HIPAA-covered entities must ensure an audit trail is maintained. Any PHI sent through a chat messaging platform would need to be saved and hardware, software or procedural mechanisms would be required to ensure any activity involving PHI could be reviewed. It would be difficult to manage an audit trail on Facebook Messenger and there are also no controls to stop messages from being deleted by users.
Is a Business Associate Agreement Necessary?
The HIPAA Conduit Exception allows HIPAA-covered groups to share information via certain services without the need for a business associate agreement. For instance, it is not necessary to enter into a BAA with an Internet Service Provider (ISP) or the U.S. Postal Service. Those entities only behave as conduits.
However, cloud service providers are not included in that exception. HHS states on its website: “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”
Facebook would therefore need to complete a BAA with a HIPAA-covered entity before Facebook Messenger could be used to send/share PHI, and at the time of writing, Facebook is not willing to sign a BAA for its Messenger service.
Workplace by Facebook HIPAA Compliance
Workplace by Facebook is a messaging service that can be implemented by businesses to communicate internally. The Workplace Enterprise Agreement says in its prohibited data section, “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”
So is Facebook Messenger HIPAA Compliant?
Without a BAA, and without the correct audit and access controls, we are of the opinion that Facebook Messenger is not HIPAA compliant. If you want to use a chat program for communicating PHI, we would advise that you use a HIPAA-compliant messaging service that has been developed specifically for the healthcare sector, such as TigerText. These secure healthcare text messaging solutions incorporate all the necessary controls to make sure PHI can be sent securely, and include access controls, audit controls, and complete end-to-end encryption.