Is WhatsApp HIPAA compliant?

WhatsApp is a popular messaging app that combines text, voice, and video communications in one platform. Users love its convenient interface and features like group chats and media sharing. But is it HIPAA compliant? While WhatsApp uses end-to-end encryption and is a staple in everyday personal communications, it is not HIPAA compliant. 

All healthcare messaging apps that process electronic personal health information (ePHI) must comply with HIPAA. Unfortunately, WhatsApp doesn’t meet the stringent security measures required by HIPAA, so healthcare providers, other covered entities, and business associates need to use a different platform to avoid compromising the security of PHI and risking costly HIPAA penalties for non-compliance. 

In this guide, we’ll explain why WhatsApp isn’t HIPAA compliant and offer tips to help your practice find compliant patient messaging tools. 

• What is WhatsApp?
• The exception: When can WhatsApp be used to communicate PHI?
• Why WhatsApp isn’t HIPAA compliant
• What to look for in a compliant patient messaging app
• Message delivered: Be HIPAA compliant at every turn
• Frequently asked questions

Wh‎at is WhatsApp?

‎WhatsApp, owned by Facebook, is a widely used messaging app that's projected to reach 3 billion monthly active users in June 2024, making it one of the most popular globally. However, despite its popularity, WhatsApp does not currently define itself as an app that enables HIPAA compliance.

While the app does have end-to-end encryption, it is not recommended for communicating protected health information. This means that healthcare professionals should avoid using WhatsApp to transmit sensitive patient data, as it does not meet the necessary security standards required by HIPAA.

Despite its limitations in terms of HIPAA compliance, WhatsApp can still be a valuable tool in healthcare settings for non-PHI related communication and collaboration among healthcare professionals and patients.

According to HIPAA Journal, "In a 2019 survey, the most common uses of WhatsApp for healthcare professionals included sharing scientific information with colleagues, managing agendas with colleagues, and communicating with colleagues about clinical situations without mentioning patient-specific information."

Th‎e exception: When can WhatsApp be used to communicate PHI?

‎If a patient exercises their right under Privacy Rule §164.522(b) to request confidential communications via a specific channel or platform, WhatsApp can be used to communicate PHI under these very limited circumstances.

The Department of Health and Human Services (HHS) has provided guidance on how healthcare providers should respond when a patient requests confidential communications via a non-compliant communication channel. Healthcare providers can comply with the request as long as reasonable safeguards are implemented to ensure the privacy of PHI.

However, some healthcare providers may have concerns about using WhatsApp for communication, as it does not support HIPAA compliance. In such cases, healthcare providers are advised to explain to the patient the risks associated with using WhatsApp and suggest an alternative, compliant channel.

If the patient still insists on using WhatsApp, healthcare providers should document the warning given to the patient and the patient's request for communications via WhatsApp.

Wh‎y WhatsApp isn’t HIPAA compliant

Although WhatsApp has implemented various security measures since being acquired by Facebook, it does not explicitly state that it enables HIPAA compliance. Therefore, healthcare organizations should seek alternative secure messaging platforms that are specifically designed to meet HIPAA requirements when communicating ePHI.

Here's a closer look at the concerns that make WhatsApp unsuitable for healthcare delivery and communications.

No Business Associate Agreement (BAA)

HIPAA requires covered entities to sign a BAA with third-party providers handling PHI. WhatsApp doesn’t sign BAAs, which immediately classifies this service as non-compliant. 

Inadequate access controls

HIPAA requires strict controls over who can access patient health information. WhatsApp simply doesn’t have the right features to allow healthcare providers to control or restrict access to PHI on its platform. Once a sender fires off a message, they have no control over who sees it or distributes it on the receiving end. 

Insufficient audit trails

HIPAA requires healthcare providers to maintain detailed logs of who accessed ePHI and when. These logs are audited yearly, but providers may need to retain them for several years after the fact.

WhatsApp doesn’t support these detailed logs; instead, messages are stored locally on a user’s device. At best, WhatsApp stores messages for 30 days, which still isn’t long enough to satisfy audit requirements. This makes it impossible for healthcare providers to track access to ePHI and comply with HIPAA’s accountability requirements.

Encryption oversights

Facebook added end-to-end encryption when it purchased WhatsApp. However, this encryption still isn’t up to HIPAA standards.

It’s not clear whether WhatsApp protects data while in transit. Data that is not encrypted in transit violates HIPAA. If there are any question about a vendor’s ability to encrypt data at all times, it is non-compliant.

Lack of remote deletion capability

WhatsApp does not support remote deletion of messages containing ePHI. This means that once a message containing PHI is sent via WhatsApp, it cannot be remotely deleted from the sender's or recipient's account. According to HIPAA regulations, covered entities are required to have mechanisms in place to ensure the secure transmission and storage of ePHI.

This includes the ability to remotely delete messages containing such information in the event that an employee leaves the organization. Because WhatsApp does not provide this functionality, it's difficult for healthcare organizations to fully comply with HIPAA requirements when using the platform for communication.

No data backup

WhatsApp messages and attachments are not backed up, which can pose data loss risks. Unlike some other messaging platforms, WhatsApp does not store the information on their servers once a message is received. This means that if a user's device is lost, stolen, or damaged, the messages and attachments stored on that device may be permanently lost.

Additionally, undelivered messages on WhatsApp are only stored for a limited period of time. According to WhatsApp's policy, undelivered messages are stored for 30 days and then deleted. This means that if a message fails to be delivered within that time frame, it will be permanently lost.

HIPAA requires that ePHI be securely stored and protected from loss or unauthorized access, so the lack of backup and limited storage of undelivered messages on WhatsApp can be problematic for organizations that need to comply with HIPAA regulations.

Wh‎at to look for in a compliant patient messaging app

‎WhatsApp uses common-sense security measures like encryption, but these features alone don’t ensure compliance. Look for these features to find a compliant patient communications app.

BAAs

At a minimum, your messaging app should be willing to sign a business associate agreement. It’s non-negotiable for HIPAA compliance because it legally binds the provider to adhere to HIPAA regulations and protect PHI. It can also safeguard your business in the event of a breach on the vendor side, so this requirement is also a risk management best practice. 

End-to-end data encryption

HIPAA requires communication platforms to encrypt PHI at all times, whether at rest or in transit. Look for apps that provide strong encryption when storing data on servers or devices, safeguarding against unauthorized access. 

Proper access controls

All of your users shouldn’t have the same permissions. A patient communication app should come with robust access controls that allow you to manage who can access, use and share patient information.

Look for features like multi-factor authentication (MFA), role-based access, and administrative backups. The app should verify the identity of each user every time they log in, ideally through secure login procedures like MFA or tokens.

Data security

The app should automatically log users off after periods of inactivity to prevent unauthorized access. Ensure the app includes features to prevent PHI alteration or destruction, too. This could include backup systems and safeguards against unauthorized changes.

Audit trails

HIPAA-compliant vendors are required to keep robust audit logs of all user activities, including accessing, sharing, and modifying PHI. This will protect you in the event of an audit and help you mitigate damage during a breach by quickly identifying which accounts accessed sensitive data. 

Me‎ssage delivered: Be HIPAA compliant at every turn

‎While WhatsApp is a user-friendly messaging platform, it simply doesn’t meet HIPAA’s stringent requirements. Using WhatsApp for healthcare communication puts your practice at significant risk of falling out of HIPAA compliance, potentially leading to severe consequences. It's crucial to choose healthcare-specific platforms designed to protect patient data. 

As important as vendor compliance is, it’s just one piece of the puzzle. Healthcare data is increasingly under attack, and it’s never been more important for practices to safeguard their patients’ information. But with so many locations, endpoints, and users, security gets complicated—fast. 

That’s where the Reveal Platform by Next comes in. Our robust data protection platform supports HIPAA compliance by automating the enforcement of an organization's data handling policy. Deploying smart agents that deliver machine learning at the endpoint, Reveal identifies and categorizes data at the point of risk.

Reveal also helps cultivate a security-conscious culture by training employees on secure data handling policies. When a user attempts an unauthorized action, Reveal not only blocks the action but also provides real-time, incident-based training that educates the user about why the prohibited action puts PHI or other sensitive data at risk.

See Reveal in action: Schedule your demo now.

Fr‎equently asked questions

Can healthcare providers use any messaging app if they have patient consent?

No, patient consent does not override HIPAA compliance requirements. Even if a patient agrees to communicate through a non-compliant app, the healthcare provider still has the responsibility to ensure that all communication methods comply with HIPAA standards.

How can healthcare organizations ensure their staff adhere to HIPAA-compliant messaging practices?

Organizations should provide regular training on HIPAA requirements and establish clear policies regarding the use of messaging apps. Monitoring and auditing practices should be in place to ensure compliance, and staff should be encouraged to report any potential breaches.

What happens if a healthcare provider inadvertently uses a non-compliant app for patient communication?

Accidental use of a non-compliant app can lead to serious consequences, including data breaches and potential HIPAA violations. The provider must report any breach as required by HIPAA, evaluate the extent of the breach, and take steps to prevent future occurrences, including switching to a compliant messaging solution.