Is Facebook Messenger HIPAA compliant and can it be used by healthcare professionals to share protected health information (PHI) in compliance with HIPAA Rules?
Healthcare professionals are increasingly using non-traditional communication tools and platforms, and many are wondering whether these platforms can be used to share PHI. Partly because of Facebook's popularity, its chat application, Facebook Messenger, is one of the most commonly used messaging services. Below, we explore the HIPAA rules relevant to Facebook Messenger and ask whether Facebook Messenger is HIPAA compliant.
HIPAA requires that any platform used to share PHI include a number of measures to protect the information and prevent it from being accessed while in transit. One way to achieve this is to encrypt the data. Like a number of messaging apps, Facebook Messenger can encrypt data in transit, and it does so to standards that meet HIPAA requirements. However, this is an optional feature which users must specifically enable. Once this has been done, only the sender and the recipient are able to view the message.
Access and authorization controls are also necessary for HIPAA compliance. Should a phone be lost or stolen, unauthorized individuals could gain access to the data if sufficient security measures are not in place. The device itself would need to be protected, as the Messenger app does not require a user to log in for each session.
Another required feature is the ability to maintain an audit trail. Back-ups of PHI shared through Facebook Messenger would need to be kept, and a procedure would need to be put in place to allow activity to be monitored. Facebook Messenger does not currently include a feature that would facilitate an audit trail, and users are free to delete messages without any back-up.
Is a Business Associate Agreement Required?
In accordance with the HIPAA Conduit Exception, some services used to send data, such as Internet Service Providers and the US Postal Service, do not need to have business associate agreements (BAAs) in place, as they are considered information conduits.
Cloud platforms do not fall under this exception. The Department of Health and Human Services specifically states on its website that “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”
Because of this, a BAA between Facebook and the covered entity would be required. To date, Facebook has given no indication that it would be willing to enter into a BAA with a covered entity for the Messenger app.
Workplace by Facebook
Workplace by Facebook is a professional messaging service that facilitates internal messaging within a business. If it is used internally only, is Workplace by Facebook HIPAA compliant? Unfortunately not: according to the Workplace Enterprise Agreement, "you agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations ("Health Information") and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant."
Is Facebook Messenger HIPAA Compliant?
Having examined all of this information, is Facebook Messenger HIPAA compliant? Because it lacks an audit control feature as well as sufficient access safeguards, it appears that Facebook Messenger is not HIPAA compliant. Should your business require a chat platform to share PHI, there are a number of options available, such as TigerText, that have been designed with the healthcare sector in mind. Incorporating all required security measures and controls to protect PHI, such as end-to-end encryption, these may be a much better choice for HIPAA covered entities.