No, WhatsApp is not HIPAA compliant, primarily because it does not offer a Business Associate Agreement (BAA), a requirement for HIPAA compliance, and lacks certain necessary safeguards, such as comprehensive audit controls and encryption standards required for the secure handling of Protected Health Information (PHI).
Even with its more robust security features, it is unlikely that WhatsApp checks all the boxes needed to be fully HIPAA compliant. Below, we outline several factors which may negatively impact the ability of HIPAA covered entities and their employees to use WhatsApp in conjunction with Protected Health Information (PHI).
What’s Wrong With WhatsApp?
A general rule to keep in mind when considering the compliance of software or applications is that HIPAA compliance is ultimately dependent on how the software is used by the person interacting with it. Even the most well-designed software, incorporating all the necessary features which would facilitate and even promote HIPAA compliant use, can be manipulated in such a way as to breach the privacy of PHI or violate HIPAA rules. This is not necessarily always caused by malicious use; human error can easily lead to costly or embarrassing mistakes.
When we think back to WhatsApp, the main reason people were considering its use with PHI to be allowed was because of its encryption capability. However, it should be noted that HIPAA does not expressly require that encryption be used. A significantly robust alternate system would satisfy this aspect of HIPAA requirements just as well as WhatsApp’s end-to-end encryption.
There are two factors upon which we can convincingly build arguments against WhatsApp’s HIPAA compliance. The first is that HIPAA requires access controls to be in place to prevent unauthorized parties from gaining access to PHI. On many smartphones, there is not a sufficient login or identification system to meet the necessary level of security. Even more hazardous, many people set WhatsApp to display messages on the lock screen even when the phone is electronically “locked”. As such, anyone who accessed the smartphone could conceivably see the WhatsApp conversations or messages which contain PHI, resulting in a breach of HIPAA.
The second major flaw of WhatsApp that impacts its ability to be used in compliance with HIPAA is its lack of an audit function. To comply with HIPAA, software and other programs must track and record how PHI is accessed, transmitted, altered, or deleted. WhatsApp does not include sufficient functions to log all of this information. Messages can be sent and deleted without a trace. In addition, no conversation history or backup is kept, meaning that changing or losing a phone would result in all message or conversation data on that phone being lost.
On top of these two main reasons, there are questions as to whether WhatsApp would be classed as a Business Associate or as an information conduit. This would impact whether agreements would need to be in place between WhatsApp and the HIPAA covered entity.
As a result of these issues, it appears that, at this time, WhatsApp is not HIPAA compliant.