Is WhatsApp HIPAA Compliant?

When WhatsApp declared it was launching end-to-end encryption,  healthcare organizations became interested in the possibility of using the platform as a free secure messaging app, however the question “Is WhatsApp HIPAA compliant?” needs an answer.

Numerous healthcare personnel have been wondering if WhatsApp is HIPAA compliant, and certain healthcare professionals happen to be using the text messaging app now to transmit protected health information (PHI). While WhatsApp offers more protection compared to SMS messages or other text messaging systems, there are several reasons to believe that WhatsApp is not HIPAA compliant. Why?

First, you should know that no messaging platform or app can be absolutely HIPAA compliant, simply because HIPAA compliance isn’t about the software but about the users. Software could support HIPAA compliance and integrate all the required safety measures to make sure the confidentiality, integrity, and availability of ePHI, however those controls could very easily be jeopardized by users.

HIPAA doesn’t actually require the use of encryption as long as there is another, comparable measure that is applied in its place. Given that WhatsApp now comes with end-to-end encryption, this facet of HIPAA is satisfied.

Second, HIPAA also calls for the availability of access controls, which WhatsApp doesn’t have.  If WhatsApp is used on a smartphone, anybody who can get his hands on the device can see the messages in it without having to enter usernames or passwords. This means if there are any ePHI included in saved messages, it would be accessible as well. Extra security controls could be installed on the smartphone in order to authenticate users prior to accessing the device, however even with those controls, notifications of new messages can typically be seen without having to open WhatsApp or unlocking the smartphone.

Third, HIPAA also calls for audit controls, which WhatsApp does not have again. Messages and attachments received on the device can be easily deleted. No record of the delivered messages is retained within the WhatsApp system. To retain a back up of messages, it must be done manually. Now, if you change phones, you will still have your account, but the messages sent to your phone will not be retained.

Fourth, another issue is what will happen to ePHI in a WhatsApp account on a personal device if the user leaves the organization. There must be controls to make sure all communications that contain ePHI are completely deleted. The covered entity cannot delete any ePHI sent via WhatsApp remotely and users would probably not agree to the deletion of their WhatsApp.

There is some discussion regarding the need for a business associate agreement (BAA) when using WhatsApp. Since transmitting data via WhatsApp uses an encrypted channel, WhatsApp may be regarded as a mere conduit. As such, a BAA is not required. A lot of companies offering messaging services can access the key for decrypting data sent in encrypted messages, and will conform when law enforcement requests the information.

Although WhatsApp will conform to such requests, according to the terms and conditions, access to the content of messages will not be supplied to law enforcement, just the basic account information. Some of the information that WhatsApp could disclose include the about information, address book, profile photos and group information. WhatsApp does not reatin messages after they are delivered. Transaction logs of delivered or undelivered messages are also deleted from the servers after 30 days. It is ambiguous whether WhatsApp keeps a key to unlock encryption, or if messages could be accessed. In case it is possbile, a BAA would most likely be required.

So, WhatsApp in its current form is not HIPAA compliant. The service should not be used to deliver ePHI without the risk of violating HIPAA Rules. WhatsApp may be used by healthcare professionals for general communication, or for delivering de-identified PHI.