
Few people would dispute the convenience of a patient and doctor exchanging medical notes on WhatsApp. It accelerates workflows, which can improve outcomes in turn. It might occasionally even mean that in an emergency a patient gets the requisite advice, which might just save a life, or at least prevent the patient from developing severe complications. (See our previous blog: Use WhatsApp with Care, Especially for Business.) However, when such a consultation entails an exchange of PHI, doctors need to be wary.
What is PHI?
PHI means protected health information, i.e., individually identifiable health information of patients, which is protected by the Security Rule of the Health Information Portability and Accountability Act (HIPAA). All covered entities (CEs) are expected to ensure the confidentiality, integrity, and availability of all PHI. PHI can take the form of paper records, electronic health records (EHR), lab reports, and even pharmacy receipts, since these record details such as name, gender, age, geographic location, Social Security number, credit card details, and details of the patient’s ailment.
Potential HIPAA Violations When Sharing PHI on WhatsApp

WhatsApp (WA) is not designed for sharing PHI. It is meant to be a messaging app for building social connections between two or more people. As a social media platform, privacy and confidentiality are obviously not its core strengths. While it claims end-to-end encryption, remember that backups of WA messages are not encrypted. Further, all WA messages are stored on WhatsApp servers, which are not designed to comply with Security Rule requirements. Guidance issued by the Department of Health and Human Services (HHS) clarified that WhatsApp cannot absolve itself of its responsibility as a conduit of sensitive information. It pointed out that encryption per se cannot prevent a breach. Therefore, since WhatsApp is not HIPAA compliant, WA can be used only for communication that does not contain PHI, such as setting up doctor appointments, sending reminders, and sharing scientific information with colleagues.
What It Means for You

This means that when PHI is shared on WA, it could be accessed and viewed by unauthorized persons, a major HIPAA violation. This might also occur if someone forwards a message containing PHI or takes a screenshot. Under §164.522(b) of the Security Rule, individuals are granted the right to request that covered entities restrict other uses and disclosures of PHI, such as disclosures made to family members or to persons involved in the individual’s care. However, in many instances, WhatsApp messages can be accessed by family members or even friends. This automatically puts the security and privacy of PHI in jeopardy. Add to that the hazards of device security, i.e., when a mobile phone is lost or stolen: it creates a situation where just about anybody can access sensitive information. Even locking a device with biometric data does not always help, as everyone usually also has an alphanumeric code that unlocks their device.
WA Terms of Business Prevent Entering into a BAA

Few people read the fine print, or even the Terms of Business (ToB), of any app or software they download. If you read WhatsApp’s Terms of Business, you will find a disclaimer stating that, since it is a simple messaging app, it is not an appropriate medium for use by “entities regulated by laws […] with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities”. This in itself is sufficient to preclude any covered entity from entering into an enforceable Business Associate Agreement (BAA). Under the HIPAA Security Rule’s administrative safeguards, clause §164.306: (1)(i) Standard: Security management process, not only CEs but also their business associates (BAs) are under an obligation to “implement policies and procedures to prevent, detect, contain, and correct security violations”.
What You Can Do to Demonstrate Due Diligence

Under almost all circumstances it would be inadvisable to share PHI on WhatsApp, except in a life-threatening situation. Ideally, the message containing the data should be deleted for everyone immediately after it has been used to prescribe relief measures and/or advise admission to a facility. Further, if the patient requests that PHI be shared on WhatsApp, doing so will not be a HIPAA violation, as the patient is not a covered entity but is merely exercising their right to request such information via a channel of their choice. However, you should warn the patient of the potential security and privacy risks attached to sharing PHI on WhatsApp. Ensure that you ask the patient to put their request for sharing PHI on WA in writing, and put the warning about potential risks in writing. If you are able to get a written acknowledgement that the patient received such a warning, it puts you in a safer position. This action will protect you from civil penalties after an audit.
Lack of Data Breach Notification

Most importantly, the vulnerability of WhatsApp that no one talks about is that a data breach would be difficult to detect. Probably the earliest a patient might realize that such a breach has occurred is when there is identity theft, a prescription is filled by the wrong person, or care is denied because someone has used up their insurance cover. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires not only CEs but also their business associates to notify affected individuals in case of a data breach, i.e., an impermissible use or disclosure of PHI.
Conclusion

While WhatsApp is a convenient platform for exchanging information, it is desirable that all covered entities use some other, HIPAA-compliant platform when PHI needs to be shared, to ensure that there are no violations. The only time the HHS Office for Civil Rights (OCR) will be relatively lenient about the sharing of PHI on WhatsApp is when a life-threatening situation crops up, or during a public health emergency like the recent one.
Still in Doubt, or Need Guidance or Immediate Assistance?

Why don’t you contact us at +91 733-113-2288, or write to us at service@friggp2c.com or friggp2c@gmail.com.
Also, check out our services like Vulnerability Assessment, Penetration Testing, Code Review, Testing as a Service, and Risk Management on our website www.friggp2c.com.
We are determined to work with and for you, and to make your organization one of the safest for you, your customers, and all prospective clients.