Is Facebook Messenger HIPAA compliant?

Facebook Messenger is not HIPAA compliant. HIPAA Covered Entities and Business Associates cannot use it to collect, transmit, or disclose Protected Health Information, with one exception: when the patient who is the subject of the Protected Health Information requests communication through Facebook Messenger and the provider implements precautions to avoid an impermissible disclosure. Facebook Messenger can still support public-facing communications that involve no Protected Health Information, such as general outreach and awareness messaging, but that use case is distinct from provider-patient messaging that includes Protected Health Information.

Provider-patient messaging that includes Protected Health Information is not permitted through Facebook Messenger as a standard communication channel because Facebook Messenger does not meet the requirements to be a business associate and maintains persistent access to message content, including when messages are encrypted. Facebook Messenger also does not qualify for an exemption under the Conduit Exception Rule, because persistent access means the service does more than transmit information in the manner of a mere conduit.

Facebook Messenger cannot be made HIPAA compliant because the application lacks capabilities needed to support the administrative and technical safeguards of the HIPAA Security Rule. These limitations include the absence of audit logs, access reports, and emergency access procedures, which underpin the Rule's access control, accountability, and availability requirements. Without these capabilities, Facebook cannot provide satisfactory assurances that Protected Health Information will be safeguarded and therefore cannot enter into a Business Associate Agreement with a healthcare provider.

Facebook has introduced features such as end-to-end encryption and automatic logoff, but these are not enabled by default and must be activated by the user. Even when enabled, they do not address the broader administrative controls and data management capabilities required to support confidentiality, integrity, and availability controls when Protected Health Information is exchanged.

Under 45 CFR 164.522(b) of the HIPAA Privacy Rule, a patient can request that a healthcare provider communicate through a specific channel, including Facebook Messenger, and the provider is required to accommodate a reasonable request. When a provider communicates with a patient through Facebook Messenger in response to such a request, the provider needs to warn the patient about the risks of using a noncompliant communication channel and document that warning. Additional precautions can include verifying the patient's identity before disclosing Protected Health Information and obtaining consent to continue the conversation when there is a risk that it could be overheard by members of the patient's household or by workplace colleagues.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.