Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant?

Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI).

However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform.

Why Isn’t WhatsApp HIPAA Compliant?

First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users.

HIPAA does not mandate encryption outright. Under the Security Rule, encryption is an addressable implementation specification (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)): a covered entity must implement it if reasonable and appropriate, or document an equivalent alternative measure in its place. Since WhatsApp now encrypts messages end-to-end, the transmission security aspect of HIPAA is satisfied for messages in transit. That protection applies only while a message is travelling between devices; it says nothing about how the message is protected once it has been delivered and stored on the phone.

HIPAA also requires access controls to be implemented – See 45 CFR § 164.312(a)(1). This is one area where WhatsApp is not HIPAA compliant. If WhatsApp is installed on a smartphone, anyone with access to that smartphone will be able to view the messages in the user’s WhatsApp account, without entering a username or password. That means any ePHI included in saved conversations would be accessible. Additional security controls may be applied on a smartphone to authenticate users before the device can be accessed, but even when those controls are in place, notifications about new messages, including a preview of their content, can often be seen without opening the app or unlocking the device.

HIPAA also requires audit controls – See 45 CFR § 164.312(b). This is another area where WhatsApp is not HIPAA compliant. Messages and attachments are saved to the device, where they can easily be deleted, and WhatsApp does not retain a server-side record of messages once they have been delivered. A covered entity would therefore need to back up and retain all of the data in the account itself in order to maintain an audit trail. Currently, if you switch phones, your account will be preserved, but your messages will not.

Then there is the issue of what happens to ePHI in a WhatsApp account on a personal device after the user leaves the company. Controls would need to be incorporated to ensure all messages containing ePHI are permanently erased. That would be a logistical nightmare for any covered entity: the erasure could not be performed remotely, locating the relevant messages would be next to impossible, and users would likely object to having their WhatsApp account deleted.

There is some debate about whether a business associate agreement would need to be signed with WhatsApp. Since all message content transmitted through WhatsApp is end-to-end encrypted, WhatsApp could be considered a mere conduit for information, in which case a business associate agreement would not be required. By contrast, some companies that provide messaging services hold the keys needed to decrypt the messages they carry, and will comply with law enforcement requests and divulge message content if they receive a subpoena, court order, or search warrant.

While WhatsApp will comply with such requests, its terms and conditions state that the content of messages will not be provided to law enforcement, only basic account details. WhatsApp says the information that would be disclosed, “May include “about” information, profile photos, group information, and address book, if available. WhatsApp does not store messages once they are delivered or transaction logs of such delivered messages, and undelivered messages are deleted from our servers after 30 days.” With end-to-end encryption the decryption keys are, by design, held only on the users’ devices rather than by the service provider, but what remains unclear is whether WhatsApp holds any key or other means by which message content could be accessed. Were that to be the case, a business associate agreement would likely be required.

So, is WhatsApp HIPAA compliant? In its current form, no. When it comes to WhatsApp and HIPAA compliance, the service cannot be used to send ePHI without risking a violation of HIPAA Rules. For general communication, or for sending health information that has been de-identified in accordance with the HIPAA Privacy Rule (and is therefore no longer PHI), WhatsApp could be used by healthcare professionals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.