It is important to remember that no software platform or messaging application can be completely HIPAA compliant, because HIPAA compliance relates to how the software is used, not to what features it contains or permits.
Software can support HIPAA compliance and include all the security measures necessary to protect the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by the people using it.
HIPAA does not mandate encryption outright. Encryption is an addressable implementation specification in the Security Rule: it must be implemented where reasonable and appropriate, and where it is not, an equivalent alternative measure may be used in its place and the decision documented. As WhatsApp now applies end-to-end encryption to messages in transit, this aspect of HIPAA is satisfied for the transmission of messages.
HIPAA also requires access controls to be established – see 45 CFR § 164.312(a)(1). This is one area where WhatsApp cannot be regarded as HIPAA compliant. Once WhatsApp is installed on a smartphone, anyone with access to that smartphone can read the messages in the user’s WhatsApp account without having to enter a username or password. That means any ePHI contained in saved conversations would be viewable. Device-level controls can be enabled to authenticate users before the phone is unlocked, but even when those controls are in place, notification previews of new messages can often be read without opening the app or unlocking the device.
HIPAA also requires audit controls to be in place – see 45 CFR § 164.312(b). This is another area where WhatsApp cannot be regarded as HIPAA compliant. Messages and attachments are saved only on the device, where they can easily be erased, and WhatsApp itself keeps no record of messages once they have been delivered. A covered entity would therefore have to back up and retain all data in the account itself. At present, if you change phones, your account is preserved, but your messages are not.
Then there is the problem of what happens to ePHI in a WhatsApp account on a personal device after the user leaves the organization. Controls would need to be in place to ensure all messages containing ePHI are permanently deleted. That would be a logistical conundrum for any covered entity: deletion could not be carried out remotely, finding the relevant messages would be next to impossible, and users would likely complain about their WhatsApp history being deleted.
There is some debate about whether a business associate agreement would need to be signed with WhatsApp. Since all data sent through WhatsApp travels through an encrypted tunnel, WhatsApp could be regarded as a mere conduit for information, in which case a business associate agreement would not be needed. Some companies that supply messaging services do hold the keys needed to decrypt the messages they carry, and will comply with law enforcement requests and share message content if they receive a subpoena, court order, or search warrant.
While WhatsApp will comply with such requests, its terms and conditions state that the content of messages will not be given to law enforcement, only basic account information. WhatsApp says the information that would be accessible, “May include “about” information, profile photos, group information, and address book, if available. WhatsApp does not store messages once they are delivered or transaction logs of such delivered messages, and undelivered messages are deleted from our servers after 30 days.” However, what is not made clear is whether WhatsApp holds a key that could decrypt messages, and therefore whether message content could be read by the company. Were that to be the case, WhatsApp would no longer be a mere conduit and a business associate agreement would likely be required.
So can WhatsApp be regarded as HIPAA compliant? At present the answer is no. When it comes to WhatsApp and HIPAA compliance, the service cannot be used to send ePHI without risking a violation of the HIPAA Rules. For general communication, or for sending de-identified health information, WhatsApp could be used by healthcare workers.