Is Facebook Messenger™ HIPAA-Compliant?

Updated on September 9, 2024.

Messenger™, also known as Facebook Messenger™, is an instant messaging app developed in 2011 and available on desktop or mobile devices. Because it is free, popular, and offers video calling for up to 50 people via its Messenger Rooms™ feature, healthcare organizations looking for affordable telehealth delivery methods might consider using Messenger. But is Facebook Messenger HIPAA compliant? Unfortunately, the answer is no. Any HIPAA-compliant chat app must meet certain criteria, and Messenger falls short on several counts. Although free HIPAA-compliant instant messaging might be too good to be true, there are better alternatives to using Facebook Messenger.

Why Isn’t Facebook Messenger HIPAA Compliant?

It’s easy to see why healthcare organizations might be tempted to use Messenger for telehealth. Messenger has widespread adoption in the US, with around 194 million users on the app [1]. Providers might see Messenger as an easy and familiar solution to reach patients rather than introducing an entirely new platform. Sadly, Facebook Messenger just isn’t HIPAA-compliant.

For Facebook Messenger to be considered a HIPAA-compliant telemedicine platform, it must fulfill all of the following requirements:

  • Employ end-to-end encryption
  • Implement access control
  • Enable audit controls
  • Sign a business associate agreement (BAA)

What Does Facebook Messenger Need To Be A HIPAA-Compliant Video Chat Solution?

Below we assess whether Facebook Messenger meets the security and regulatory requirements to be considered HIPAA compliant.

Is Facebook Messenger™ a HIPAA Compliant Telemedicine Platform?

End-To-End Encryption

Any solution that claims to be HIPAA compliant must encrypt data at all times (at rest and in transit) so protected health information (PHI) is not vulnerable to interception by third parties. Facebook Messenger does include an option to encrypt conversations, but users must opt in to this feature, so encryption is not guaranteed for every exchange of PHI.

Business Associate Agreement (BAA)

Business associates are companies or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. A business associate agreement is a contract between a healthcare organization and a business associate that requires both parties to protect PHI under HIPAA’s rules and regulations. Facebook will not sign a BAA, so it is not a HIPAA-compliant telemedicine platform.

Audit Controls

HIPAA-covered entities must ensure there is an audit trail. All information sent within Facebook Messenger would need to be stored with the ability to examine user activity within the app. It’s easy for users to delete messages, so maintaining an audit trail on Facebook Messenger would be difficult. Due to a lack of audit controls, Facebook Messenger is not a HIPAA-compliant video chat solution.

Access Control

Facebook Messenger users aren’t required to provide login details each time they view messages in the app; therefore, the platform does not implement the proper access and authentication controls. If a device that contains the Messenger app is stolen, an unauthorized person can access the PHI shared in the app without having to log in. Due to a lack of access controls, Facebook Messenger is not a HIPAA-compliant telemedicine platform.

What’s The Verdict?

Facebook Messenger fails to meet the four HIPAA requirements above in full and is therefore not considered a HIPAA-compliant telemedicine platform.

In order to implement a HIPAA-compliant telehealth solution, patients should also be required to complete necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portals and telehealth platforms include:

Get A Fully HIPAA-Compliant Telehealth Platform With BridgeInteract

Healthcare organizations should take care to avoid penalties and legal liability. Implementing a video chat solution that isn’t HIPAA compliant can have serious consequences for your practice and for the security of patient data.

HIPAA regulations covering telecommunications services were temporarily relaxed in 2020, allowing healthcare providers to use non-HIPAA-compliant platforms like Facebook Messenger for telecommunications. However, this leniency only extends to the end of 2024, so any organization using Messenger for patient communication should switch to a HIPAA-compliant software solution as soon as possible [2].

Bridge offers a fully HIPAA-compliant telehealth solution as part of BridgeInteract, a modular, comprehensive patient engagement platform with robust communication tools designed with healthcare and compliance in mind, including a client-branded mobile app, live chat, biometric logins, proxy access, and more.

BridgeInteract integrates messaging, file-sharing, and video chat across multiple devices and includes features like patient education, self-scheduling, and appointment reminders.

In addition, BridgeInteract is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services.* To know more about the certified module, please check https://www.bridgeinteract.io/certifications/

Contact us to learn how we can help you manage your telehealth with a comprehensive patient engagement solution fully compliant with HIPAA and the latest enterprise-grade cybersecurity standards.

DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge is not affiliated, endorsed, or sponsored in any way by the service providers mentioned in this article.

*This certification does not represent an endorsement by the US Department of Health and Human Services.

Sources:

  1. Statista. (2024). Share of Facebook Messenger users in the United States as of July 2024, by age group. [online] Available at: Link. Accessed August 21, 2024.
  2. US Congress. (2023). Consolidated Appropriations Act. [online] Available at: Link. Accessed August 21, 2024.

John Deutsch

Chief Executive Officer (CEO) John is a seasoned executive with 20+ years of healthcare IT business ownership experience specializing in patient engagement, marketing, and software/web development. He was the co-founder of EMR Experts, an EHR consulting firm, which was sold to Bizmatics Inc in 2008. John then founded Medical Web Experts, a leader in custom HIPAA-compliant software/web development and marketing for the healthcare industry. Bridge Patient Portal, an all-in-one patient engagement solution, was spun off from Medical Web Experts in 2014. John split his time as CEO between both Medical Web Experts and Bridge Patient Portal until late 2019, at which point he stepped down as CEO at Medical Web Experts to focus solely on Bridge Patient Portal. Besides his extensive experience in business and workforce management, he also maintains strong technical knowledge in information systems, IT security, compliance, and healthcare.