Is WhatsApp HIPAA Compliant?
The Health Insurance Portability and Accountability Act (HIPAA) mandates that organizations working in healthcare must safeguard protected health information (PHI). There must be physical, technical, and administrative safeguards in place to protect PHI. Efficient business processes, especially means of communication, are important to any organization. This has led many organizations to use SMS messaging as well as other text messaging platforms to communicate, making people wonder about WhatsApp compliance.
WhatsApp has grown in popularity since it added end-to-end encryption to its service, but is WhatsApp HIPAA compliant?
Why Isn’t WhatsApp HIPAA Compliant?
No messaging app can be considered HIPAA compliant out of the box, since safeguards are not standard for these apps. Although many messaging apps allow users to set stricter controls, the users can also reverse those controls. To be truly HIPAA compliant, those settings would have to be built into the app, with no ability for the user to change them.
To be HIPAA compliant, safeguards must ensure the confidentiality, integrity, and availability of PHI. As part of the law, access controls must be in place. Access controls limit who can access what information. In this regard, WhatsApp is not HIPAA compliant since the app is not password protected. Therefore, anyone who has access to the device the app is installed on will be able to access the app. This risks the confidentiality of PHI since messages can be easily accessed. In addition, notifications of new messages pop up on locked screens, giving anyone the ability to view at least part of the message. Although that feature can be turned off, many users aren’t aware of that fact.
In accordance with HIPAA, there must also be audit controls. Audit controls maintain records of communications. WhatsApp messages are saved to the device; however, if the app is deleted or a user switches devices, the messages do not transfer over. Messages and attachments sent through WhatsApp are not backed up. Once a message is received, WhatsApp servers do not store the information; undelivered messages are stored for only 30 days before they are deleted.
Additionally, many users have WhatsApp installed on their personal devices. Employees who no longer work for an organization would need to have their WhatsApp data wiped. Currently, there is no way to do so remotely; devices would have to be wiped manually. Even if a user agreed to do so, it would be difficult to determine which data should be deleted, and users would be unlikely to agree to wiping all of their messages.
Vendors that have access to PHI must sign a business associate agreement (BAA). Since WhatsApp uses end-to-end encryption, it is unclear whether it would need to sign a business associate agreement. Messaging services that hold a key to decrypt messages would need to sign a BAA, as they have the means to access the data. However, WhatsApp does not divulge whether it has the means to decrypt messages.
WhatsApp is not HIPAA compliant and cannot be used to transmit PHI. It does not have the proper safeguards in place to protect this sensitive information. Healthcare organizations may use WhatsApp to communicate basic information or de-identified data, but to maintain HIPAA compliance, PHI cannot be sent using the messaging platform.
Need Assistance with HIPAA Compliance?
Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our software will guide you through our implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.