individual of the risks associated with using a non-compliant communication channel and to document the warning before complying with the request.

Conclusion: Should Not Be Used to Transmit ePHI

Because Signal does not have the capabilities to comply with the Security Rule, and because Signal will not enter into a Business Associate Agreement to comply with the Privacy Rule, Signal is not HIPAA compliant. Therefore, the platform should not be used to transmit ePHI except on occasions when a patient requests confidential communication via Signal.

Members of a covered entity’s workforce need to be alerted to this exception during HIPAA training to avoid complaints being made to HHS’ Office of Civil Rights by patients who have been unable to exercise their HIPAA rights. If your organization experiences challenges in making sure this message gets across to members of the workforce, you should seek expert compliance advice.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan’s professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organizations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.