Is Facebook Messenger HIPAA Compliant?
Facebook Messenger is not HIPAA compliant and cannot be used to collect or disclose Protected Health Information (PHI) unless a patient who is the subject of the PHI has requested to communicate via the messaging app. Even in these circumstances, precautions must be taken to prevent impermissible disclosures of PHI.
Facebook Messenger is a popular messaging app through which individuals and groups can chat, make voice calls, and video call one another. In the healthcare industry, the Facebook Messenger for Business service can be used to raise public awareness about health issues, tackle misinformation, promote citizen engagement, and communicate emergency situations or critical incidents.
However, personal messaging between healthcare providers and individual patients is not permitted by HIPAA when messages include PHI. This is because Facebook Messenger does not meet the requirements to be a business associate, and has “persistent access” to PHI (even when messages are encrypted), so is not exempted from HIPAA compliance under the Conduit Exception Rule.
Is it Possible to Make Facebook Messenger HIPAA compliant?
It is not possible to make Facebook Messenger HIPAA compliant because the app lacks some necessary capabilities to comply with the Administrative and Technical Safeguards of the Security Rule – for example, audit logs, access reports, and emergency access procedures. Because of the lack of these capabilities, Facebook is unable to provide satisfactory assurances that PHI will be safeguarded and cannot enter into a Business Associate Agreement with a healthcare provider.
In addition, while Facebook has made some progress towards the Messenger app being more compliant by introducing end-to-end encryption and automatic logoff, these are not measures built into the app by default and have to be activated by users. With regards to having the data management capabilities necessary to make Facebook Messenger HIPAA compliant, the app lacks the administrative controls required to ensure the confidentiality, integrity, and availability of PHI.
Patients’ Requests to Communicate via Facebook Messenger
Although it is not possible to make Facebook Messenger HIPAA compliant for general use, if a patient exercises their right to request communications with their healthcare provider via a specific communication channel under §164.522(b) of the Privacy Rule (in this case, Facebook Messenger), healthcare providers are required to accommodate the request if it is reasonable.
As HHS’ Office for Civil Rights exercised enforcement discretion on the use of Facebook Messenger during the COVID-19 pandemic while continuing to prohibit other channels of communication, and as Facebook Messenger is free to download and use, it is hard to consider a scenario in which a request to communicate via Facebook Messenger would be considered unreasonable.
However, in such circumstances, it is important to alert the patient of the risks of using a non-compliant channel of communication and document the warning. If the patient wishes to continue communicating via Facebook Messenger, it may be necessary to verify the patient’s identity before disclosing PHI and obtain their consent to continue with a conversation if there is a risk the conversation can be overheard by members of the patient’s household or workplace colleagues.
Healthcare providers unsure about the rules relating to communicating with patients via non-compliant channels of communication such as social media platforms, or who require assistance training members of the workforce on how to use social media platforms in compliance with HIPAA, should seek professional compliance advice.