Is Facebook Messenger™ a HIPAA Compliant Telemedicine Platform?

Messenger™, also known as Facebook Messenger™, is a free instant messaging app first released in 2011 and available on desktop and mobile devices. Facebook Messenger™ allows users to send and exchange messages, photos, stickers, videos, audio, and files, and also supports voice and video calls. In April 2020 Messenger Rooms™ was launched, allowing users to video chat with up to 50 people without a time limit.

With the increased demand for telemedicine during the coronavirus pandemic, healthcare providers are seeking patient messaging solutions that are easy to integrate with their practice. Because Messenger™ is one of the most widely used messaging platforms in the US, many healthcare organizations are asking whether it can be used for telemedicine. It is tempting to reach patients through a familiar app they already have installed rather than ask them to adopt an entirely new platform.

While healthcare organizations are looking for quick, turnkey solutions at this time, they should be cautious: using a video chat or messaging solution that is not HIPAA compliant exposes the practice to penalties and legal liability, and exposes patient data to compromise.

For Facebook Messenger™ to be considered a HIPAA compliant telemedicine platform, it would need to satisfy all of the following requirements:

  • Employ end-to-end encryption so PHI cannot be read by third parties, in transit or at rest
  • Implement access controls (unique user identification, authentication, and automatic logoff)
  • Provide audit controls (records of who accessed or sent PHI, and when)
  • Be covered by a signed business associate agreement (BAA) between the healthcare organization and Facebook

Is Facebook Messenger™ a HIPAA compliant video chat solution?

Below we assess whether Facebook Messenger™ meets the security and regulatory requirements to be considered HIPAA compliant.

End-to-end encryption

Any solution that claims to be HIPAA compliant must protect PHI at all times, both at rest and in transit, so it is not vulnerable to interception by third parties. Facebook Messenger™ encrypts ordinary conversations in transit, but their content is stored on Facebook's servers in a form Facebook can read, so Facebook itself is a third party with access to any PHI exchanged. End-to-end encryption is available only as an opt-in feature (Secret Conversations) for one-to-one chats; it is not the default, it does not apply to Messenger Rooms™ video calls, and a provider has no way to require that patients turn it on. Because encryption of PHI depends on each user opting in and does not cover every channel, Facebook Messenger™ does not meet this requirement.

Access control

Facebook Messenger™ keeps users signed in indefinitely and does not require them to authenticate each time they view messages in the app. There is no automatic logoff, and a healthcare organization has no way to enforce password policy, multi-factor authentication, session timeouts, or remote wipe on either the provider's or the patient's account. Anyone who gains access to an unlocked device with Messenger™ installed, for example if the device is lost or stolen, can read the PHI shared in the app without having to log in. Due to this lack of access controls, Facebook Messenger™ is not a HIPAA compliant telemedicine platform.


Audit controls

HIPAA-covered entities must maintain an audit trail: records of who accessed, sent, or changed PHI and when, which can be reviewed when investigating an incident or a patient complaint. Facebook Messenger™ gives a healthcare organization no access to such activity logs, offers no retention controls, and lets either party delete messages at any time, so a reliable audit trail cannot be maintained. Due to a lack of audit controls, Facebook Messenger™ is not a HIPAA compliant video chat solution.

Business associate agreement

Business associates are companies or persons that create, receive, maintain, or transmit PHI on behalf of a covered entity. A business associate agreement is a contract between a healthcare organization and a business associate that obligates the business associate to safeguard PHI under HIPAA's rules and regulations and spells out its permitted uses and disclosures. Because Facebook stores and can read Messenger™ conversations, it would be a business associate of any provider using the app with patients. Facebook does not sign a BAA for Messenger™, so the platform cannot be HIPAA compliant regardless of its technical controls.

What’s the verdict?

Facebook Messenger™ fails each of the four requirements above and is not a HIPAA compliant telemedicine platform.

Implementing a HIPAA compliant telemedicine platform also requires patients to complete the necessary consent forms and agreements. Commonly used consent forms and agreements for online patient portal and telehealth platforms include:


The ubiquity of Messenger™ makes it a tempting solution for patient communication, but its non-compliance with HIPAA means that healthcare organizations should avoid its use. Bridge offers a fully HIPAA-compliant telehealth solution as part of a comprehensive patient engagement platform. The software not only integrates messaging, file-sharing, and video chat across multiple devices, but includes features like patient education, self-scheduling, and appointment reminders under the latest security protocols. Contact us to learn more about how Bridge can help you meet your telehealth needs.

John Deutsch

Founder and CEO of Bridge Patient Portal, and business owner of 19 years with extensive experience in Healthcare IT. John is a Judge for the 2020 eHealthcare Leadership Awards and has appeared on multiple podcasts, including the Outcomes Rocket Podcast and the Hospital Finance Podcast.