Signal is not HIPAA compliant despite being an open-source messaging platform that encrypts all messages, calls, and media. From a technical standpoint, Signal’s encryption model provides strong privacy and security features that are important components of HIPAA’s requirements for electronic communications – but this is not enough to make Signal HIPAA compliant.
The reason Signal is not HIPAA compliant is that Signal offers its service only "per user": each account is tied to a single phone number, and there is no organizational tenant that a business can enrol its workforce into. Consequently there are no administrative controls for assigning unique user IDs (§164.312(a)(2)(i)), tracking user activity (§164.312(b)), or removing users' access when they leave the organization, as required by the termination procedures standard at §164.308(a)(3)(ii)(C) of the Security Rule.
Other capabilities the Signal platform lacks include automatic logoff, centralized backup (message history is stored only on the user's device), and remote data deletion in the event of a device being lost or stolen. Therefore, although end-to-end encryption ensures that only the sender and recipient of a message can view its contents (not even Signal can access them), Signal is not HIPAA compliant.
Because of these issues, Signal will not enter into a Business Associate Agreement – which would also be necessary to make Signal HIPAA compliant. However, this does not mean Signal cannot be used in healthcare environments. It means Signal cannot be used to create, collect, maintain, or transmit electronic PHI – except when requested by an individual exercising their HIPAA rights.
The Confidential Communications Exception
Under §164.522(b) of the Privacy Rule, individuals have the right to request that communications of PHI are sent and received "by alternative means or at alternative locations". Covered healthcare providers must accommodate all reasonable requests (health plans must do so when the individual states that disclosure by the usual means could endanger them), and §164.502(h) makes compliance with these confidential communications requirements a condition of every use or disclosure; as Signal is a free-to-use, encrypted messaging and calling channel, it would be hard to justify declining the individual's request as unreasonable.
There are several reasons why an individual may make such a request. They may be security conscious and not want their health information transmitted across insecure channels of communication such as unencrypted email or SMS, or features such as "disappearing messages" may enable them to keep details of their health private in a hostile environment, for example when another person has access to their device.
If a covered healthcare provider or health plan declines an individual's reasonable request to use Signal, the individual has the right to complain to HHS' Office for Civil Rights. Therefore, it is a best practice to advise the individual that Signal is not HIPAA compliant, document that advice, and, if the individual still wants to use Signal to send and receive ePHI, document the individual's decision as well.
Is Signal HIPAA Compliant? Conclusion
Because Signal lacks these other capabilities, its encryption model alone is not sufficient to make it HIPAA compliant. Therefore, the platform should not be used to create, collect, maintain, or transmit ePHI. The exception to this rule is when individuals exercise their HIPAA rights and request that communications are sent and received via Signal despite having been advised that Signal is not HIPAA compliant.
To avoid violations of HIPAA and complaints to HHS' Office for Civil Rights, members of covered entities' workforces should be trained on this exception and on the procedures for handling and documenting patient requests. If your organization encounters challenges with HIPAA training or with developing HIPAA-compliant policies and procedures, it is recommended that you seek professional compliance advice.