Signal is an end-to-end encrypted messaging platform that is similar in look and feel (and logo) to WhatsApp. In head-to-head comparisons between the two, Signal frequently comes out on top for being the more secure and for collecting the least user data. But does this make Signal HIPAA compliant?
Signal and WhatsApp have been around for a similar length of time, but the fortunes of the two platforms could not be further apart. According to Statista, Signal currently has around 40 million users worldwide, while WhatsApp has around 2 billion. On those figures, a given contact is roughly fifty times more likely to be on WhatsApp than on Signal.
Nonetheless, security experts generally regard Signal as the more secure of the two platforms, because its client and server code are open source and can be independently audited, and because WhatsApp shares account and usage metadata with its parent company, Meta. It has previously been established that WhatsApp is not HIPAA compliant, but does the added security make Signal HIPAA compliant?
Is Signal HIPAA Compliant? Unfortunately Not.
Being similar to WhatsApp brings a similar problem: Signal lacks the administrative and technical safeguards that the Security Rule requires of any communications platform used for ePHI. The missing capabilities include (but are not limited to) automatic logoff, centrally managed user authentication, audit controls, remote data deletion, and the ability to terminate a user's access when a member of the workforce leaves.
Because of these missing capabilities, and even though it has no access to the content of encrypted user messages, Signal will not enter into a Business Associate Agreement with a covered entity or other business associate. Without a BAA, a healthcare organization cannot use Signal to create, receive, maintain, or transmit ePHI, with one exception.
The Confidential Communications Requirement
Under §164.522(b) of the Privacy Rule, patients have the right to request that a covered entity communicate with them confidentially by a means or at a location of their choosing. Because of Signal's strong security and features such as disappearing messages, the platform is a natural choice for an individual whose household, workplace, or other surroundings are hostile and who wants, or needs, to keep their health information private.
Covered entities are required to accommodate such requests when they are reasonable. As Signal is a free messaging and voice platform that costs the covered entity nothing to use, declining such a request would be hard to justify as reasonable. It is nonetheless advisable to inform the individual of the risks of using a non-compliant communication channel, and to document that warning, before complying with the request.
Conclusion: Should Not be Used to Transmit ePHI
Because Signal lacks the capabilities needed to comply with the Security Rule, and because Signal will not enter into the Business Associate Agreement the Privacy Rule requires, Signal is not HIPAA compliant. The platform should therefore not be used to transmit ePHI, except on those occasions when a patient requests confidential communications via Signal.
Members of a covered entity's workforce need to be made aware of this exception during HIPAA training, so that patients who are unable to exercise their rights do not end up filing complaints with HHS' Office for Civil Rights. If your organization has difficulty getting this message across to members of the workforce, seek expert compliance advice.