HIPAA Compliant Software Usage
Under HIPAA, any application or software company whose product “touches” (creates, receives, maintains, or transmits) protected health information (PHI) is considered to be a business associate. For HIPAA compliant software use, there must be technical and administrative safeguards to secure PHI that is transmitted, stored, received, maintained, or created through the software. Additionally, there must be a signed business associate agreement between a covered entity and the business associate before the platform can be utilized in conjunction with PHI.
Just because applications and software have features that meet the standards of the HIPAA Privacy Rule and Security Rule does not guarantee HIPAA compliance. End-users are responsible for ensuring that they are using the platform in a HIPAA compliant manner.
Is Signal HIPAA Compliant: Security and Privacy
According to Signal, text messages, phone calls, and video calls are 100% encrypted between Signal users, and no private data is stored on their servers. However, there are other factors that must be considered.
The 100% encryption is only present when a message is sent between Signal app users. Android users can choose to make Signal their default messaging app, but messages and calls to individuals who are not using the app are not encrypted.
Furthermore, the setup process for Signal involves automated verification using a non-encrypted system. Phone numbers are stored in order to send messages and complete calls. The system also has the ability to send attachments that may not be fully protected.
Is Signal HIPAA Compliant: Business Associate Agreement
A careful search of the Signal website does not list any provisions for business associate agreements (BAAs). HIPAA rules and regulations clearly state that a BAA must be signed before PHI is transferred. Based upon that alone, Signal does not appear to be HIPAA compliant.
Except…
Because of the COVID-19 pandemic, HHS announced a “notification of enforcement discretion” designating a period of relaxed enforcement of many of the rules related to telehealth options, specifically regarding “non-public facing” remote communication products.
A “non-public facing” remote communication product is one that, as a default, allows only the intended parties to participate in the communication. Most of the products offer end-to-end encryption. Along with services like Zoom, iMessage, and Facebook Messenger, Signal was specifically named by the HHS Office for Civil Rights in an FAQ on March 20, 2020, as an example of a “non-public facing” service with encryption, individual user accounts, and password protection.
The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based on the latest facts and circumstances.
Currently, Signal appears to be allowed, but users should look for other HIPAA compliant methods for messaging and communications in preparation for the end of the public health emergency.