I’ll start off by answering this question with, “It’s the wrong question!” And I’ll continue by saying whether WhatsApp is HIPAA compliant is likely irrelevant to your patient.
What matters most to my patients is that I’m someone they can trust. Next, they want timely access. Next, they want good, compassionate care. Next, they want affordable care.
Very low on the list is whether some app or software meets some guideline that doesn’t directly benefit their health. And it’s hard to convince someone that some app they’ve never heard of that has terrible functionality is more secure than a multibillion-dollar app like WhatsApp.
Are You Allowed to Communicate over WhatsApp?
If the patient wants you to chat with them on the phone, on email, by letter, by text message, or by WhatsApp, as long as you’re comfortable doing so, you can.
I can’t force my patient to use Spruce and they can’t force me to use FB messenger. I’ve written about Spruce before here.
The point is that a healthy patient-doctor relationship is built by meeting each other halfway. Many of my patients are comfortable with Signal or WhatsApp.
But remember there are free HIPAA-compliant apps as well.
What if Their PHI Leaks?
So what happens if somehow their information gets stolen or leaks? Are you responsible?
Even if you use a HIPAA-compliant app and the data leaks you could be responsible. What matters is what steps you took and if someone wants to take you to court over the matter (including the State Medical Board.)
If you signed a patient agreement informing them that any communication outside of a HIPAA-compliant platform bears the risk of leaked PHI and they are okay with it, it’s unlikely that you will have any responsibility.
What Does Your Patient Want?
In any good medical practice, it’s good to have these discussions and give patients options. You can tell them that you always prefer a HIPAA-compliant platform like Spruce but it has limitations and that with many patients you use WhatsApp for audio, video, documents, texts, etc.
Sign the agreement and I suspect you won’t have any issues with WhatsApp if you take the same steps you would with any other app.
What Makes an App HIPAA-Compliant?
This is a major healthcare consulting topic for many. Not something I’m interested in but something I get asked about a lot.
1. Encryption
The information should be encrypted so that only the 2 parties in that conversation can access the info.
2. Access Control
The app should limit who can access it and allow for strong passwords and 2FA.
3. Audit Trails
If the Protected Health Information is leaked it can be detected using forensics. It should allow us to know who accessed what when and from where.
4. Data Storage
If any information is stored it should be stored safely using encryption.
5. Data Transmission
HTTPS protocols and other methods of securing data packets when they are transmitted between the doctor and patient are necessary.
6. BAAs
All platforms are provided by a third party vendor who should be willing to sign a Business Associate Agreement which binds them to the HIPAA rules.
7. Secure Authentication
2FA or MFA (multi-factor authentication) is important to allow extra levels of security.
8. Secure Logout
Logging someone out after inactivity or a suspected breach is an important part of a HIPAA-compliant app or platform.
9. Data Backups
Whether multiple servers are used for redundancy or data is backed up regularly, this is important to prevent data loss.
10. Training
The part we hate most as physicians, having to take the same training every year to the point of throwing up. It’s on the organization using the app to have their users regularly take such training.
11. Remote Data Wipe
Any device or app should have a remote data wipe option available in case of theft or if the device is lost.
12. User Consent
There are forms that need to be signed between the patient and doctor so that we can inform them how their data which is transmitted in the app is stored and used.
13. Data Deletion
When the patient requests it it’s important to give them all of their data or delete it fully.