Is WhatsApp® HIPAA-Compliant Telemedicine Software?

- The Bridge Team
- March 28, 2023
Published on March 28, 2023. Updated on September 4, 2024
Is WhatsApp® HIPAA compliant? The short answer is no—if you’re a healthcare organization or professional relying on the popular messenger platform for telehealth or patient communication, it’s time to switch to fully HIPAA-compliant telemedicine software. Failure to do so before the end of 2024, when the temporary relaxation of HIPAA rules surrounding telehealth platforms for healthcare will be unwound, could result in severe penalties [1].
Why Isn’t WhatsApp HIPAA Compliant?
For a communications platform to be considered a HIPAA-compliant telemedicine platform, it must fulfill the following requirements:
- Employ end-to-end encryption
- Implement access control
- Enable audit controls
- Sign a business associate agreement (BAA)
While WhatsApp provides end-to-end encryption, that does not mean it is HIPAA compliant. Other facets of HIPAA must be satisfied before the software can be deemed compliant.
- Access control: Since WhatsApp does not require users to enter a password for every session, it does not provide the required access controls.
- Audits: Because messages and attachments are easily deleted from WhatsApp, audits, which are necessary for HIPAA compliance, cannot be conducted.
- Security: WhatsApp cannot ensure that all communications containing ePHI (electronic protected health information) are completely deleted remotely once an employee leaves the employment of a covered entity.
- BAA: WhatsApp has not agreed to sign a BAA with a covered entity.
WhatsApp is NOT a HIPAA-compliant telemedicine software and should not be used to share ePHI or deliver online healthcare since doing so would violate HIPAA regulations. If you are at all subject to HIPAA compliance, WhatsApp is an unacceptable risk. However, healthcare professionals may use WhatsApp for general communication or for providing de-identified PHI.
How Do I Make HIPAA-Compliant Video Calls?
For healthcare professionals who want to utilize a HIPAA-compliant video communication tool, some companies have already stated that they will enter into a HIPAA business associate agreement and follow HIPAA compliance regulations. The Office for Civil Rights (OCR) [2] has provided a list of HIPAA-compliant telemedicine software, which includes:
- Updox®
- VSee™
- Doxy.me®
- Zoom for Healthcare®
- Cisco® Webex Meetings / Webex Teams
- Amazon Chime™
- GoToMeeting™
- Spruce Health Care Messenger™
In order to implement HIPAA-compliant telemedicine software, patients must also complete the necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portal and telehealth platforms include:
Get A Secure Fully HIPAA-Compliant Telemedicine Solution
BridgeInteract provides highly customizable, all-in-one patient engagement software that meets the most complex needs of high-volume, multi-specialty healthcare organizations, including HIPAA-compliant messaging and live chat.
While the popularity of WhatsApp can make it a tempting platform for patient communication, it should be avoided due to the risk of HIPAA violation. As a safe alternative, Bridge offers a HIPAA-compliant telehealth solution that seamlessly integrates with your existing EHR system. Its stand-out feature is a suite of patient engagement functionality outside telehealth that automates the online care journey for a better patient experience and more efficient workflows.
The BridgeInteract platform leverages the strictest security standards and can be customized to fit your organization’s needs. It is SOC 2 certified, highlighting its commitment to the highest enterprise-level data security standards. To ensure the security of patient information and protect client data, the platform employs robust encryption, advanced firewalls, and HIPAA-compliant cloud services.
In addition, BridgeInteract is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services.* To learn more about the certified module, see https://www.bridgeinteract.io/certifications/.
Unlike other messenger services like WhatsApp, BridgeInteract is built with HIPAA compliance in mind from the ground up. Contact us to discuss how our telehealth platform can help you excel at patient engagement without any risk of breaking HIPAA.
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated with, endorsed by, or sponsored in any way by the service providers mentioned in this article.
*This certification does not represent an endorsement by the US Department of Health and Human Services.
Sources:
1. US Congress. Consolidated Appropriations Act. (2023). [online] Available at: Link. Accessed August 21, 2024.
2. Office for Civil Rights (OCR). (2020). Notification of Enforcement Discretion for telehealth. [online] HHS.gov. Available at: Link. Accessed August 21, 2024.
