WhatsApp is not HIPAA compliant but can be used in healthcare environments in certain circumstances – for example to facilitate communications between healthcare providers that do not disclose Protected Health Information, or to accommodate patients’ requests to communicate via WhatsApp.
When HIPAA covered entities and business associates use any messaging service to create, receive, store, or transmit Protected Health Information (PHI), safeguards must be in place to protect the confidentiality, integrity, and availability of PHI. These safeguards include (but are not limited to):
- Audit logs and access reports that monitor when PHI was accessed, who accessed it, and how PHI was used or disclosed during an active session.
- Procedures to terminate a workforce member’s access to PHI when they stop working for a covered entity or business associate, or change roles.
- Information access management to prevent unauthorized persons from accessing PHI or authorized persons from using or disclosing PHI impermissibly.
- The ability to remotely access PHI maintained on a user’s device in the event of an emergency or other security event (e.g., a ransomware attack).
- Automatic log-off mechanisms to mitigate the likelihood of unauthorized persons accessing PHI on a lost or stolen device.
- Ensuring that data at rest is encrypted and undecipherable to a person who gains unauthorized access to a system or device.
- A Business Associate Agreement with the vendor of the messaging service that stipulates the vendor will also comply with HIPAA.
Because WhatsApp lacks these safeguards, it is not possible to make WhatsApp HIPAA compliant. This means the messaging service cannot be used to send or receive PHI unless an exception applies – for example, when a patient requests communications via WhatsApp. However, there are still circumstances in which it is possible to use WhatsApp in healthcare.
How to Use WhatsApp in Healthcare
Covered entities and business associates may still use WhatsApp in healthcare to communicate with each other provided PHI is not disclosed in a WhatsApp message or video call, and provided the covered entity or business associate has not implemented a workplace policy prohibiting the use of WhatsApp for business purposes.
If there is no policy prohibiting the use of WhatsApp, the messaging service could be used in healthcare for a variety of reasons. These include sharing information informally with colleagues about new clinical procedures, managing workforce schedules, and soliciting feedback from new members of the workforce about HIPAA training.
WhatsApp Compliance and Patient Requests
Although WhatsApp is not HIPAA compliant, healthcare providers are permitted to disclose PHI to patients via WhatsApp if a patient exercises the right to request confidential communication via a non-standard communication channel. Indeed, the Privacy Rule requires healthcare providers to accommodate reasonable requests (see §164.522(b)).
Because WhatsApp is so widely used, it would be considered unreasonable to refuse such a request. However, it is advisable to alert patients to WhatsApp’s lack of HIPAA compliance and document the warning. Healthcare providers can also insist that any request to communicate via a non-standard communication channel is made in writing.
Is WhatsApp HIPAA Compliant? Conclusion
WhatsApp is not HIPAA compliant, but can still be used in healthcare to streamline workflows and accommodate patients’ requests for confidential communication. In the latter case, it is important that policies and procedures exist to ensure PHI is removed from a healthcare provider’s WhatsApp account once it has been sent to a patient.