WhatsApp is not HIPAA compliant and should not be used by a HIPAA Covered Entity or Business Associate to receive, store, or send Protected Health Information, except when a patient initiates contact through WhatsApp or requests confidential communications through that specific channel and the provider documents the request and applies reasonable safeguards.
Electronic communications that contain electronic Protected Health Information are subject to the HIPAA Security Rule standards for confidentiality, integrity, and availability. WhatsApp does not provide the functionality needed to support multiple HIPAA Security Rule requirements for organizational control of access and activity. Examples include the absence of a mechanism to terminate an individual’s access to Protected Health Information stored on a device, a lack of login monitoring, and no support for emergency access to Protected Health Information if the account owner is unavailable. The platform also lacks integrity controls to corroborate that Protected Health Information has not been altered or destroyed in an unauthorized manner, and it does not provide audit trails or event logs. Automatic logoff cannot be enforced through WhatsApp controls and depends on device-level settings such as a PIN lock.
Use of a service to communicate Protected Health Information electronically also requires a Business Associate Agreement with the service provider when the provider creates, receives, maintains, or transmits Protected Health Information on behalf of a regulated entity. WhatsApp does not enter into a Business Associate Agreement and disclaims representations that its services meet the needs of entities regulated by heightened confidentiality requirements.
A patient request can create a narrow pathway for communications through WhatsApp. When a patient requests confidential communications through WhatsApp, the request and any initial contact should be documented and safeguards should be implemented to protect privacy. If a patient continues to request WhatsApp after being warned that the platform does not support HIPAA compliance, the warning and the request should be documented.
Encryption alone does not make WhatsApp HIPAA compliant. Patients may choose to send health information through WhatsApp because they are not subject to the HIPAA Privacy Rule or the HIPAA Security Rule. When Protected Health Information is received through WhatsApp, it should be placed in the patient’s medical record or a designated record set where HIPAA protections apply.

