Is WhatsApp a HIPAA compliant telemedicine software?
Healthcare professionals have recently increased their efforts to provide patients with remote consultations and HIPAA compliant messaging. Some have turned to WhatsApp, a cross-platform messaging and VoIP (Voice over Internet Protocol) service that allows users to send text messages and voice messages, make voice and video calls, and share images, documents, user locations, and other media. But you might be wondering: Is WhatsApp a HIPAA compliant telemedicine software?
In order for a communications platform to be considered HIPAA compliant, it must fulfill the following requirements:
- Employ end-to-end encryption
- Implement access control
- Enable audit controls
- Sign a business associate agreement (BAA)
WhatsApp provides end-to-end encryption, but that does not mean that it is HIPAA compliant. There are other facets of HIPAA that must be satisfied before the software can be deemed compliant.
- Since WhatsApp does not require users to enter a password for every session, it does not provide the required access controls.
- Because messages and attachments are easily deleted from WhatsApp, audits, which are necessary for HIPAA compliance, cannot be conducted.
- WhatsApp lacks the controls to make sure all communications that contain ePHI (electronic protected health information) are completely deleted remotely once an employee leaves the employment of a Covered Entity.
- WhatsApp has not agreed to sign a BAA with a covered entity.
WhatsApp is NOT a HIPAA compliant telemedicine software and should not be used to share ePHI or deliver online healthcare, since doing so would violate HIPAA regulations. Healthcare professionals may use WhatsApp for general communication or for providing de-identified PHI.
If healthcare professionals would like to leverage a HIPAA compliant video communication tool, some companies have already stated that they will enter into a HIPAA business associate agreement and follow HIPAA compliance regulations. The Office for Civil Rights (OCR) has provided a list of HIPAA compliant telemedicine software:
- Skype for Business
- Google G Suite Hangouts Meet