WhatsApp and HIPAA Compliance
When discussing WhatsApp and HIPAA compliance, it is important to be aware of the occasions when WhatsApp can be used to send and receive Protected Health Information; and, when these occasions occur, what it is necessary to do to comply with HIPAA.
Most sources discussing WhatsApp and HIPAA compliance tend to dismiss WhatsApp as a HIPAA compliant channel of communication because of its Security Rule shortcomings and because Meta – the owner of WhatsApp – will not enter into a Business Associate Agreement with HIPAA covered entities and business associates.
However, §164.522(b) of the Privacy Rule requires covered healthcare providers to accommodate reasonable requests from patients for confidential communications via a communication channel of their choice. As WhatsApp is a widely used communication channel, it would be unreasonable to refuse such a request.
Complying with a patient’s request would not make WhatsApp HIPAA compliant, but it would introduce compliance requirements for the healthcare provider responding to the request – particularly with regard to what happens to Protected Health Information (PHI) once it has been received on a device, and to PHI that remains on a device after it has been sent.
Although the Department of Health and Human Services (HHS) has not issued specific guidance on WhatsApp and HIPAA compliance, an FAQ published on the HHS website in 2008 implies that responding to a patient request via WhatsApp is permissible, provided reasonable safeguards are implemented to protect the privacy and security of PHI.
These safeguards include warning patients that WhatsApp is not a HIPAA compliant channel of communication, limiting disclosures of PHI to the minimum necessary to fulfil the patient’s request, and copying any PHI provided by the patient to a secure environment before deleting it from the device on which it was received (or, for PHI sent to the patient, from the device from which it was sent).
To ensure HIPAA compliance, covered healthcare providers are advised to develop a WhatsApp policy, provide HIPAA training on the policy to members of the workforce, and document requests from patients to communicate via WhatsApp. It is also advisable to implement access controls on the WhatsApp Business platform.
In addition, depending on the location of the healthcare provider, it may also be necessary to document an affirmative opt-in by the patient to be contacted by WhatsApp. Healthcare providers who are unsure about when state privacy regulations apply are advised to seek help from an independent compliance advisor with experience in state privacy laws.