When WhatsApp announced it was launching end-to-end encryption, healthcare organizations questioned whether this made WhatsApp HIPAA compliant and if the messaging platform could be used to send and receive communications containing Protected Health Information.
HIPAA doesn’t actually require the use of encryption as long as there is another, comparable measure applied in its place; and although the content of WhatsApp messages is better protected against impermissible uses and disclosures than the content of SMS messages and emails, there are several reasons why WhatsApp is not HIPAA compliant.
Most of these reasons can be found in the Technical Safeguards of the HIPAA Security Rule. For example, WhatsApp does not support unique user authentication and automatic logoff. Although these safeguards could be managed by the device controls for the device WhatsApp is installed on, they would have to be managed by the Covered Entity responsible for HIPAA compliance rather than the device user – which rules out using the device for personal purposes.
Even if this solution were practical, WhatsApp lacks further safeguards mandated by the Security Rule such as audit and integrity controls. These enable Covered Entities to identify when PHI has been impermissibly disclosed (i.e., sent to an unauthorized individual) or impermissibly altered (which could have implications for future diagnoses, treatments, and payments). There is also no way to remotely delete messages containing PHI from an individual’s WhatsApp account.
Other Reasons why WhatsApp is Not HIPAA Compliant
WhatsApp itself acknowledges it is not HIPAA compliant. In its terms of service, WhatsApp states: “We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities”.
The terms also include a clause implying that Covered Entities should obtain patient consent before saving contact details and other personal data on WhatsApp or before communicating with patients via the WhatsApp service. This is not dissimilar to guidance from HHS’ Office for Civil Rights, which suggests it is a best practice to obtain patient consent before communicating PHI via other insecure channels of communication (i.e., SMS, email, etc.).
Because WhatsApp itself acknowledges the platform is not HIPAA compliant, it will not enter into a Business Associate Agreement. As Business Associate Agreements are a requirement of HIPAA when PHI is shared with a Business Associate (even one that cannot access PHI because it is encrypted), this is a further reason why WhatsApp is not HIPAA compliant. Therefore, although WhatsApp can be used to send and receive messages in the healthcare industry, it cannot be used to send or receive messages containing PHI because it is not HIPAA compliant.