WhatsApp is a popular cross-platform video, messaging, and VoIP service. Since 2016, the service has supported end-to-end encryption and, since 2021, encrypted backups. These capabilities fulfil key requirements of the HIPAA Security Rule, but are they enough to make WhatsApp HIPAA compliant?
The answer to the question “Is WhatsApp HIPAA compliant?” is “No”. Despite the service having suitable encryption and backup capabilities, it lacks several other capabilities required by the Technical Safeguards of the HIPAA Security Rule (§164.312), such as user authentication and audit controls.
These shortcomings mean anybody with access to a device onto which WhatsApp has been installed (i.e., a workstation with WhatsApp for Desktop) can use the service without there being a record of who the person was, who they communicated with, and what information was disclosed.
Additionally, electronic PHI disclosed in WhatsApp communications cannot be remotely deleted if a mobile device is lost or stolen, and – because business WhatsApp accounts are linked to a phone number – there is no way to terminate user access by ID when a member of the workforce leaves.
Is WhatsApp HIPAA Compliant if Meta Signs a BAA?
Some software service providers claim it is not necessary for them to comply with HIPAA and sign a Business Associate Agreement (BAA) if they cannot access electronic PHI. However, HHS has issued guidance (see Question 2) that a software service provider with “no view” access is still subject to HIPAA if they create, receive, store, or transmit electronic PHI, and therefore required to sign a BAA.
Meta – WhatsApp’s parent company – will not sign a HIPAA Business Associate Agreement. This is because its Business Terms state “we make no representations or warranties that our business services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”
In this respect, Meta/WhatsApp does not comply with the Privacy Rule requirement (in §164.504(e)) to “obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person”. Therefore, WhatsApp should not be used to create, receive, maintain, or transmit electronic PHI.
Can WhatsApp Ever be Used in Healthcare Environments?
Despite WhatsApp failing to meet the requirements to be HIPAA compliant, there are two scenarios in which WhatsApp can be used in healthcare environments. The first is when the service is used to send and receive communications that do not include electronic PHI – for example, to arrange, confirm attendance at, or provide feedback on HIPAA training.
The second scenario is when a patient exercises their right under §164.522(b) to request confidential communications via WhatsApp. Due to recently added privacy enhancements such as fingerprint lock, view once, and disappearing messages, patients can ensure WhatsApp communications about sensitive health issues remain confidential in hostile households.
However, before agreeing to a patient’s request of this nature (which must be made in writing), healthcare providers should warn patients of the risks of using WhatsApp, document the warnings, and document that the patient wishes to proceed with confidential communications via WhatsApp despite the warnings that the service is not HIPAA compliant.