Signal is a popular encrypted messaging app that is often thought to be HIPAA compliant. However, there are some important considerations that healthcare organizations need to be aware of before using Signal to communicate protected health information (PHI).
HIPAA Compliance Requirements
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 by President Bill Clinton; it sets standards for the privacy and security of health information. For a messaging app to be HIPAA compliant, it must meet certain technical and administrative requirements.
The technical requirements for HIPAA compliance include:
- Using encryption to protect PHI from unauthorized access, use, or disclosure.
- Implementing strong access controls to limit who can access PHI.
- Maintaining a secure backup system for PHI.
The administrative requirements for HIPAA compliance include:
- Training employees on how to protect PHI.
- Conducting regular risk assessments to identify and address security vulnerabilities.
Signal’s Compliance Status
Signal meets many of the technical requirements for HIPAA compliance, such as its use of end-to-end encryption, though as a peer-based system, it does not store PHI in a central and secure way over time. Further, it does not meet all of the administrative requirements, such as having a BAA in place with all of its users.
Is Signal HIPAA Compliant for Healthcare?
Whether or not Signal is HIPAA compliant for healthcare depends on how it is used. If Signal is only used to send messages that do not contain PHI, then it is likely compliant. However, if Signal is used to send PHI, then additional steps must be taken to protect the information.
Penalties for Violating HIPAA
- Unauthorized access to protected health information (PHI). This could result in a civil penalty of $100 to $50,000 per violation, or up to $1.5 million per year for any person or organization.
- Improper disclosure of PHI. This could result in a civil penalty of $100 to $50,000 per violation, or up to $1.5 million per year for any person or organization.
- Failure to implement and maintain appropriate security measures to protect PHI. This could result in a civil penalty of $100 to $50,000 per violation, or up to $1.5 million per year for any person or organization.
- Willful neglect to safeguard PHI. This could result in a criminal penalty of up to $250,000 and imprisonment for up to 10 years.
How Organizations Can Use Signal In HIPAA Compliant Ways for Healthcare
There are a few things that healthcare organizations can do to make Signal HIPAA compliant for their use:
- Only use Signal for messages that do not contain PHI.
- Encrypt any PHI that is sent through Signal using a third-party tool.
- Keep a record of all Signal messages that contain PHI.
- Train employees on how to use Signal securely.
By following these guidelines, healthcare organizations can use Signal in a way that is compliant with HIPAA and avoid any possible penalties.
How To Report HIPAA Violations
The United States Office of Civil Rights handles all HIPAA violation complaints. Complaints may be filed on their website.