WhatsApp, A Healthcare Panacea: Not So Fast

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

A recent article on Forbes, “Why WhatsApp Could be a Game-Changer for American Health Care,” caught my eye and attention. The article focuses on a commonly reported desire among professionals in the healthcare industry to have and use text messaging. Texting is used in everyday life, so why not in healthcare? The quick but incomplete answer is HIPAA. HIPAA is used as an excuse or barrier for many proposals in healthcare, but it does not tell the entire story.

The Forbes article chooses to focus on WhatsApp because WhatsApp includes end-to-end encryption. It is argued that this form of encryption addresses privacy and security concerns in healthcare by helping to lock down the messages being transmitted, including the information contained in the message. Encryption is only a piece of ensuring that communications comply with applicable HIPAA requirements. As the article rightly points out, issues of recipient verification and maintenance of information present challenges under HIPAA. These are definitely relevant and valid concerns.

While WhatsApp and its end-to-end encryption may be appealing to healthcare, the application practically is not ready to be used in healthcare. Even though WhatsApp may claim it does not access messages or information sent through its network, the question of whether WhatsApp stores the data remains. If WhatsApp stores data, then it is not a conduit and any covered entity utilizing the service would need a business associate agreement with WhatsApp. Additionally, if data is stored on WhatsApp servers, it would be necessary to gain insight into the measures ensuring the privacy and security of information stored on those servers.

Another issue related to WhatsApp is the lack of enterprise level account creation capabilities and just the overall lack of enterprise level options. As currently constituted, WhatsApp is designed for individual use. Companies cannot gain control over accounts created by employees or otherwise create a corporate account that employees can work under. As recently as May, I directly asked individuals at WhatsApp whether the application would be expanded to commercial use and in particular for the healthcare industry. At that time, WhatsApp indicated that it was in the very early stages of incorporating or developing a commercial based product/option, but had not progressed very far or given special consideration to usage in the healthcare industry. The absence of consideration by WhatsApp itself further demonstrates that it is not ready for real use in healthcare at this time.

Another recent announcement by WhatsApp should further dampen any potential usage in healthcare. In a shift from previous stances of zealously protecting privacy, WhatsApp announced that it will begin sharing some information about users with its parent, Facebook. While users can opt out of some amount of the data sharing, the mere fact that data will move outside of WhatsApp to another entity should cause pause for any healthcare provider that would consider using WhatsApp. Even if WhatsApp asserts that only some basic metrics will be shared, this suggests that information is being accessed and policies could continue to shift in the future.

The face value promise of WhatsApp and the speed with which publications or others seem to have jumped on potential uses underscores why healthcare needs to develop a solution that allows everyday functionality to come in. While easing communication and incorporating basic technology is a recognized and desired goal, healthcare and HIPAA present challenges. These challenges are not insurmountable, but demonstrate why healthcare specific solutions often need to be created. A quick look around the internet can find some healthcare specific messaging applications and the solutions continue to be refined so they more closely mirror applications such as WhatsApp or iMessage. However, the applications likely will need to be healthcare specific, at least at this point, to help ensure that individuals and entities within the healthcare industry can satisfy applicable regulatory requirements.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.