Communication BAA Guide

Is WhatsApp HIPAA compliant?

WhatsApp is a widely-used messaging application that allows users to send text messages, voice messages, make voice and video calls, and share images, documents, user locations, and other media. Known for its end-to-end encryption, it assures that only you and the person you're communicating with can read what is sent. WhatsApp is available on a variety of platforms including iOS, Android, and desktop, facilitating easy and secure communication across devices.

WhatsApp in healthcare

In a healthcare context, WhatsApp is commonly used for informal communication among staff due to its ubiquity and ease of use. Teams use it for quick coordination, shift scheduling, and group messaging. However, its use in clinical or patient-facing contexts raises significant HIPAA concerns that organizations need to understand before relying on it.

WhatsApp and HIPAA compliance

WhatsApp is not HIPAA compliant. Meta (WhatsApp's parent company) does not sign a Business Associate Agreement (BAA) for WhatsApp. Without a BAA, WhatsApp cannot be used to send, receive, or store protected health information (PHI) — period. This applies to all versions of WhatsApp, including WhatsApp Business.

Even though WhatsApp uses end-to-end encryption (E2EE) for messages in transit, encryption alone does not satisfy HIPAA's requirements. Several additional issues compound the compliance risk:

  • Cloud backups are not E2EE by default. If users back up WhatsApp messages to Google Drive or iCloud, those backups may not be end-to-end encrypted, which exposes any PHI they contain to the cloud storage provider. That exposure is itself an unauthorized disclosure, since no BAA covers the provider.
  • No audit trail. HIPAA's Security Rule requires that access to PHI be logged and auditable. WhatsApp provides no audit logging capability.
  • No access controls. WhatsApp does not support the role-based access controls or workforce management features required for HIPAA compliance.
  • Data retention is uncontrolled. Messages persist on personal devices with no organizational control over retention, deletion, or device management.

What healthcare providers can use WhatsApp for

WhatsApp may be used for internal staff communication that contains no PHI — general logistics, non-patient topics, and team coordination that does not reference any patient's health information.

WhatsApp should not be used for:

  • Any communication referencing a patient by name alongside health information
  • Sharing test results, images, diagnoses, or treatment information
  • Patient-facing communication involving appointment details linked to health status or conditions

Frequently asked questions

Is WhatsApp HIPAA compliant? No. WhatsApp is not HIPAA compliant. Meta does not sign a Business Associate Agreement (BAA) for WhatsApp, including WhatsApp Business. Without a BAA, using WhatsApp for PHI is a HIPAA violation.

Is WhatsApp Business HIPAA compliant? No. WhatsApp Business is also not HIPAA compliant. Meta does not offer a BAA for WhatsApp Business, so neither the consumer nor the business version of the app can be used for PHI.

Can healthcare providers use WhatsApp for patient communication? No. Healthcare providers should not use WhatsApp for any patient communication that involves PHI. This includes appointment reminders tied to a diagnosis, test results, care instructions, or any message that could identify a patient alongside their health information.

What messaging apps are HIPAA compliant? HIPAA-compliant messaging platforms that will sign a BAA include TigerConnect, Klara, Spruce Health, Microsoft Teams (with healthcare BAA), and Google Chat (via Google Workspace BAA). These platforms are purpose-built for or configurable to meet healthcare messaging requirements.

Staying HIPAA compliant

Take a look at our ultimate guide to HIPAA compliant software and services for help selecting compliant service providers. However, careful vendor evaluation and selection is only one piece of the puzzle in maintaining HIPAA compliance. At TeachMeHIPAA, we offer an affordable HIPAA training solution to ensure your staff know how to comply, and to help you meet your legally mandated HIPAA training requirement with ease. Learn more about our tips and tricks for maintaining compliance on our HIPAA compliance blog.