In 2016, WhatsApp announced that it was introducing end-to-end encryption for messages. For healthcare organizations, this added security measure raised an obvious question: now that messages are encrypted, is WhatsApp HIPAA compliant, and can it be used to communicate Protected Health Information (PHI)?
With end-to-end encryption, WhatsApp offers far greater protection against man-in-the-middle attacks and message interception than traditional SMS and some other text messaging platforms. It is worth being precise about what that protection covers, however: end-to-end encryption protects messages in transit between the sender's and recipient's devices. It does nothing for messages once they have been decrypted and stored on the handset, and it says nothing about who can pick up that handset. Despite the encryption, WhatsApp is not a HIPAA compliant messaging platform. The following article explains why.
WhatsApp and HIPAA Compliance
It is important to note that, even with sophisticated encryption and strong security measures, no software platform or messaging app can be HIPAA compliant on its own. HIPAA compliance is as much about how users use the software, and how the organization governs that use, as it is about the software itself.
Developers can design software that supports HIPAA compliance and incorporates the safeguards needed to protect the confidentiality, integrity, and availability of ePHI. However, those controls can be circumvented by users, and a consumer app installed on a personal phone gives the covered entity very little ability to enforce them.
HIPAA does not mandate that encryption be used to protect PHI. Under the Security Rule, encryption is an "addressable" implementation specification (45 CFR § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii)): if an organization implements an alternate, equivalent measure in its place and documents a justifiable reason for not encrypting, the encryption of electronic PHI is not required.
However, HIPAA does require other security safeguards to be implemented, for example access controls (see 45 CFR § 164.312(a)(1)). This is one area where WhatsApp falls short. If WhatsApp is installed on a smartphone that is not protected by a PIN or passcode, anyone who picks up the phone can view the messages in the user's WhatsApp account.
That means any electronic PHI in saved conversations would be accessible. Device-level controls such as a passcode or biometric unlock can be required before the handset can be used, but even when those controls are in place, notification previews of new messages can often be read from the lock screen without opening the app or unlocking the device, so message content can still leak to whoever is looking at the phone.
HIPAA also requires audit controls (see 45 CFR § 164.312(b)). This is another area in which the use of WhatsApp is not HIPAA compliant. Messages and attachments are saved to the device, and the user can easily delete them. WhatsApp does not retain server-side copies of messages once they have been delivered, so the only record of a conversation is whatever exists on the handset and in any backups the user has chosen to make. The covered entity would therefore need to back up and retain all data in the account itself, which it has no practical means of doing. Currently, if a user switches phones, the account is preserved, but the message history is not, unless the user restores it from a backup that the covered entity neither controls nor can audit.
Then there is the question of what happens to electronic PHI in a WhatsApp account on a personal device after the user leaves the organization. Controls would be needed to ensure that all messages containing electronic PHI are permanently erased. This presents a logistical problem for a covered entity: the erasure cannot be performed remotely, and locating every message that contains PHI within a personal account would be virtually impossible. Furthermore, users may object to data in their WhatsApp account being deleted.
There is some ambiguity as to whether a business associate agreement would need to be signed with WhatsApp, even if WhatsApp were otherwise HIPAA compliant. Since all data transmitted through WhatsApp is sent through an encrypted tunnel and WhatsApp cannot read it, WhatsApp could arguably be treated as a mere conduit for information under HIPAA, in the same way as an ISP or a courier. If that is the case, a business associate agreement would not be required between the covered entity and WhatsApp in order to use the service.
Some companies that provide messaging services hold the keys needed to decrypt messages sent through their platforms, and will comply with law enforcement requests and divulge message content if they receive a subpoena, court order, or search warrant.
WhatsApp will comply with such requests, but its terms state that message content will not be provided to law enforcement, only basic account details. WhatsApp says the information that would be disclosed "may include 'about' information, profile photos, group information, and address book, if available". It further states that WhatsApp "does not store messages once they are delivered or transaction logs of such delivered messages, and undelivered messages are deleted from our servers after 30 days."
Considering the issues discussed in this article, the use of WhatsApp to communicate electronic PHI does not comply with HIPAA, and the service cannot be used to send electronic PHI without violating HIPAA. However, for general communications, or for sending health information that has been de-identified in accordance with 45 CFR § 164.514 (and which is therefore no longer PHI), WhatsApp could be used by healthcare professionals without violating HIPAA.