WhatsApp is not HIPAA compliant and cannot be used to send and receive Protected Health Information unless a patient specifically requests confidential communications via WhatsApp. However, there are other scenarios in which it is possible to use WhatsApp for healthcare.
In 2016, WhatsApp announced the implementation of end-to-end encryption across all web and mobile apps. Not only are chat messages encrypted, but also images, attachments, and voice calls. In theory, this would make WhatsApp an ideal solution to ensure the confidentiality of Protected Health Information (PHI) when it is communicated electronically.
However, WhatsApp lacks many of the capabilities required to comply with other standards of the Security Rule. Additionally, in its Business Terms, WhatsApp makes it clear the service is not suitable for “entities regulated by laws […] with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”
Because of this clause, HIPAA Covered Entities are unable to enter into a Business Associate Agreement with WhatsApp because it would violate §164.308 of the Security Rule. This standard requires Covered Entities to “obtain satisfactory assurances” that the Business Associate will safeguard PHI shared by the Covered Entity – something WhatsApp is unable to provide.
Can WhatsApp Access Encrypted PHI?
There is an argument that WhatsApp does not qualify as a Business Associate because communications are encrypted by each user’s device, so WhatsApp cannot access encrypted PHI because it does not have the encryption key. However, the Department for Health and Human Services (HHS) has published guidance clarifying this issue.
The guidance states that, even though a provider of a cloud service cannot access PHI, they still qualify as a Business Associate because encryption alone does not ensure the confidentiality, integrity, and availability of PHI. Additionally, WhatsApp would not be exempt from HIPAA compliance under the “conduit exception” because it has persistent access to PHI.
Consequently, although WhatsApp can be used to send and receive messages that do not contain PHI (i.e., work schedules, appointment reminders, etc.), WhatsApp is not considered to be HIPAA compliant by HHS and should not be used to send or receive PHI – except when circumstances exist that permit the communication of PHI via non-compliant channels of communication.
Communicating PHI via WhatsApp
Strictly speaking, there is only one circumstance in which it is permissible to send PHI via WhatsApp and this is when a patient exercises their right to request confidential communications via a specific channel or platform (see §164.522(b)). If the request is reasonable, and safeguards are implemented to ensure the privacy of PHI, it is possible to send PHI to a patient via WhatsApp.
In this circumstance, it is a best practice to warn the patient that WhatsApp does not support HIPAA compliance and ask for the request to be put in writing along with an acknowledgement the patient has been warned of the risks of communicating via WhatsApp. Both the warning and the request should be documented to prevent civil penalties in the event of a HIPAA audit.
With regards to receiving PHI from patients via WhatsApp, this is perfectly okay because patients are not Covered Entities and not required to comply with the Privacy and Security Rules. However, policies and procedures have to be put in place to determine what happens to the PHI once it has been received by a healthcare professional via WhatsApp.
Is WhatsApp HIPAA Compliant? Conclusion
Provided communications do not include PHI, it is permissible for healthcare professionals to use WhatsApp to (for example) communicate with colleagues about clinical situations, share scientific information, and manage agendas. It is also permissible to receive PHI from patients via WhatsApp provided the PHI is subsequently used and disclosed in compliance with the Privacy Rule.
What is not permissible is sharing PHI with colleagues via WhatsApp or communicating PHI with patients via WhatsApp without a patient’s consent. Although there are occasions when HHS’ Office for Civil Rights exercises “enforcement discretion” for such events, this is generally only during a public health emergency and only for specific purposes.
Consequently, healthcare professionals and other HIPAA Covered Entities and Business Associates are advised to limit the use of WhatsApp to avoid inadvertent HIPAA violations and adopt an alternate messaging platform that does support HIPAA compliance. If you are unsure about what type of platform might be best for your organization, you should seek professional compliance advice.