Is WhatsApp HIPAA compliant? (2022 update)


Last updated: 28 December 2022

We’ve been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.

We know the HIPAA-regulated industry is vast, so we understand just how many people in this sector need to use cloud-based services.

When we first wrote this post in 2017, we concluded WhatsApp was not a HIPAA compliant service. With the onset of COVID-19, a lot has changed since then. As such, today we’ll revisit the topic: can WhatsApp be considered a HIPAA compliant telehealth service?

About WhatsApp

WhatsApp is a cross-platform messaging and voice over IP (VoIP) service owned by Facebook, Inc. It allows users to send text messages, voice calls, and video calls, as well as share images, documents, and other media.

WhatsApp was created in 2009 and is available on various mobile and desktop platforms, including Android, iOS, Windows, and macOS. It is a popular messaging app used by people all over the world to communicate with each other.

WhatsApp is known for its end-to-end encryption, which ensures that the messages and calls that are made through the app are secure and cannot be intercepted by third parties.

Facebook acquired WhatsApp in 2014 for $19.3 billion.

WhatsApp and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

Since WhatsApp is now part of Facebook, we checked the websites of both Facebook and WhatsApp for any mention of HIPAA compliance for WhatsApp.

For our Facebook search, we keyed in on their:

As was the case in 2017 when we first covered this topic, we again could not find any mention of HIPAA or business associate agreement in any of these resources.

Next, we did the same search on WhatsApp. Their legal docs were bundled into a single page:

When we explored the WhatsApp Business Terms of Service page, we found:

“We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”

We can therefore see that WhatsApp and its parent company Facebook still do not offer a BAA in 2022.

Notification of Enforcement Discretion

When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Examples of non-public facing applications include:

  • Amazon Chime
  • Apple FaceTime
  • Doxy.me
  • Facebook Messenger
  • Google Hangouts video
  • Jabber
  • Signal
  • Skype
  • Spruce Health Care Messenger
  • Updox
  • VSee
  • WhatsApp
  • Zoom

See also: HIPAA privacy and security guidelines as they relate to telehealth

Does WhatsApp offer HIPAA compliant telehealth service?

The business associate agreement is a key component of HIPAA compliance between a covered entity and a business associate.

As we noted earlier, both WhatsApp and its parent company Facebook still do not offer a BAA for WhatsApp.

It should be noted, however, that HHS considers WhatsApp a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, it currently allows healthcare entities to use WhatsApp without being liable for HIPAA fines.

Conclusion: Until the Notification of Enforcement Discretion is terminated, WhatsApp can be used in a non-public facing manner by U.S. healthcare organizations, without risk of HIPAA fines.

See related: OCR issues notification of enforcement discretion for business associates in response to COVID-19 pandemic

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.
