Dear Midwife: Here's why WhatsApp is not HIPAA-compliant

By: Facundo Gauna (Founder/CEO)

WhatsApp’s encryption technology is excellent for the everyday user. It’s wonderful that it protects the information of everyday people, even from the eyes of internal employees and automated systems within WhatsApp. Privacy is such an important topic for social media companies because there was a time when they sold the information they gathered to monetize their services. WhatsApp’s end-end encryption changes that because only the phone part of a conversation can decrypt the data. Also, WhatsApp is very popular in other countries that worry about the prying eyes of the government, and it’s also very popular in places where telecom companies are charging per text message sent.

This article will cover whether WhatsApp can be utilized while complying with all HIPAA requirements.

Note: This article has been reviewed by a HIPAA third-party consultant for its accuracy.

Before we get started

In this article, we assume you're an out-of-hospital midwife who runs a solo practice or is part of a group practice. If you're a different healthcare provider, we hope you find this relevant, valuable, and, most likely, still applicable. Having a basic understanding of HIPAA compliance requirements will be helpful.

The short

  • No BAA agreement - Although WhatsApp has a tremendous end-to-end encryption feature, Meta, the company that owns WhatsApp, does not issue the Business Associate Agreements (BAAs) necessary for HIPAA compliance.
  • Based on established guidelines issued by the U.S. Department of Health and Human Services (HHS), WhatsApp does not meet the required security standards for a telehealth application. Therefore, WhatsApp must not be used as a telehealth platform for communicating with patients.

Why is WhatsApp not HIPAA compliant despite its encryption features?

For HIPAA compliance, as a “covered entity,” you must execute and maintain a BAA with other companies or service providers (i.e. business associates) that help in your business functions. Any service provider who can access, maintain, create, store, or transmit any of your patient PHI is considered a Business Associate. In this case, Meta would be considered a Business Associate, and at the time of writing, they do not issue a BAA when using WhatsApp or WhatsApp for Business.

Below is a section from WhatsApp Business Terms of Service:

Compliance with Laws and Regulations. You may only use our Business Services if you have ensured that your use of our Business Services complies with all legal and regulatory requirements applicable to Company; it is your sole responsibility to determine your legal obligations. Our Business Services are not intended for intra-company usage. We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities. Company must provide all necessary data disclosures and notices (such as maintaining a privacy policy or labelling marketing messages).

Bottom line: WhatsApp does not guarantee that its software meets the regulatory requirements for HIPAA compliance.

Beyond the required safeguards, policies, and procedures, WhatsApp does not have the necessary auditing capabilities required for HIPAA compliance. A comprehensive audit trail that tracks and records all user activities related to PHI within the app is needed. For example, auditing when and who creates, modifies, views, and deletes messages. In addition, they would have to store these audit logs for at least 6 years.

As a business associate, Meta would also need to:

  • Have documented incident and response protocols in the event of a security breach.
  • Perform regular audits to review access and activity logs to comply with HIPAA regulations.

It is difficult to speculate why WhatsApp does not offer a HIPAA-compliant tier. If you want to be HIPAA-compliant, you cannot use WhatsApp for telehealth calls, phone calls, or sending text messages that contain PHI.

Other Drawbacks Beyond HIPAA Compliance

Beyond compliance issues, other challenges make client management more difficult. For example:

  • There is no great way to schedule messages - With WhatsApp, you can schedule messages if you download another app like SKEDit. Unfortunately, there’s no built-in way to schedule messages through WhatsApp.
  • No message templates - Unless you pay for WhatsApp for Business, you can’t create templates to define repetitive texts for your clients.
  • Hard to follow-up on conversations - Like text messages or other platforms, they don’t have features to make it easy for you as a professional to follow up with an action based on a conversation. In other words, there are no “todo” lists. Health providers usually have to rely on other features like “marking messages as unread” to remind themselves to take action.
  • Notifications at all times - Just like other messaging apps built for social interactions, the notifications never stop. Unless you have a built-in feature in your phone to go on “do not disturb,” it’s hard for you as a health provider to “unplug” and stop receiving notifications. Wouldn’t it be great to define “working hours” so that you only get notified with non-urgent questions when you want to?

We're building a better way.

HIPAA-compliant means meeting all HIPAA Security and Privacy Rule requirements. At Hello Midwife, we're building a HIPAA-compliant messaging app that can help you lessen stress and take off some of the mental load you might have. Midwifery is full of burnout, and we want a difference for the people who give so much of themselves.

We hope you found this article helpful, even if you're not a midwife.

If you're interested in Hello Midwife, click here to start your free trial!