Is WhatsApp HIPAA Compliant?

WhatsApp is not HIPAA compliant and should not be used for sending or receiving Protected Health Information (PHI), except when complying with patients’ requests to receive communications via a channel of their choice.

WhatsApp is not HIPAA compliant because the popular messaging service lacks the controls required to ensure the confidentiality, integrity, and availability of PHI. It is not possible to make WhatsApp HIPAA compliant by integrating additional controls. In addition, WhatsApp’s owner – Meta – will not enter into Business Associate Agreements with covered entities.

While this means organizations cannot use WhatsApp for healthcare activities such as billing, exchanging patient information, and receiving test results, it does not mean WhatsApp cannot be used at all in a healthcare environment. Potential uses include organizing workforce schedules, making policy announcements, and following up on HIPAA training.

Healthcare providers are also required by §164.522(b) of the Privacy Rule to accommodate patients’ reasonable requests to receive confidential communications via a channel of their choice. If a patient were to request confidential communications via WhatsApp, it would be unreasonable for the healthcare provider to deny the request – even if it meant sending and receiving PHI via a non-compliant channel of communication.

Can Healthcare Providers Send Non-Compliant Communications?

The Privacy Rule clause is one of the few occasions when it is permitted to send PHI via a non-compliant channel of communication (others include emergency situations and when a valid authorization exists to send PHI to a third party via non-compliant channels of communication). In addition, HHS has published guidance about what to do in such circumstances.

The guidance allows healthcare providers to send non-compliant communications provided they “apply reasonable safeguards when doing so”. In the context of making communications via WhatsApp HIPAA compliant, reasonable safeguards could include:

  • Implementing access controls on devices used to send WhatsApp messages,
  • Ensuring PHI remaining on a device after a message has been sent is deleted, and
  • Limiting PHI disclosed in a WhatsApp message to the minimum necessary to achieve the purpose of the disclosure.

If a patient has initiated a conversation via WhatsApp, and the conversation results in the receipt of PHI, healthcare providers must transfer the PHI to a secure record set and delete it from the device on which it was received. It is also advisable to obtain a written “affirmative opt-in” from the patient to continue communicating via WhatsApp regardless of whether future communications include uses and disclosures of PHI.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years’ experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA