Is Facebook Messenger HIPAA Compliant?
Facebook Messenger is not HIPAA compliant and cannot be used to collect or disclose Protected Health Information (PHI) unless a patient who is the subject of the PHI has requested to communicate via the messaging app. Even in these circumstances, precautions must be taken to prevent impermissible disclosures of PHI.
Facebook Messenger is a popular messaging app through which individuals and groups can chat, call, and video each other. In the healthcare industry, the Facebook Messenger for Business service can be used to raise public awareness about health issues, tackle misinformation, promote citizen engagement, and communicate emergency situations or critical incidents.
However, personal messaging between healthcare providers and individual patients is not permitted by HIPAA when messages include PHI. This is because Facebook Messenger does not meet the requirements to be a business associate, and because it has “persistent access” to PHI (even when messages are encrypted), it is not exempt from HIPAA compliance under the Conduit Exception Rule.
Is it Possible to Make Facebook Messenger HIPAA compliant?
It is not possible to make Facebook Messenger HIPAA compliant because the app lacks some necessary capabilities to comply with the Administrative and Technical Safeguards of the Security Rule – for example, audit logs, access reports, and emergency access procedures. Because of the lack of these capabilities, Facebook is unable to provide satisfactory assurances that PHI will be safeguarded and cannot enter into a Business Associate Agreement with a healthcare provider.
In addition, while Facebook has made some progress towards making the Messenger app more compliant by introducing end-to-end encryption and automatic logoff, these measures are not enabled in the app by default and have to be activated by users. With regard to the data management capabilities necessary to make Facebook Messenger HIPAA compliant, the app lacks the administrative controls required to ensure the confidentiality, integrity, and availability of PHI.
Patients’ Requests to Communicate via Facebook Messenger
Although it is not possible to make Facebook Messenger HIPAA compliant for general use, if a patient exercises their right to request communications with their healthcare provider via a specific communication channel under §164.522(b) of the Privacy Rule (in this case, Facebook Messenger), healthcare providers are required to accommodate the request if it is reasonable.
Because HHS’ Office for Civil Rights exercised enforcement discretion on the use of Facebook Messenger during the COVID-19 pandemic while continuing to prohibit other channels of communication, and because Facebook Messenger is free to download and use, it is hard to envisage a scenario in which a request to communicate via Facebook Messenger would be considered unreasonable.
However, in such circumstances, it is important to alert the patient to the risks of using a non-compliant channel of communication and to document the warning. If the patient wishes to continue communicating via Facebook Messenger, it may be necessary to verify the patient’s identity before disclosing PHI, and to obtain their consent to continue a conversation if there is a risk that it could be overheard by members of the patient’s household or by workplace colleagues.
Healthcare providers unsure about the rules relating to communicating with patients via non-compliant channels of communication should seek professional compliance advice.