Is WhatsApp HIPAA Compliant?

HIPAAGuide.net

WhatsApp is not HIPAA compliant and should not be used to send or receive Protected Health Information (PHI) unless a patient requests confidential communications via WhatsApp or initiates a conversation via WhatsApp. In both circumstances, users must be trained to remove PHI from devices to protect the confidentiality, integrity, and availability of PHI.

WhatsApp is the most popular messaging service in the world. Because of its widespread use, WhatsApp is an effective communications tool that can be used in the healthcare industry to manage workforce schedules, share scientific research, and collaborate on clinical situations – provided communications between users do not impermissibly disclose PHI.

The reason for "impermissibly" being italicized is that, although it is not possible to make WhatsApp HIPAA compliant, there are circumstances in which healthcare providers can send or receive PHI without violating HIPAA. These circumstances occur often enough that workforce members should receive HIPAA training on how to manage them, and how to remove PHI from devices once "permissible" communications have been sent or received.

Why Isn't WhatsApp HIPAA Compliant?

WhatsApp is not HIPAA compliant for multiple reasons. For example, the free version of the platform does not allow healthcare providers to monitor logins, maintain audit trails, or terminate access to PHI as required by the HIPAA Security Rule. In addition, although the content of messages is encrypted, the metadata is not. WhatsApp can use and share the metadata with any third party under the Terms of Service.


While some capabilities required to make WhatsApp HIPAA compliant exist on the WhatsApp Business Platform, the Business Terms of Service state "We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities." For this reason, WhatsApp will not enter into a Business Associate Agreement with HIPAA regulated entities.

It is also important to be aware that, although messages are deleted from WhatsApp's servers once they have been delivered, WhatsApp is not exempt from HIPAA compliance under the Conduit Exception Rule. This is because, if it is not possible to deliver a message (for example, if the recipient is offline), the message remains on WhatsApp's servers for up to thirty days – during which time WhatsApp has "transient access" to the message and any PHI included in it.

Sending and Receiving PHI via WhatsApp

The circumstances in which it is permissible to send or receive PHI via WhatsApp are mostly limited to when a patient exercises their right to request confidential communications via WhatsApp, when a patient initiates a conversation via WhatsApp, or when a patient sends health data to a healthcare provider via WhatsApp. There is also an unlikely scenario in which a patient, in theory, could authorize that PHI is sent via an unsecure channel of communication.

With regards to requesting confidential communications that contain PHI via WhatsApp, the HIPAA Privacy Rule (§164.522(b)) requires healthcare providers to "accommodate reasonable requests". Due to the widespread use of WhatsApp, it would be considered unreasonable to deny a request to receive communications via WhatsApp. However, HIPAA covered entities are advised to document the request and ensure the patient understands WhatsApp is not HIPAA compliant.

With regards to a patient initiating conversations via WhatsApp or sending health data to a healthcare provider, the disclosure of PHI is not a HIPAA violation because the disclosure was not made by a covered entity. In such circumstances, it is permissible to reply to the patient via WhatsApp according to guidance published by HHS. However, the patient should be alerted to the risks of sending PHI via WhatsApp and offered a HIPAA compliant alternative channel of communication.

In all permissible circumstances, workforce members must be trained on how to manage and document requests for confidential communications and communications initiated by a patient. They must also be trained on how to remove PHI from devices once it has been sent or received via WhatsApp, and – when necessary – transferred to a secure location. Note: Apps used to transfer PHI from WhatsApp to a secure location must be HIPAA compliant.

Conclusion: Use WhatsApp with Caution

There are many benefits of using WhatsApp in healthcare, but also many risks. WhatsApp can help enhance workforce communication, intelligence, and collaboration, but it can also expose PHI to unauthorized access. In addition, WhatsApp does not integrate with other healthcare solutions, so any "permissible" uses of the platform require manual interactions – which can further increase the risk of unauthorized access due to human factors.

Healthcare organizations are advised to develop WhatsApp policies for all members of the workforce and train those likely to encounter patient requested or patient initiated communications on the procedures for managing and documenting the communications, and – when necessary – transferring PHI to a secure location. Healthcare organizations that need assistance developing policies and procedures should speak with an independent HIPAA compliance professional.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/