HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Signal HIPAA Compliant?

Signal is a popular open source, messaging application that is free to use, which has made it popular with businesses and consumers, but can the platform be used for communication in healthcare? Is Signal HIPAA compliant?

HIPAA Compliance and Instant Messaging Platforms

Instant messaging platforms are convenient and make it easy to communicate with patients; however, if the platforms are used to transmit electronic protected health information, they must be HIPAA compliant. That means appropriate technical, administrative, and physical safeguards must be implemented to ensure the confidentiality, integrity, and availability of any transmitted or stored ePHI. The provider of an instant messaging platform would be classed as a HIPAA business associate, which means they must enter into a business associate agreement with a HIPAA-covered entity.

Signal, like several other instant messaging apps, has a strong focus on privacy and offers end-to-end encryption of messages. Signal will also encrypt phone calls and video calls to prevent interception and eavesdropping. While this may seem like adequate protection for any ePHI that is disclosed via the app, part of the reason why Signal is so popular is that users can communicate with non-Signal users and can send them messages and make calls. Signal only offers 100% encryption for communications if all parties are using the Signal app. Verification of users during the setup process is conducted through a system that is not encrypted, and while files can be sent in messages, they may not be protected to a standard required by HIPAA. Further, at the time of publication, Signal does not enter into business associate agreements with HIPAA-covered entities.

Is Signal HIPAA Compliant?

So, is Signal HIPAA compliant? At the time of publication, Signal does not enter into business associate agreements with users, and that means that the platform is not HIPAA compliant, so should not be used by healthcare organizations for providing telehealth services or for communicating any ePHI with patients or other individuals as Signal is not a HIPAA compliant messaging app.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Signal Can be Used for the Duration of the COVID-19 Public Health Emergency

The COVID-19 pandemic forced healthcare organizations to take steps to reduce the spread of the virus, and the HHS responded to the pandemic by issuing a Notice of Enforcement Discretion to support the provision of telehealth services by healthcare providers.

Under the Notice of Enforcement Discretion, the HHS relaxed enforcement of compliance with certain aspects of the HIPAA Rules with respect to Telehealth services. No changes were made to the HIPAA Privacy and Security Rules, so using an app such as Signal for telehealth services is still a HIPAA violation; however, the HHS’ Office for Civil Rights (OCR) confirmed that it would be exercising enforcement discretion and would not impose sanctions or penalties on HIPAA-covered entities for the good faith provision of telehealth services using platforms that would not normally be considered HIPAA compliant, provided they are not public-facing services. Signal is not a public-facing messaging platform.

Signal was specifically mentioned in the Notice of Enforcement Discretion issued by OCR on March 20, 2020, as one of the platforms that could be used. It is important to bear in mind that the Notice of Enforcement Discretion ONLY applies for the duration of the COVID-19 Public Health Emergency. When the PHE expires, or the Secretary of the HHS declares the PHE is over, the Notice of Enforcement Discretion will immediately end, and the continued use of Signal would be a HIPAA violation. At that point, HIPAA-covered entities would be required to switch to a HIPAA-compliant platform – one for which they had obtained a BAA.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.