WhatsApp is not HIPAA compliant and cannot be used for sending individually identifiable health information except in emergency situations, when an individual authorizes a disclosure via a non-compliant communications channel, or when a patient requests confidential communications via WhatsApp.
WhatsApp is not HIPAA compliant because it lacks the capabilities that would enable HIPAA covered entities to comply with the Administrative, Physical, and Technical Safeguards of the Security Rule. There are no software integrations that can make WhatsApp HIPAA compliant, and the owners of WhatsApp – Meta – will not enter into Business Associate Agreements.
In many cases, these compliance shortcomings have been sufficient for HIPAA covered entities to dismiss WhatsApp as a communication option. However, there are circumstances in which it is possible for healthcare providers to use WhatsApp for healthcare despite its lack of capabilities to support HIPAA compliance. Examples of these circumstances include:
- When healthcare providers communicate with each other without disclosing individually identifiable health information.
- When an event compromises systems that contain Protected Health Information (PHI) and an option to safely transmit PHI is WhatsApp.
- When the Department of Health and Human Services issues a Notice of Enforcement Discretion for WhatsApp during a natural disaster.
- When an individual authorizes a disclosure of PHI to a third party via a non-compliant communications channel such as WhatsApp.
- When a patient requests confidential communications with a healthcare provider via WhatsApp as allowed by §164.522(b) of HIPAA.
Are Patient Communications via WhatsApp HIPAA Compliant?
The last of these examples is interesting because, under §164.522(b) of HIPAA, healthcare providers are “required” to accommodate reasonable requests – even when the request includes the communication of PHI over a non-compliant communications channel. In such cases, although WhatsApp is not HIPAA compliant, the use of WhatsApp is compliant.
Previous HHS guidance relating to communicating with patients via unsecure email requires healthcare providers to apply reasonable safeguards when accommodating patient requests. In the context of making patient communications via WhatsApp HIPAA compliant, safeguards should include applying access controls to the provider’s WhatsApp account and limiting disclosures of PHI to the minimum necessary to achieve the purpose of the disclosure.
It is also advisable to implement procedures for exporting PHI received from a patient in a WhatsApp message to a compliant storage solution before the message is deleted. In addition, the disappearing messages function should be used for outgoing messages, and media should be prevented from being copied by anybody other than the recipient of the WhatsApp message.
One final consideration is that HHS issued its guidance in 2008, before many states passed their own data privacy regulations. The guidance at the time suggested that, if a patient contacts a healthcare provider by WhatsApp, the healthcare provider can safely assume that WhatsApp messages are acceptable to the patient. However, many newer state data privacy regulations now require a patient to affirmatively opt in before healthcare providers can make this assumption.
HIPAA covered entities unsure about when it is permissible to use WhatsApp for healthcare activities, or what safeguards should be implemented to make patient communications via WhatsApp HIPAA compliant, are advised to seek help from a HIPAA compliance professional.