Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: No.
Recommend for your HIPAA risk management needs?: No.

What Is This Product?

WhatsApp Messenger is a freeware and cross-platform instant messaging and VoIP service. The application allows the sending of text messages and voice calls, as well as video calls, images and other media, documents, and user location.

Unlike Signal, WhatsApp stores meta-data (data about the messages and message senders and receivers) and therefore does not qualify as a conduit, but as a business associate. However, WhatsApp will not execute a Business Associate Agreement and is, as a result, not a HIPAA-secure option.

Person Centered Tech gets a lot of questions about using WhatsApp because they advertise their service as “end-to-end-encrypted” and because they utilize the same open-source protocol as Signal, by Open Whisper Systems. Despite using the same encryption protocol as Signal, which we do recommend, WhatsApps’ storage of meta-data is where the two options diverge and why the HIPAA-security and recommendation outcome differ for the two otherwise very similar services. A “no” outcome for WhatsApp should not cause distress, though, because Signal is an excellent alternative that is both HIPAA-secure and free. For details about using Signal, please see our review here. For an Office Hours discussion comparing and contrasting WhatsApp and Signal, please see question/answer clip #3 by clicking here.