Does WhatsApp show compliance with HIPAA requirements?
WhatsApp! Can life be imagined without this app on our mobile phones? When we have at our fingertips an app with which we send out messages on everything from a family outing to an earth-shattering political development, day in and day out, why should we expect healthcare information to be excluded from WhatsApp messaging?
One thing that is certain is that messaging about medical records on WhatsApp cannot be stopped. WhatsApp's announcement that it was introducing end-to-end encryption for its messaging service seemed to clear the air about the core requirement HIPAA has of patient records: their security. While this has cheered those in the healthcare industry, and the millions of users, about the prospect of using a free and relatively secure messaging service such as WhatsApp to transmit electronic protected health information (ePHI), we need to examine whether WhatsApp is technically HIPAA-compliant. End-to-end encryption protects a message while it is in transit between two phones; HIPAA's Security Rule also covers who can read the data once it has arrived, how access to it is logged, and how long it is kept.
But is WhatsApp HIPAA-compliant?
HIPAA Journal, a provider of comprehensive HIPAA news and updates online, has opined that while WhatsApp is certainly not a loose and unsecured platform for transmitting ePHI, technically it is not HIPAA compliant. WhatsApp does offer end-to-end encryption for its messaging, but the software as a whole is not HIPAA-compliant. How does this alter the nature of WhatsApp's HIPAA compliance? Simple: the controls are in the hands of the individual user, not the covered entity. The user, not the organization, decides whether the app is locked, whether chats are backed up to a personal cloud account, and which devices the account is linked to, so the organization cannot enforce the safeguards that keep ePHI confidential, intact and available.
So, where does this leave us? It means that despite all the encryption WhatsApp does, it does not meet the requirements set out in 45 CFR § 164.312(a)(1). Why? Because this section, the access control standard, requires a covered entity to implement technical policies and procedures that allow access to ePHI only to authorized persons, including a unique user identification for each user. This is something WhatsApp does not offer. WhatsApp authenticates a phone number once, at setup, and from then on requires no login or password to open the app. Suppose your ePHI records are in your WhatsApp on your smartphone and I get hold of the phone: I can view your ePHI without entering any password or other form of authentication. All I need is access to your phone. WhatsApp's optional fingerprint or face lock does not change this, because it is a personal setting that the user can switch off and the covered entity cannot enforce.
Audit controls lacking, too
In addition, the Security Rule's audit controls standard, 45 CFR § 164.312(b), requires hardware, software or procedural mechanisms that record and examine activity in systems that contain ePHI. WhatsApp clearly does not have this feature: a covered entity has no way to see who read a given message, when, or on which device. And did you know that WhatsApp attachments and messages are stored on the device and not on WhatsApp's servers? Once a message is delivered it is held only on the phones involved, so WhatsApp is not going to retain it for you. When you change your device, the chat history goes with the old phone unless the user has made a backup, and a backup to a personal iCloud or Google Drive account places a copy of the ePHI in a third-party cloud outside the covered entity's control. This is another reason to believe that WhatsApp is not HIPAA compliant.
Finally, there is the complicated issue of what happens when an employee moves from one company to another. What will happen to ePHI received or transmitted on WhatsApp while she was working for the first company, when that ePHI later needs to be updated or deleted? The old ePHI needs to be deleted, but where? The deletion falls to the covered entity, which is an onerous task to say the least, since the messages sit on a personal phone it does not control, and the exact messages containing the ePHI are nearly impossible to locate.
Yes, WhatsApp is a very convenient medium for sending and receiving ePHI. But it is not HIPAA compliant. What healthcare providers can do is use this platform only for information of a general nature that contains no patient-identifying details.