Is Facebook Messenger HIPAA compliant? Could it be used by healthcare organizations as the messaging service for sending protected health information (PHI) without breaking HIPAA Rules?
A lot of physicians and nurses use chat platforms for communication, however is it appropriate to use these platforms for communicating PHI? Facebook Messenger is one of the most common chat platforms. But HIPAA covered entities shouldn’t use Facebook Messenger to send PHI without knowing if it is HIPAA compliant. Read this article first.
Any service that is used to send PHI should integrate security controls to make sure data are not intercepted in transit. One way to do this is to encrypt messages. Numerous chat platforms, Facebook Messenger included, encrypt information in transit, which means this part of HIPAA compliance is satisfied. However, Facebook Messenger’s encryption feature is optional and users must choose to enable it. So long as that setting has been turned on, viewing of the messages is limited to the sender and receiver only. Having said that, HIPAA compliance is not just about encrypting information in transit.
Access and authentication controls must be in place to guarantee only authorized persons can gain access to the program. Since Facebook Messenger users have no need to login every time they view messages on the mobile app, it is possible that unauthorized persons could view the messages, if, for example, a mobile phone was lost or stolen. Hence, there must be additional security controls when using apps like Facebook Messenger so that it could not be used by others in case of loss or theft.
HIPAA-covered entities need to ensure FB messenger has an audit trail. Any PHI delivered via a chat messaging platform should be retained. That means, certain hardware, software or procedural systems must be available to make sure any activity affecting PHI can be examined. It is hard to retain an audit trail on Facebook Messenger because of the lack of such system. In addition, no controls on FB messenger can stop messages from being removed by users.
The HIPAA Conduit Exception permits HIPAA-covered entities to deliver information by way of certain services even without a business associate agreement. For instance, a BAA is not required with the U.S. Postal Service or an Internet Service Provider (ISP). Those entities are considered as conduits.
However, the HIPAA Conduit Exception does not include cloud service providers. HHS says on its website, “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”
Facebook, as a result, should sign a BAA with a HIPAA-covered entity prior to using Facebook Messenger for communicating PHI. However, as of this writing, Facebook is not ready to sign yet a BAA for Facebook Messenger.
There is a messaging service called Workplace by Facebook that businesses can use to communicate internally. Is it HIPAA compliant? It is stated in The Workplace Enterprise Agreement under its prohibited data section that “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”
In summary, Facebook Messenger not HIPAA compliant because it operates without a BAA, and it does not have the appropriate audit and access controls. If you wish to start using a chat program for sharing PHI, the best option is to use a HIPAA-compliant messaging service that is developed particularly for the healthcare business. One example is TigerText. These healthcare text messaging services integrate all the required controls that make sure PHI can be delivered safely, and has audit controls, access controls and full end-to-end encryption.