Facebook Messenger & HIPAA Compliance

One of the most used chat platforms is Facebook Messenger. To assess whether Facebook Messenger is HIPAA compliant and whether the platform can be used to send PHI, start with the basic requirement: any service used to send PHI must incorporate security controls to ensure information cannot be intercepted in transit. This means messages need to be encrypted. Many chat services, including Facebook Messenger, do encrypt data in transit, so this aspect of HIPAA is satisfied. However, with Facebook Messenger, encryption is optional and users have to opt in. Once that setting has been activated, only the sender and the receiver will be able to see the messages.

There is more to HIPAA compliance than encrypting data in transit. There must be access and authentication controls to ensure that only authorized individuals can log on to the program. Facebook Messenger could be accessed by unauthorized people if a phone was stolen, so the device would need additional security controls to ensure apps like Facebook Messenger could not be accessed in the event of loss or theft. Facebook Messenger users do not have to log in each time to view messages on the application.

HIPAA-covered entities must ensure an audit trail is maintained. Any PHI sent through a chat messaging platform would need to be saved and hardware, software or procedural mechanisms would be required to ensure any activity involving PHI could be reviewed. It would be difficult to manage an audit trail on Facebook Messenger and there are also no controls to stop messages from being deleted by users.

Is a Business Associate Agreement Necessary?

The HIPAA Conduit Exception allows HIPAA-covered entities to share information via certain services without the need for a business associate agreement. For instance, it is not necessary to enter into a BAA with an Internet Service Provider (ISP) or the U.S. Postal Service. Those entities act only as conduits.

However, cloud service providers are not included in that exception. HHS states on its website: “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”

Facebook would therefore need to complete a BAA with a HIPAA-covered entity before Facebook Messenger could be used to send/share PHI, and at the time of writing, Facebook is not willing to sign a BAA for its Messenger service.

Workplace by Facebook HIPAA Compliance

Workplace by Facebook is a messaging service that can be implemented by businesses to communicate internally. The Workplace Enterprise Agreement says in its prohibited data section, “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

So is Facebook Messenger HIPAA Compliant?

Without a BAA, and without the correct audit and access controls, we do not consider Facebook Messenger to be HIPAA compliant. If you want to use a chat program for communicating PHI, we would advise that you use a HIPAA-compliant messaging service that has been developed specifically for the healthcare sector, such as TigerText. These secure healthcare text messaging solutions incorporate all the necessary controls to make sure PHI can be sent securely, and include access controls, audit controls, and complete end-to-end encryption.