Is WhatsApp HIPAA Compliant?

When WhatsApp revealed that it was introducing end-to-end encryption, it opened up the potential for healthcare organizations to use the service as a practically free secure messaging app, but is WhatsApp HIPAA compliant?

Many healthcare workers have sought an answer to the question "Is WhatsApp HIPAA compliant?", and some healthcare workers are already using the text messaging app to share protected health information (PHI).

However, while WhatsApp does provide much more security than SMS messages and some other text messaging platforms, we are of the opinion that WhatsApp is not HIPAA compliant.

Why is WhatsApp not HIPAA Compliant?

First, it should be remembered that no software platform or messaging app can be 100% HIPAA compliant, because HIPAA compliance is not concerned with software. It is concerned with users. Software can support HIPAA compliance and incorporate all the obligatory safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be disregarded by users.

HIPAA does not require that encryption be used. If a different, equivalent measure is used in its place, encryption is not required. Since WhatsApp now provides end-to-end encryption, this aspect of HIPAA is satisfied.

HIPAA also requires access controls to be configured (see 45 CFR § 164.312(a)(1)). This is one area where WhatsApp cannot be seen as HIPAA compliant. If WhatsApp is downloaded to a smartphone, anyone with access to that smartphone will be able to access the messages in the user’s WhatsApp account, without the need to provide any usernames and passwords. That means any ePHI included in saved conversations would be viewable. Extra security controls may be downloaded on a smartphone to authenticate users before the device can be viewed, but even when those controls have been applied, alerts about new messages can often be seen without opening the app or unlocking the device.

HIPAA also requires the use of audit controls (see 45 CFR § 164.312(b)). This is another area where WhatsApp is not HIPAA compliant. Messages and attachments are saved to the device itself, although they can easily be erased. WhatsApp does not keep a record of messages that have been sent. That would mean that all data in the account would need to be backed up and retained. At present, if you switch phones, your account will be preserved, but your messages will not be restored.

Then there is the problem of what happens to ePHI in a WhatsApp account on a personal device if the user leaves their role in the company. Controls would need to be included to see to it that all messages containing ePHI are permanently deleted. That would be a logistical headache for any covered entity, as it could not be completed remotely, finding messages would be next to impossible, and users would likely object to their WhatsApp being unavailable.

There has been some discussion regarding whether a business associate agreement would need to be completed with WhatsApp. As all data sent through WhatsApp is shared via an encrypted tunnel, WhatsApp could be considered to be a simple conduit for information. As such, a business associate agreement would not be an obligation. Some companies that provide messaging services have access to the key to decrypt data sent in encrypted messages, and will comply with law enforcement requests and share information if they are issued with a subpoena, court order, or search warrant.

While WhatsApp will comply with requests like this, the terms and conditions state that access to the content of messages will not be given to law enforcement, only simple account details. WhatsApp says the information that would be shared, “May include “about” information, profile photos, group information, and address book, if available. WhatsApp does not store messages once they are shared or transaction logs of such delivered messages, and unsent messages are removed from our servers after 30 days.” However, what is not known is whether WhatsApp holds a key to unlock the encryption, and whether messages could be accessed. Were this to be so, a business associate agreement would likely be necessary.

So, in our opinion, WhatsApp in its current form is not HIPAA compliant. When it comes to WhatsApp and HIPAA compliance, the service cannot be deployed as a method of sending ePHI without possibly breaching HIPAA Rules.