Messenger™, also known as Facebook Messenger™, is a free instant messaging app developed in 2011 and available on desktop or mobile devices. Facebook Messenger™ allows users to send and exchange messages, photos, stickers, videos, audio, and files, in addition to supporting voice and video calls. In April of 2020 Messenger Rooms™ was launched, allowing users to video chat with up to 50 people without a time limit.
With an increased demand for telemedicine during the coronavirus pandemic, healthcare providers are seeking patient messaging solutions that are easy to integrate with their practice. Since Messenger™ has widespread adoption in the US, as one of that nation’s leading messaging platforms, many healthcare organizations are wondering if the platform can be used for telemedicine. Providers might see Messenger as an easy and familiar solution to reach patients, rather than introducing an entirely new platform. Providers can offer Messenger™ as a solution, which patients already use and are familiar with, instead of having them use a new platform.
While healthcare organizations are looking for quick and convenient turnkey solutions at this time, they should be cautious to avoid penalties and legal ramifications. Implementing a video chat solution that isn’t HIPAA compliant can have serious ramifications for your practice and the security of patient data.
For Facebook Messenger™ to be considered a HIPAA compliant telemedicine platform, it must fulfill all of the following requirements:
- Employ end-to-end encryption
- Implement access control
- Enable audit controls
- Sign a business associate agreement (BAA)
Is Facebook Messenger™ a HIPAA compliant video chat solution?
Below we assess whether Facebook Messenger™ meets the security and regulatory requirements to be considered HIPAA compliant.
Any solution that claims to be HIPAA compliant must encrypt data at all times (at rest and in transit) so PHI is not vulnerable to interception by third parties. Facebook Messenger™ does include an option to encrypt data, but users must opt-in to this feature.
Facebook Messenger™ users aren’t required to provide login details each time they view messages in the app; therefore, the platform does not implement the proper access and authentication controls. If a device is stolen that contains the Messenger™ app, an unauthorized person will be able to access the PHI shared in the app without having to log in. Due to a lack of access controls, Facebook Messenger™ is not a HIPAA compliant telemedicine platform.
HIPAA-covered entities must ensure there is an audit trail. All information sent within Facebook Messenger™ would need to be stored with the ability to examine user activity within the app. It’s easy for users to delete messages, therefore, it would be difficult to maintain an audit trail on Facebook Messenger™. Due to a lack of audit controls, Facebook Messenger™ is not a HIPAA compliant video chat solution.
Business associate agreement
Business associates are companies or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. A business associate agreement is a contract between a healthcare organization and a business associate that requires both parties to protect PHI under HIPAA’s rules and regulations. Facebook will not sign a BAA so is not a HIPAA compliant telemedicine platform.
What’s the verdict?
Facebook Messenger™ fails to meet all four HIPAA requirements and is not considered a HIPAA compliant telemedicine platform.
In order to implement a HIPAA compliant telemedicine platform patients should also be required to complete necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portal and telehealth platforms, include:
Discover whether the following popular video conferencing tools are HIPAA compliant.
- Is Apple FaceTime® a HIPAA Compliant Telehealth Software Platform
- Is Skype™ HIPAA Compliant?
- Is WhatsApp® a HIPAA compliant telemedicine software?
- Is Zoom® a HIPAA Compliant Telehealth Software?