Is Signal HIPAA compliant? (2022 update)

Last updated: 28 December 2022

We’ve been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

Today we will determine if Signal is a HIPAA compliant telehealth service or not.

About Signal

Signal is a cross-platform encrypted messaging and voice over IP (VoIP) service. It is a messaging app that allows users to send text messages, make voice and video calls, and share images, documents, and other media, similar to WhatsApp. However, Signal is known for its strong emphasis on privacy and security.

Signal uses end-to-end encryption for all messages and calls, which means that the messages and calls made through the app cannot be intercepted by third parties. Signal is also open source, which means that its code is publicly available and can be independently audited by security experts to ensure that it is secure.

Signal is available on various mobile and desktop platforms, including Android, iOS, Windows, and MacOS.

SEE ALSO: Texting tools and HIPAA compliance: The ultimate guide

Signal and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We checked the Signal site and did not find any mention of their ability to sign a BAA with customers. For example, the Signal Terms & Privacy Policy page did not mention the words HIPAA, health, or business associate agreement.

Notification of Enforcement Discretion

When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available audio or video communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Examples of non-public facing applications include:

• Amazon Chime
• Apple FaceTime
• Doxy.me
• Facebook Messenger video chat
• Google Hangouts video
• Jabber
• Signal
• Skype
• Spruce Health Care Messenger
• Updox
• VSee
• WhatsApp
• Zoom

See also: HIPAA privacy and security guidelines as they relate to telehealth

Does Signal offer HIPAA compliant telehealth service?

The business associate agreement is a key component to HIPAA compliance between a covered entity and a business associate.

As we noted earlier, Signal does not offer a BAA.

It should be noted however, Signal is considered by HHS as a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, it currently allows healthcare entities to use Signal and not be liable for HIPAA fines.

Conclusion: Until the Notification of Enforcement Discretion is terminated, Signal can be used in a non-public facing manner by U.S. healthcare organizations, without risk of HIPAA fines.

See related: OCR issues notification of enforcement discretion for business associates in response to COVID-19 pandemic