
Is WhatsApp HIPAA Compliant?


This article answers the question of whether WhatsApp is HIPAA compliant by discussing what the messaging platform can be used for, what it should not be used for, and when an exception can exist.

WhatsApp is used in a variety of healthcare settings for a variety of purposes. In a 2019 survey, the most common uses of WhatsApp for healthcare professionals included sharing scientific information with colleagues, managing agendas with colleagues, and communicating with colleagues about clinical situations without mentioning patient-specific information.

The same survey identified a number of WhatsApp interactions between healthcare professionals and patients which were most often initiated by patients. Common interactions included patients sending images and videos prior to a consultation, asking healthcare-related questions, and providing updates on clinical conditions or the effects of medications.

Because these uses of WhatsApp do not involve disclosures of Protected Health Information (PHI) by Covered Entities or Business Associates, they do not violate HIPAA. Indeed, these uses of WhatsApp are likely to accelerate workflows and improve patient outcomes because WhatsApp messages are generally read and responded to much quicker than emails.

However, some WhatsApp interactions with patients in which PHI was disclosed were initiated by healthcare professionals. These interactions are not necessarily violations of HIPAA if patients requested them, but it is important for healthcare professionals to understand why most articles discussing whether WhatsApp is HIPAA compliant conclude that it is not compliant with the HIPAA Rules.

What HIPAA Says about Communicating PHI Electronically

Electronic communications conducted by a HIPAA Covered Entity or Business Associate are subject to the standards of the HIPAA Security Rule. The standards are designed to ensure the confidentiality, integrity, and availability of electronic PHI at all times and primarily consist of three sets of safeguards – Administrative, Physical, and Technical Safeguards.

Throughout the safeguards, there are multiple standards that Covered Entities and Business Associates cannot comply with because WhatsApp lacks the necessary capabilities. For example, there are no capabilities to terminate an individual’s access to PHI stored on their device, monitor logins, or support emergency access to PHI if the account owner is unavailable.

Similarly, there are no controls in WhatsApp to corroborate that PHI has not been altered, improperly modified, or destroyed in an unauthorized manner. There are no audit trails or event logs, and the only way to enforce the automatic logoff standard is to ensure the device being used for WhatsApp communications has a PIN lock enabled. Therefore, WhatsApp should not be used to communicate PHI.

Additionally, whenever any service is used to communicate PHI electronically, it is necessary to have a Business Associate Agreement in place with the service provider. WhatsApp will not enter into an Agreement, and notes in its Business Terms “We make no representations or warranties that our services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”

What if WhatsApp Communications are Requested by a Patient?

There is nothing Covered Entities and Business Associates can do to make WhatsApp HIPAA compliant. However, there is an exception to the guideline that WhatsApp should not be used to communicate PHI. This is when a patient exercises their right to request confidential communications via a specific channel or platform (Privacy Rule §164.522(b)).

The Department of Health and Human Services (HHS) has published guidance on how Covered Entities should respond when a patient requests confidential communications via a non-compliant communication channel (in this case, unencrypted email). The guidance states Covered Entities can comply with the request provided reasonable safeguards are taken to ensure the privacy of PHI.

Some Covered Entities may have issues with the guidance inasmuch as HHS suggests if a patient initiates communications with a healthcare professional via a non-compliant channel of communication, the healthcare professional can assume the patient agrees to receive communications via this channel of communication – including those containing PHI.

If concerns exist about communicating with a patient via WhatsApp, healthcare providers are advised to explain to the patient that WhatsApp does not support HIPAA compliance and suggest an alternative, compliant channel is used instead. If the patient specifically requests communications via WhatsApp – despite being alerted to the risks – healthcare professionals should document the warning to the patient and the patient’s request for communications via WhatsApp.

Is WhatsApp HIPAA Compliant? Conclusion

There are many ways in which WhatsApp can be used in healthcare settings to accelerate workflows and improve patient outcomes. However, the platform should not be used to communicate PHI because it lacks the capabilities to support compliance with the HIPAA Security Rule. The exception to this guideline is when a patient exercises their Privacy Rule right to request confidential communications via a specific channel or platform.

In such cases, HHS guidance states healthcare professionals should accommodate the patient’s request when it is reasonable and when safeguards are taken to ensure the privacy of PHI. The use of WhatsApp in these circumstances should be documented – along with the patient’s request and any warning provided to the patient – to mitigate the risk of a civil penalty if the HHS’ Office for Civil Rights subsequently conducts a compliance audit.

Covered Entities or Business Associates concerned about the compliant use of WhatsApp in their organizations should seek professional compliance advice.

Is WhatsApp HIPAA Compliant? FAQs

Can WhatsApp be used by healthcare providers?

WhatsApp can be used by healthcare providers – but generally not to create, store, or share PHI. There can be exceptions to this rule if, for example, a patient specifically requests to be contacted by WhatsApp. In such circumstances, the patient should be told WhatsApp is not HIPAA compliant and asked to put their request in writing. The warning and the request should both be documented.

Why would it be necessary to sign a BAA with WhatsApp?

It would be necessary to sign a BAA with WhatsApp (if the platform was HIPAA-compliant) because WhatsApp would be providing a service for a Covered Entity through which it would have “persistent access” to PHI. HHS has published guidance that covers scenarios similar to WhatsApp when service providers cannot access PHI (because it is encrypted) but still qualify as Business Associates.

As all messages are encrypted, why is WhatsApp not HIPAA compliant?

Even though all messages are encrypted, WhatsApp is not HIPAA compliant because it lacks other capabilities Covered Entities and Business Associates need to comply with the HIPAA Security Rule. It is important to note that encryption alone does not make any software HIPAA compliant. The capabilities of the software, how they are configured, and how they are used together determine compliance.

Why is it acceptable for patients to send PHI via WhatsApp?

It is acceptable for patients to send PHI via WhatsApp because patients are not Covered Entities and therefore not subject to the HIPAA Privacy and Security Rules. However, once received by a healthcare professional, PHI should be added to the patient’s medical record or placed in a designated record set – where the protections of the HIPAA Privacy and Security Rules will apply.

What happens if a patient loses their mobile phone and PHI is in their WhatsApp messages?

If a patient loses their mobile phone and PHI is in their WhatsApp messages, the consequences will depend on how PHI came to be in the WhatsApp messages. If the patient has initiated a WhatsApp conversation, or requested PHI is communicated via WhatsApp, nothing will happen because the healthcare professional will not be considered liable for the patient losing their mobile phone.

If PHI is in the WhatsApp messages because of a conversation initiated by a Covered Entity without consent, an unsolicited contact by a Covered Entity, or a mistake by a Covered Entity (e.g., when sending a message about an appointment), this may be considered a wrongful disclosure of PHI via a non-compliant channel of communication and will likely prompt an OCR investigation.

The post Is WhatsApp HIPAA Compliant? appeared first on HIPAA Journal.
