Is Facebook Messenger™ a HIPAA Compliant Telemedicine Platform?

Messenger™, also known as Facebook Messenger™, is a free instant messaging app developed in 2011 and available on desktop or mobile devices. Facebook Messenger™ allows users to send and exchange messages, photos, stickers, videos, audio, and files, in addition to supporting voice and video calls. In April of 2020 Messenger Rooms™ was launched, allowing users to video chat with up to 50 people without a time limit.

With an increased demand for telemedicine during the coronavirus pandemic, healthcare providers are seeking patient messaging solutions that are easy to integrate with their practice. Since Messenger™ is one of the most widely adopted messaging platforms in the US, many healthcare organizations are wondering whether it can be used for telemedicine. Providers might see Messenger™ as an easy and familiar way to reach patients, since patients already use it, rather than asking them to adopt an entirely new platform.

While healthcare organizations are looking for quick and convenient turnkey solutions at this time, they should be cautious to avoid penalties and legal ramifications. Implementing a video chat solution that isn’t HIPAA compliant can have serious consequences for your practice and for the security of patient data.

For Facebook Messenger™ to be considered a HIPAA compliant telemedicine platform, it must fulfill all of the following requirements:

  • Employ end-to-end encryption
  • Implement access control
  • Enable audit controls
  • Sign a business associate agreement (BAA)

Is Facebook Messenger™ a HIPAA compliant video chat solution?

Below we assess whether Facebook Messenger™ meets the security and regulatory requirements to be considered HIPAA compliant.

End-to-end encryption

Any solution that claims to be HIPAA compliant must encrypt data at all times (at rest and in transit) so PHI is not vulnerable to interception by third parties. Facebook Messenger™ does include an option to encrypt data, but users must opt in to this feature, so encryption is not guaranteed for every conversation.

Access control

Facebook Messenger™ users aren’t required to provide login details each time they view messages in the app; therefore, the platform does not implement the proper access and authentication controls. If a device is stolen that contains the Messenger™ app, an unauthorized person will be able to access the PHI shared in the app without having to log in. Due to a lack of access controls, Facebook Messenger™ is not a HIPAA compliant telemedicine platform.


Audit controls

HIPAA-covered entities must ensure there is an audit trail. All information sent within Facebook Messenger™ would need to be stored with the ability to examine user activity within the app. Because it is easy for users to delete messages, it would be difficult to maintain an audit trail on Facebook Messenger™. Due to a lack of audit controls, Facebook Messenger™ is not a HIPAA compliant video chat solution.

Business associate agreement

Business associates are companies or persons that create, transmit, receive, or maintain PHI on behalf of a covered entity. A business associate agreement is a contract between a healthcare organization and a business associate that requires both parties to protect PHI under HIPAA’s rules and regulations. Facebook will not sign a BAA, so Messenger™ is not a HIPAA compliant telemedicine platform.

What’s the verdict?

Facebook Messenger™ does not satisfy the four HIPAA requirements listed above and is therefore not considered a HIPAA compliant telemedicine platform.

In order to implement a HIPAA compliant telemedicine platform, patients should also be required to complete the necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portal and telehealth platforms include:


The ubiquity of Messenger™ makes it a tempting solution for patient communication, but its non-compliance with HIPAA means that healthcare organizations should avoid its use. Bridge offers a fully HIPAA-compliant telehealth solution as part of a comprehensive patient engagement platform. The software not only integrates messaging, file-sharing, and video chat across multiple devices, but includes features like patient education, self-scheduling, and appointment reminders under the latest security protocols. Contact us to learn more about how Bridge can help you meet your telehealth needs.

John Deutsch

Chief Executive Officer (CEO)

John is a seasoned executive with 20+ years of healthcare IT business ownership experience specializing in patient engagement, marketing, and software/web development. He was the co-founder of EMR Experts, an EHR consulting firm, which was sold to Bizmatics Inc in 2008. John then founded Medical Web Experts, a leader in custom HIPAA-compliant software/web development and marketing for the healthcare industry. Bridge Patient Portal, an all-in-one patient engagement solution, was spun off from Medical Web Experts in 2014. John split his time as CEO between both Medical Web Experts and Bridge Patient Portal until late 2019, at which point he stepped down as CEO at Medical Web Experts to focus solely on Bridge Patient Portal. Besides his extensive experience in business and workforce management, he also maintains strong technical knowledge in information systems, IT security, compliance, and healthcare.