Facebook is one of the largest social media platforms the world has ever seen and almost everyone is familiar with its Messenger tool, with many having the application installed on their smart phone or mobile device, but can Facebook messenger be used in compliance with the Health Insurance Portability and Accountability Act, more commonly referred to as HIPAA?
Given that many doctors, nurses and patients use Facebook’s Messenger service already, it may seem quite well placed to be used as a way to communicate and share information between and among these groups. In strictly regulated industries such as healthcare, however, there are a number of standards that have to be met. When sensitive personal data like protected health information (PHI) is being managed, shared or stored, HIPAA requires that certain criteria be met.
One of the more important aspects is implementing safeguards to avoid the possibility of data being intercepted while being shared or transferred. The most common way to achieve this is to encrypt the data, so that even if the a transmission is picked up by an unauthorized person, they will not be able to decipher the encryption and access the actual patient information. As encryption becomes more widespread, it is being adopted by many chat services, including Facebook Messenger. At first glance this seems satisfactory, until we examine further and see that encryption of data in transit is a setting that has to be enabled and for the this aspect of HIPAA to be satisfied, both sender and receiver must have the activated function. While Facebook Messenger can comply with HIPAA in this regard, there are many more considerations to be checked.
Another vital element which services must include to be HIPAA compliant is enforcing a manner to verify that information is only accessed by authorized parties. A common method to achieve this is with the use of a username and password combination. While such a combination must be entered to gain access to Facebook Messenger, it is not necessary to login in to the service at every use, introducing the risk that unauthorized parties could gain access to PHI should a phone or other mobile device be lost or stolen. Additional security, for example an automatic log out function or a periodic auto-locking function on the phone, would need to be introduced and enabled to reduce the risk of a stolen device being used to access PHI. Remote deletion of any PHI stored on the phone would also have to be possible.
Crucially, HIPAA compliance requires a facility to record user activity, including what PHI was accessed, by whom, when, and what was done with it. Facebook Messenger does not currently have such a function built in and so some other kind of tertiary system or backup would need to be created to log the necessary details, potentially from scratch.
Business Associate Agreement
As with all services which HIPAA-covered entities might want to use to treat or share PHI, a Business Associate Agreement would need to be in place between the service provider and the HIPAA-covered entity, in this case, with Facebook to cover Messenger. This is not something which we have seen to date.
Is Facebook Messenger HIPAA complaint?
Without appropriate audit functions and a BAA, it would appear that Facebook Messenger is not HIPAA complaint.