Is Signal HIPAA Compliant: Security and Privacy
According to Signal, text messages, phone calls, and video calls between Signal users are end-to-end encrypted, and the service retains only minimal account metadata on its servers (the registered phone number, the account creation date, and the date of last connection) rather than message content. However, there are other factors that must be considered.
End-to-end encryption applies only when a message is sent between Signal app users. Android users can choose to make Signal their default messaging app, but messages to individuals not using the app are then sent as ordinary SMS/MMS, which carry no encryption at all, and calls can only be placed to other Signal users.
Furthermore, the setup process for Signal involves automated verification of the phone number by SMS or voice call, neither of which is encrypted. Phone numbers are stored because they serve as the account identifier needed to route messages and calls. Attachments exchanged between Signal users are end-to-end encrypted in transit, but once saved to a device's storage or forwarded outside the app they are no longer under Signal's protection.
Is Signal HIPAA Compliant: Business Associate Agreement
A careful search of the Signal website does not list any provisions for business associate agreements (BAAs). HIPAA rules and regulations clearly state that a covered entity must have a signed BAA in place before it discloses PHI to a business associate. Based upon that alone, Signal does not appear to be HIPAA compliant.
Because of the COVID-19 pandemic, HHS announced a “notification of enforcement discretion” designating a period of relaxed enforcement of many of the rules related to telehealth options, specifically regarding “non-public facing” remote communication products.
A “non-public facing” remote communication product is one that, as a default, allows only the intended parties to participate in the communication. Many of these products offer end-to-end encryption. Along with services like Zoom, iMessage, and Facebook Messenger, Signal was specifically named by the HHS Office for Civil Rights in an FAQ on March 20, 2020, as an example of a “non-public facing” service with encryption, individual user accounts, and password protection.
The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based on the latest facts and circumstances.
Currently, Signal appears to be permitted under that enforcement discretion, but the discretion does not make Signal HIPAA compliant, and users should look for other HIPAA compliant methods for messaging and communications in preparation for the end of the public health emergency.