Is WhatsApp® a HIPAA compliant telemedicine software?
In order for a communications platform to be considered HIPAA compliant, it must fulfill the following requirements:
- Employ end-to-end encryption
- Implement access control
- Enable audit controls
- Sign a business associate agreement (BAA)
WhatsApp® provides end-to-end encryption, but that does not mean that it is HIPAA compliant. There are other facets of HIPAA that must be satisfied before the software can be deemed compliant.
- Since WhatsApp® does not require users to enter a password for every session, it does not provide the required access controls.
- Because messages and attachments are easily deleted from Whatsapp®, audits cannot be conducted, which is necessary for HIPAA compliance.
- WhatsApp® lacks the controls to make sure all communications that contain ePHI (electronic personal health information) are completely deleted remotely once an employee leaves the employment of a Covered Entity.
- WhatsApp® has not agreed to sign a BAA with a covered entity.
WhatsApp® is NOT a HIPAA compliant telemedicine software and should not be used to share ePHI or deliver online healthcare since doing so would violate HIPAA regulations. Healthcare professionals may use WhatsApp® for general communication or for providing de-identified PHI.
If healthcare professionals would like to leverage a HIPAA compliant video communication tool, some companies have already stated that they will enter into a HIPAA business associate agreement and follow HIPAA compliance regulations. The Office for Civil Rights (OCR) has provided a list of HIPAA compliant telemedicine software:
- Skype for Business™
- Google Hangouts™
- Zoom for Healthcare®
- Cisco® Webex Meetings / Webex Teams
- Amazon Chime™
- Spruce Health Care Messenger™
Bridge Patient Portal provides an all-in-one patient engagement software that is highly customizable, meeting some of the most complex needs of high volume, multi-specialty healthcare organizations including HIPAA compliant messaging.
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated, endorsed, or sponsored in any way to the service providers mentioned in this article.