Is Facebook Messenger HIPAA compliant?


Facebook is a useful platform for connecting with people and corresponding with them. However, could healthcare organizations use its messaging service to send protected health information (PHI) without breaching HIPAA?

A range of chat platforms are already used by medical workers for communication, but is it appropriate to use these platforms for sharing PHI? Facebook Messenger is one of the most widely used chat services. However, HIPAA covered entities should never use Facebook Messenger to send PHI without first establishing whether it is HIPAA compliant.

Any platform used to share PHI must have security controls in place to ensure that data cannot be intercepted in transit. The most effective control is to encrypt messages. Facebook Messenger offers encryption of messages in transit as an option, and using that option addresses this requirement.

However, for HIPAA compliance the encryption option must actually be enabled, so that only the sender and the recipient can read messages. A number of other controls also need to be in place. They include access and authentication controls, so that only authorized persons can use the application, and an audit trail, so that a record of any PHI sent through the chat platform is retained.

A Business Associate Agreement (BAA) would also need to be signed with Facebook before Facebook Messenger could be used to communicate PHI. Currently, Facebook is not willing to sign a BAA for Facebook Messenger. Facebook does operate a messaging service called Workplace by Facebook, which businesses can use for internal communication, but its terms and conditions state: “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

In conclusion, Facebook Messenger cannot be deemed HIPAA compliant, because Facebook is not willing to sign a BAA and the service does not have the required audit and access controls in place.