In 2016, WhatsApp announced it was introducing end-to-end encryption for messages sent using its services. This added security measure allows for healthcare organizations to potentially use the platform as a low-cost secure messaging system for the transfer of ePHI. However, there still exists some debate regarding whether WhatsApp is fully HIPAA compliant.
With the new encryption measures, WhatsApp’s services offer far greater protection than traditional SMS messages and some other text messaging platforms. Despite these measures, many believe that WhatsApp is not a HIPAA compliant messaging platform. We also take this standpoint, and we shall use the following article to demonstrate our belief that WhatsApp is non-HIPAA compliant.
WhatsApp and HIPAA Compliance
It is important to note that, even with sophisticated encryption and strong security measures, no software platform or messaging app can be truly HIPAA compliant. This is because HIPAA compliance is as much about how the users use the software as it is about the software itself.
It is possible for developers to design software which can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI. However, those controls can easily be undermined by its users.
It is to the surprise of many that HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is implemented in its place, and that the covered entity can provide a valid reason as to why they chose not to encrypt the data, encryption of ePHI is not required. Since WhatsApp now includes end-to-end encryption, this aspect of HIPAA is satisfied.
HIPAA also requires access controls to be implemented – See 45 CFR § 164.312(a)(1). This is one area where WhatsApp is not HIPAA compliant. If WhatsApp is installed on a smartphone, anyone with access to that smartphone will be able to view the messages in the user’s WhatsApp account, without the need to enter in any usernames and passwords as the user is permanently logged in. That means any ePHI included in saved conversations would be accessible. Additional security controls may be installed on a smartphone to authenticate users before the device can be accessed, but even when those controls have been applied, notifications about new messages can often be seen without opening the App or unlocking the device.
HIPAA also requires audit controls – See 45 CFR § 164.312(b). This is another area in which the use of WhatsApp is not HIPAA compliant. Messages and attachments are saved to the device, although the user can easily delete them. WhatsApp does not retain a record of messages that have been delivered. That would mean that all data in the account would need to be backed up and retained. Currently, if you switch phones, your account will be preserved, but your messages will not be.
Then there is the issue of what happens to ePHI in a WhatsApp account on a personal device after the user leaves the company. Controls would need to be incorporated to ensure all messages containing ePHI are permanently erased. This provides a logistical difficulty for a covered entity. This action cannot be performed remotely, and finding messages would be virtually impossible. Furthermore, users would likely object to their WhatsApp account being deleted.
There is some ambiguity as to whether a business associate agreement would need to be signed with WhatsApp. Since all data transmitted through WhatsApp is sent through an encrypted tunnel, WhatsApp could be a mere conduit for information by HIPAA legislation. If this is the case, then a business associate agreement would not be required between the CE and WhatsApp for them to use the service.
Some companies that provide messaging services have access to the key to decrypt data sent in encrypted messages, and will comply with law enforcement requests and divulge information if they receive a subpoena, court order, or search warrant.
While WhatsApp will comply with such requests, the terms and conditions state that access to the content of messages will not be provided to law enforcement, only basic account details. WhatsApp says the information that would be disclosed, “May include “about” information, profile photos, group information, and address book, if available. They further state that WhatsApp “does not store messages once they are delivered or transaction logs of such delivered messages, and undelivered messages are deleted from our servers after 30 day.”
It is unclear whether WhatsApp holds a key to unlock the encryption, and whether messages could be accessed by an unauthorised party. If they could access the content of the messages, alongside the information mentioned above, a business associate agreement would likely be required.
It is out conclusion that, considering all the ways outlined in this article in which the use of WhatsApp threatens the integrity of ePHI, that the use of WhatsApp is non-HIPAA compliant. The service cannot be used to send ePHI without risking violating HIPAA Rules. However, for general communication, or for sending de-identified PHI, WhatsApp could be used by healthcare professionals without violating HIPAA legislation.