Is WhatsApp HIPAA Compliant?

Following the introduction of end-to-end encryption, many Covered Entities are wondering whether WhatsApp is HIPAA compliant. Although end-to-end encryption protects PHI in transit, the popular messaging app does not include all the features required to comply with the Health Insurance Portability and Accountability Act.

It is a common misconception that encryption alone makes an app HIPAA compliant. In fact, HIPAA does not even stipulate that encryption is mandatory – instead classifying it as an “addressable” requirement that does not have to be implemented if a Covered Entity believes (and documents) that an alternative safeguard is equally effective at ensuring the confidentiality, integrity and availability of PHI.

Furthermore, even if an app encrypts messages in transit, other security mechanisms need to be present in order for the app to be HIPAA compliant. WhatsApp lacks these security mechanisms, so although it is safe to send de-identified information via the messaging app, the answer to the question “Is WhatsApp HIPAA compliant?” is definitely “No”.

What Security Mechanisms is WhatsApp Lacking?

In order for WhatsApp to be HIPAA compliant, a significant number of security mechanisms would have to be added to the software. These include:

  • On-device encryption. The end-to-end encryption provided by WhatsApp is only a tunnel: it protects a message while it is in transit, and once the message arrives on a device it is decrypted and stored in the clear.
  • Access controls to stop anybody who picks up a mobile device onto which WhatsApp has been installed from reading confidential messages.
  • Similarly, WhatsApp would have to have an automatic time-out function to prevent unauthorized access via a mobile device left unattended.
  • Message notifications would have to be changed as, in their current format, they can be viewed without unlocking the device or opening the app.
  • There are no audit controls, and chat history is stored on the device, so if a device is lost or stolen there is no way of deleting messages remotely.
  • The same issue of remotely deleting messages containing PHI also arises when an employee leaves the employment of a Covered Entity.

The above list is not exhaustive but, unfortunately, it has been reported that some healthcare professionals are using WhatsApp to communicate PHI. Not only does this risk the unauthorized disclosure of PHI, but users could delete PHI without it being properly recorded elsewhere. There is also a risk that the device could be hacked remotely – exposing all the PHI stored on the device to cybercriminals.

Issues with Regard to Business Associate Agreements

There are also issues with regard to Business Associate Agreements that further bear on the question “Is WhatsApp HIPAA compliant?”. There is an argument that, as WhatsApp only acts as a conduit for the communication of PHI and does not have access to the content, a Business Associate Agreement would not be necessary.

However, WhatsApp could be required to comply with a court order to release user information that – although not including messaging content – could include personal information about the user, their profile, their address book and groups they belong to. In theory, these elements of a WhatsApp account could provide sufficient personally identifiable information to constitute a violation of HIPAA.

In conclusion, no messaging app should be considered HIPAA compliant in itself, because HIPAA compliance is about how users use the software rather than the software itself. Regarding the question of whether alternative messaging services to WhatsApp are HIPAA compliant, Covered Entities should seek professional advice before permitting staff to use them for communicating PHI.