Is Facebook Messenger HIPAA Compliant?

People including doctors and nurses use chat platforms for communication. The question is whether these platforms are acceptable for sending PHI? A popular chat platform is Facebook Messenger. Is Facebook Messenger HIPAA compliant?

Services used for sending PHI must have security controls to make sure that information is not intercepted in transit. This requires encryption, which many platforms such as Facebook Messenger do have. Hence, this requirement of HIPAA is satisfied. But for Facebook Messenger users, encryption is optional and must be activated. If encryption is activated, only the sender and receiver can view the messages.

Another requirement of HIPAA compliance is access and authentication controls. This means that only authorized persons should have access to the chat platform. With Facebook Messenger, users can view messages on the app without logging in each time. So, there’s a possibility that unauthorized persons can access it when a phone is stolen. There must be additional security controls on FB messenger apps in case of loss or theft.

HIPAA covered entities should also have the ability to audit or examine activities involving PHI. With Facebook Messenger, it is difficult to maintain an audit trail. Users who delete messages are beyond the control of covered entities.

When HIPAA-covered entities use services to send PHI, a business associate agreement (BAA) is necessary. However, certain services are exempted from this requirement because of the HIPAA Conduit Exception rule. For example, internet service providers and the U.S. Postal Service are exempted because they only serve as conduits of information. However, cloud service providers are not exempted. The same is true for Facebook messenger. Before HIPAA-covered entities can use this chat service for communicating PHI, there must be a BAA. Unfortunately, Facebook is not yet ready to sign a BAA.

Facebook has a messaging service called Workplace by Facebook which businesses can use for internal communication. This service is not HIPAA compliant as stated in its Workplace Entreprise Agreement: “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

To summarize the discussion, Facebook Messenger is not HIPAA compliant. There’s no BAA, audit and access control when using this service. A chat program that is HIPAA compliant is TigerText. It was specifically developed for the healthcare industry making sure that PHI is sent securely with access, audit control and end-to-end encryption.