
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Signal HIPAA Compliant?

Signal is not a HIPAA compliant messaging solution and cannot be used to collect, store, or transmit electronic PHI because user accounts are set up “per user” – making it impossible to apply most administrative and activity monitoring safeguards required by the Security Rule. For this reason, Signal will not enter into a Business Associate Agreement with HIPAA covered entities.

HIPAA Compliance and Instant Messaging Platforms

Instant messaging platforms are convenient and make it easy to communicate with patients; however, if the platforms are used to transmit electronic protected health information (ePHI), they must be HIPAA compliant unless a patient exercises their Privacy Rule right to receive healthcare communications via a non-compliant channel. That means appropriate technical, administrative, and physical safeguards must be implemented to ensure the confidentiality, integrity, and availability of any transmitted or stored ePHI.

Signal, like several other instant messaging apps, has a strong focus on privacy and offers end-to-end encryption of messages. Signal also encrypts phone calls and video calls to prevent interception and eavesdropping. While this may seem like adequate protection for any ePHI that is disclosed via the app, part of the reason why Signal is so popular is that users can communicate with non-Signal users and can send them messages and make calls.

However, Signal only offers 100% encryption for communications if all parties are using the Signal app. Verification of users during the setup process is conducted through a system that is not encrypted, and while files can be sent in messages, they may not be protected to a standard required by HIPAA. Further, at the time of publication, Signal only offers its services “per-user” and each user must register with a separate phone number.

There is no option for business users to share a platform and no controls to manage user IDs, track user activity, or remove users from the platform when they leave as required by §164.308(a)(3)(ii)(C) of the Security Rule. Other capabilities lacking from the Signal platform include automatic logoff, centralized backup (all messages are stored on the user’s device), and remote data deletion in the event of a device being lost or stolen.

Is Signal HIPAA Compliant?

Providers of instant messaging platforms are classed as HIPAA business associates – even if they cannot access the content of encrypted conversations – which means they must enter into a business associate agreement with HIPAA-covered entities. Because the Signal platform does not have the capabilities to support HIPAA compliance, Signal will not enter into a business associate agreement. As a result, Signal is not a HIPAA-compliant messaging platform.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
