Is WhatsApp HIPAA Compliant?

by Ryan Coyne | Jul 3, 2023

WhatsApp is a popular cross-platform video, messaging, and VoIP service. Since 2016, the service has supported end-to-end encryption and, since 2021, encrypted backups. These capabilities fulfil key requirements of the HIPAA Security Rule, but are they enough to make WhatsApp HIPAA compliant?

The answer to the question “Is WhatsApp HIPAA compliant?” is “No”. Despite the service having suitable encryption and backup capabilities, it lacks several other capabilities required by the Technical Safeguards of the HIPAA Security Rule (§164.312), such as unique user authentication and audit controls.

These shortcomings mean anybody with access to a device onto which WhatsApp has been installed (i.e., a workstation with WhatsApp for Desktop) can use the service without there being a record of who the person was, who they communicated with, and what information was disclosed.

Additionally, electronic PHI disclosed in WhatsApp communications cannot be remotely deleted if a mobile device is lost or stolen, and – because business WhatsApp accounts are linked to a phone number – there is no way to terminate user access by ID when a member of the workforce leaves.

Is WhatsApp HIPAA Compliant if Meta Signs a BAA?

Some software service providers claim it is not necessary for them to comply with HIPAA and sign a Business Associate Agreement (BAA) if they cannot access electronic PHI. However, HHS has issued guidance (see Question 2) that a software service provider with “no view” access is still subject to HIPAA if they create, receive, store, or transmit electronic PHI, and therefore required to sign a BAA.

Meta – WhatsApp’s parent company – will not sign a HIPAA Business Associate Agreement. This is because its Business Terms state “we make no representations or warranties that our business services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”

In this respect, Meta/WhatsApp does not comply with the Privacy Rule requirement (in §164.504(e)) to “obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person”. Therefore, WhatsApp should not be used to create, receive, maintain, or transmit electronic PHI.

Can WhatsApp Ever be Used in Healthcare Environments?

Despite WhatsApp failing to meet the requirements to be HIPAA compliant, there are two scenarios in which WhatsApp can be used in healthcare environments. The first is when the service is used to send and receive communications that do not include electronic PHI – for example, to arrange, confirm attendance at, or provide feedback on HIPAA training.

The second scenario is when a patient exercises their right under §164.522(b) to request confidential communications via WhatsApp. Due to recently added privacy enhancements such as fingerprint lock, view once, and disappearing messages, patients can ensure WhatsApp communications about sensitive health issues remain confidential in hostile households.

However, before agreeing to a patient’s request of this nature (which must be made in writing), healthcare providers should warn patients of the risks of using WhatsApp, document the warnings, and document that the patient wishes to proceed with confidential communications via WhatsApp despite the warnings that the service is not HIPAA compliant.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan’s professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
