Is Facebook Messenger™ HIPAA-Compliant?
- John Deutsch
- November 13, 2020
Updated on September 9, 2024.
Messenger™, also known as Facebook Messenger™, is an instant messaging app developed in 2011 and available on desktop or mobile devices. Because it is free, popular, and offers video calling for up to 50 people via its Messenger Rooms™ feature, healthcare organizations looking for affordable telehealth delivery methods might consider using Messenger. But is Facebook Messenger HIPAA compliant? Unfortunately, the answer is no. Any HIPAA-compliant chat app must meet certain criteria, and Messenger falls short on several counts. Although free HIPAA-compliant instant messaging might be too good to be true, there are better alternatives to using Facebook Messenger.
Jump to:
- Why Isn’t Facebook Messenger HIPAA Compliant?
- What Does Facebook Messenger Need To Be A HIPAA-Compliant Video Chat Solution?
- Get A Fully HIPAA-Compliant Telehealth Platform
Why Isn’t Facebook Messenger HIPAA Compliant?
It’s easy to see why healthcare organizations might be tempted to use Messenger for telehealth. Messenger has widespread adoption in the US, with around 194 million users on the app1. Providers might see Messenger as an easy and familiar solution to reach patients rather than introducing an entirely new platform. Sadly, Facebook Messenger just isn’t HIPAA-compliant.
For Facebook Messenger to be considered a HIPAA-compliant telemedicine platform, it would have to fulfill all of the following requirements, which map to the Security Rule's technical safeguards (45 CFR 164.312) and the business associate provisions:
- Employ end-to-end encryption
- Implement access control
- Enable audit controls
- Sign a business associate agreement (BAA)
Explore: HIPAA Compliance And Telemedicine:
- Is Apple FaceTime® HIPAA Compliant?
- Is Skype™ HIPAA Compliant?
- Is WhatsApp® HIPAA Compliant?
- Is Zoom® HIPAA Compliant?
- Is Microsoft Teams® HIPAA Compliant?
What Does Facebook Messenger Need To Be A HIPAA-Compliant Video Chat Solution?
Below we assess whether Facebook Messenger meets the security and regulatory requirements to be considered HIPAA compliant.
End-To-End Encryption
Any solution that claims to be HIPAA compliant must protect protected health information (PHI) both in transit and at rest so that it cannot be read by third parties. End-to-end encryption covers the transit half: only the two endpoints hold the keys, so neither an eavesdropper nor the service provider can read the messages. Messenger does offer end-to-end encryption, but it has historically been an opt-in feature rather than a guarantee for every conversation, and a covered entity has no way to enforce or verify that a given patient conversation is protected. End-to-end encryption also says nothing about how messages are stored on the device or on the provider's servers, so on its own it does not satisfy the at-rest requirement.
Business Associate Agreement (BAA)
Business associates are companies or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. A business associate agreement is a contract between a healthcare organization and a business associate that requires both parties to protect PHI under HIPAA’s rules and regulations. Facebook will not sign a BAA, so it is not a HIPAA-compliant telemedicine platform.
Audit Controls
The Security Rule's audit-controls standard (45 CFR 164.312(b)) requires covered entities to record and be able to examine activity in systems that contain or use PHI. For Messenger that would mean retaining every message together with a record of who sent, read, and deleted it, available to the covered entity on demand. Messenger provides neither: users can delete messages on their own, and the organization has no administrative access to conversation records. Without an audit trail it controls, a covered entity cannot treat Facebook Messenger as a HIPAA-compliant video chat solution.
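The point above is that a user-initiated delete must not erase the record. As an added example (not code from this article or from any product it names), the following Python shows one way a chat platform can meet that requirement: every send, read, and delete is appended to a hash-chained audit log, a delete hides the message from the user's view but leaves the audit entry in place, and any later edit to or removal from the stored chain is detectable. The class and function names, the actors, and the sample messages are all constructed for illustration.

```python
"""Append-only, tamper-evident audit log for a messaging service.

Added example, not the article's or any vendor's code. Actor names and
sample messages below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    seq: int
    actor: str
    action: str        # "send", "read" or "delete"
    message_id: str
    detail: str        # message text for "send", empty otherwise
    timestamp: str
    prev_hash: str     # digest of the previous event (chain link)
    digest: str = ""   # SHA-256 over every field except digest

    def compute_digest(self) -> str:
        payload = json.dumps(
            {k: v for k, v in self.__dict__.items() if k != "digest"},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class AuditLog:
    GENESIS = "0" * 64   # prev_hash of the first event

    def __init__(self):
        self._events: list[AuditEvent] = []
        self._deleted: set[str] = set()

    def record(self, actor, action, message_id, detail="", timestamp=None):
        """Append one event; the chain is never rewritten or truncated."""
        prev = self._events[-1].digest if self._events else self.GENESIS
        ev = AuditEvent(
            seq=len(self._events), actor=actor, action=action,
            message_id=message_id, detail=detail,
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            prev_hash=prev,
        )
        ev.digest = ev.compute_digest()
        self._events.append(ev)
        if action == "delete":
            self._deleted.add(message_id)   # hidden from the UI, kept in the log
        return ev

    def visible_messages(self):
        """What the chat UI shows: sends with no later delete event."""
        return [e for e in self._events
                if e.action == "send" and e.message_id not in self._deleted]

    def history(self, message_id):
        """What an auditor sees: every event ever recorded for a message."""
        return [e for e in self._events if e.message_id == message_id]

    def verify(self) -> bool:
        """Recompute the chain; any edited, inserted or removed event breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self._events):
            if e.seq != i or e.prev_hash != prev or e.digest != e.compute_digest():
                return False
            prev = e.digest
        return True


def build_sample_log() -> AuditLog:
    """Constructed exchange: a clinician sends a result, the patient reads and deletes it."""
    log = AuditLog()
    log.record("dr_smith", "send", "m1", "Your lab results are in the portal.",
               "2024-09-09T14:00:00+00:00")
    log.record("patient_42", "read", "m1", timestamp="2024-09-09T14:05:00+00:00")
    log.record("patient_42", "delete", "m1", timestamp="2024-09-09T14:06:00+00:00")
    log.record("dr_smith", "send", "m2", "Call the office to schedule a follow-up.",
               "2024-09-09T14:10:00+00:00")
    return log


def tampered_log_detected() -> bool:
    """Rewriting a stored message after the fact breaks the chain."""
    log = build_sample_log()
    log._events[0].detail = "No results yet."
    return not log.verify()


def removed_event_detected() -> bool:
    """Erasing the delete event itself is also caught (seq and prev_hash no longer line up)."""
    log = build_sample_log()
    del log._events[2]
    return not log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("visible to patient:", [e.message_id for e in log.visible_messages()])
    print("audit history of m1:", [(e.actor, e.action) for e in log.history("m1")])
    print("tampering detected:", tampered_log_detected(), removed_event_detected())
```

The patient's view drops `m1` after the delete, but `history("m1")` still returns the send, read, and delete events for an auditor. In a real deployment the chain would be written to storage the application user cannot modify and the last digest anchored somewhere external (a signed checkpoint or a separate log), otherwise an attacker with write access could simply rebuild the whole chain.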
Access Control
The Security Rule calls for access control (45 CFR 164.312(a)(1)), including unique user identification and automatic logoff, and for person or entity authentication (45 CFR 164.312(d)). Messenger keeps users signed in indefinitely and gives the covered entity no way to enforce re-authentication, inactivity timeouts, or multi-factor login for its staff or its patients, and the practice cannot manage those sessions centrally. If a device with the Messenger app is lost or stolen, anyone who unlocks it can read the PHI in the conversation without entering credentials. Due to this lack of access controls, Facebook Messenger is not a HIPAA-compliant telemedicine platform.
What’s The Verdict?
Facebook Messenger falls short on each of the four requirements above and is therefore not a HIPAA-compliant telemedicine platform.
A HIPAA-compliant telehealth deployment also requires patients to complete the necessary consent forms and agreements. Commonly used consent forms and agreements for online patient portals and telehealth platforms include:
Get A Fully HIPAA-Compliant Telehealth Platform With BridgeInteract
Healthcare organizations should be cautious: implementing a video chat solution that isn't HIPAA compliant exposes the practice to penalties and legal ramifications and puts patient data at risk.
In March 2020 the HHS Office for Civil Rights announced enforcement discretion for telehealth during the COVID-19 public health emergency, which allowed providers to use non-public-facing consumer apps such as Facebook Messenger video chat without HIPAA penalties. That discretion ended with the public health emergency on May 11, 2023, after a transition period that closed on August 9, 2023. The Consolidated Appropriations Act, 2023 extended Medicare telehealth coverage flexibilities through the end of 20242, but that extension concerns coverage and payment, not HIPAA enforcement, so any organization still using Messenger for patient communication should move to a HIPAA-compliant software solution now.
Bridge offers a fully HIPAA-compliant telehealth solution as part of BridgeInteract, a modular, comprehensive patient engagement platform with robust communication tools designed with healthcare and compliance in mind, including a client-branded mobile app, live chat, biometric logins, proxy access, and more.
BridgeInteract integrates messaging, file-sharing, and video chat across multiple devices and includes features like patient education, self-scheduling, and appointment reminders.
In addition, BridgeInteract is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services.* To know more about the certified module, please check https://www.bridgeinteract.io/certifications/.
Contact us to learn how we can help you manage your telehealth with a comprehensive patient engagement solution fully compliant with HIPAA and the latest enterprise-grade cybersecurity standards.
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge is not affiliated, endorsed, or sponsored in any way by the service providers mentioned in this article.
*This certification does not represent an endorsement by the US Department of Health and Human Services.
Sources:
- Statista. (2024). Share of Facebook Messenger users in the United States as of July 2024, by age group. [online] Available at: Link. Accessed August 21, 2024. ↩︎
- US Congress. (2023). Consolidated Appropriations Act. [online] Available at: Link. Accessed August 21, 2024. ↩︎