Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. We happily encourage therapists to consider the costs and benefits of using Signal, and hope many will adopt it. Please ensure you understand its proper use and make procedures for its proper use before introducing it into your practice.
# of Caveats: 1
# of Usage Notes: 8

Relevant Product Characteristics

  • This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.

What Is This Product?

This review is public. Generally, our HIPAA-propriateness reviews are only available to members of Person-Centered Tech Support, but this one is special. If you want access to all of our HIPAA-propriateness reviews, please subscribe to Person-Centered Tech Support today.

 

Signal is a free and open source texting app that works on iPhones and Android phones, and is highly private. It is intended to be private enough to prevent anyone but the people involved in a conversation from being able to read any messages in that conversation.

We made this review public because Signal is a service to the public. Although it is created by a company, Open Whisper Systems, the purpose of Signal is to be of public value. It is funded by numerous private and non-profit donors, and it is endorsed by security luminaries such as Edward Snowden and Bruce Schneier.

This is all great, and we strongly endorse the use of Signal. That’s not just because it’s secure, but also because it’s easy to use and is likely to be a very effective “gateway” for therapists and clients to start taking secure communications more seriously. Once again, we strongly encourage therapists to consider the costs and benefits of using Signal in their practices if for no other reason than the fact that it is likely to be a convincing way to get clients to use a truly secure option when they text with their therapist.

That said, while Signal is easy to use for secure communications, its highly private nature makes it harder to document the messages you exchange using it. Please read the notes below quite carefully, and ensure you have a set of procedures in place for using Signal properly before you introduce it into your practice. Consider that if maintaining the procedures you need to use Signal and be HIPAA compliant is outside your capabilities, there are paid options out there for secure texting that provide more support for your HIPAA-and-ethics-related documentation needs. See our article on documenting texts and emails for some guidance.

Wait. They don’t do a Business Associate Agreement.

Our careful analysis of the way Signal handles PHI leads us to believe that they qualify as a conduit under the HIPAA Business Associate Rule. Very few software packages can claim that distinction, but Signal is one of them according to all information available to us. So the BAA, in Signal’s case, appears unnecessary.

Note that what makes Signal a conduit is also what gives rise to the harder-to-implement Notes that we’ve written below. There’s a definite trade-off when a software package acts like a conduit under the Business Associate Rule.

Caveats

Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.

1) Signal allows texters to make messages self-destruct, as of an update in October of 2016

At the time of our original analysis of Signal, the app did not support self-destructing messages. This is important because you need to retain messages for your records.

After the update, Signal users can flip a switch that turns on “disappearing messages” in certain specific conversations. We would love it if Signal changed the feature so that one can block its use. Even better would be getting rid of the feature altogether. In the meantime, you’ll need to ask clients not to use it. For this reason, your risk analysis regarding Signal may need to take into account whether or not clients will cooperate with your request on this point.

See our article on documenting texts and emails for some guidance.

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) You need to make a process for documenting the messages you send and receive in a timely fashion

Signal messages exist only on your phone! They are not kept elsewhere and no one else can see them (except for your client’s copies of the messages, of course.) Therefore, you need a procedure that you are comfortable following routinely for getting the messages out of Signal and into the client’s record.

See our article on documenting texts and emails for some guidance.

Signal has a special plug-in for the Chrome web browser that can help get the messages from your phone onto your computer. We will review that Chrome plug-in in a future review. It is likely a good option for making it easy to get your Signal messages into an electronic record system. You may need a tech-savvy person to help you install it and learn to use it.

2) Be aware that Signal prevents your messages from being backed up when you back up your phone.

Even if you are using secure and HIPAA-propriate methods to synchronize your phone’s data to a backup, Signal generally won’t allow its messages to be included in that backup. This is simply all the more reason to come up with a comfortable way to document your Signal messages on a regular and timely basis.

3) You must secure access to your phone in order to secure access to your Signal messages

If someone can get into your phone, they can read the messages in your Signal app. So you need to secure access to your phone and treat the phone as a device that manages PHI. Honestly, you would need to do that anyway. This is especially true because Signal needs you to keep your clients’ phone numbers in your phone’s contact book.

4) Be ready to do what you need to safely keep client contacts in your phone’s contact book

Signal needs you to keep client phone numbers in your phone’s contact book. So to use Signal securely, you’ll need to set up your security plans such that you can keep client contact info in the phone’s contact book securely. The full scope of that discussion is beyond this note. However, the following two measures are, at the very least, necessary:

  • Use obscured identifiers for clients instead of their full names. E.g. use initials. Please do not take this comment to mean, however, that simply using client initials is sufficient for security. It simply helps prevent confidentiality breaches if nearby people glance at your phone screen at the wrong moment.
  • Do not synchronize your contact book to your other devices, unless you’ve already developed a secure and HIPAA-propriate way to do that.
  • Do not allow other apps on your phone to access your contact book.

5) Change your notification settings so that it doesn’t display the names of people sending you messages

When you get a new Signal message, you want your phone to pop up a little notice that you have a new message. But it would be best if that notice just said, “New message!” instead of, “New message from so-and-so!” You especially don’t want your phone to display the contents of the new message in that notice!

So, in your Signal notification settings, you can set it to show “No name or message” when the new message notification pops up. Please do so.

6) Do not turn on “disappearing messages.” Also, urge clients up front not to do so.

See Caveat #1 for details on why.

7) Signal may not be a good tool for group texting with clients

Be aware that Signal’s security depends, in part, on all participants in a message exchange using good smartphone security practices. When you are texting with a single client, they can take responsibility for their own phone security. When texting with a group, however, poor security practices on the part of one member of the group can cause privacy problems for everyone.

This is true of any texting service no matter how it keeps messages secure, of course.

8) We are not necessarily endorsing the use of Signal for phone or video service

Signal also offers phone and video services. It is possible that these may be appropriate for clinicians to use, but we have not had an opportunity to fully investigate them. This review is intended to cover Signal as a secure texting service.