What is WhatsApp?
WhatsApp is a communications application that allows you to send and receive text and voice messages from anyone in the world, without impacting your phone’s cellular or data plans. It’s the app of choice for international calls, and in many countries, WhatsApp is the most accessible form of communication, more so than email due to issues with internet connectivity or cost barriers to access.
WhatsApp offers end-to-end encryption making it an extremely private form of communication. This means that only you and your chosen recipient(s) have access to the content of your messages. WhatsApp does not store your messages on any of its servers.
What’s the problem with WhatsApp?
However, this does not mean that WhatsApp is suitable for clinical use, because there are several ways in which WhatsApp can pose a potential risk to client privacy. In some countries, these issues may not pose a problem.
In the United States and Canada, these aspects of WhatsApp mean that it may not be possible to use the app and remain compliant with HIPAA or PIPEDA or PHIPA. Specifically, the Office of the Privacy Commissioner of Canada in association with the Dutch Data Protection Authority found numerous WhatsApp features that violated PIPEDA.
GDPR, the privacy legislation covering the EU, prohibits commercial entities from processing personal data without express consent, and the integrations listed below would count as processing data.
WhatsApp accesses other applications on your device
WhatsApp connects with your phone’s contacts in order to make suggestions of people to add to your WhatsApp network. This connection is not secure, meaning that if you store client information in your phone contact list then you are sharing their personal information without your consent.
WhatsApp can also be configured to automatically save photos and videos to the photo library on your phone without the express consent of the owner of the photo. This can pose a particular problem for lactation consultants if clients are sharing photos of their breasts.
Say a client messages you a picture, and you have WhatsApp set to automatically download WhatsApp photos to your photo library on your phone or other device, you may also be sharing via a third party. For example, if you also have your phone or other device set to save all of your photos to iCloud, then your client’s photo is now shared on your iCloud, and anyone or any device that has access to your iCloud now has access to your client’s photo.
WhatsApp can save your message history
You can also configure WhatsApp to back up your message history to your local device, which can also mean that client information may be stored in a non-secure way.
WhatsApp doesn’t offer an audit trail
For HIPAA in particular, one requirement for compliance is an audit trail, meaning that you can see a complete record of all communications and deletions with time stamps.
WhatsApp doesn’t fulfill the “right to be forgotten”
While you can delete your own WhatsApp account, you can’t guarantee to your clients that WhatsApp has erased their personal information from their services, and this poses issues with GDPR’s right of erasure.
WhatsApp doesn’t offer a Business Associates Agreement (BAA)
HIPAA compliance in the US requires that you have a Business Associates Agreement. There is some debate about whether WhatsApp needs to have a BAA, because it might be considered a conduit since messages do not pass through their servers. But because WhatsApp offers functionality such as integration across multiple devices, this may not fulfill the conduit requirement.
What’s the best way to use WhatsApp?
WhatsApp is not true secure messaging, but it comes very close. Your clients may be fine with the level of security that WhatsApp offers, and they are allowed to choose that for themselves. Ethically, it’s a good idea to offer true secure messaging which can be found through platforms such as Signal and others. If you offer the option then your clients can opt out if it’s not convenient for them.
There are a few steps you can take to make WhatsApp as secure as you possibly can.
-
Disable the automatic download on WhatsApp, and recommend your clients do the same for maximum security
-
Prevent WhatsApp from accessing your contacts. Instead, require your contacts to initiate communication with you via the app.
-
Get informed consent from your clients before using WhatsApp to communicate with them. This means explaining the risks, and offering an alternative if they do not find the risks acceptable.
-
Have a secure alternative available for any client who wants it.
What are alternatives to WhatsApp?
For straight up messaging, Signal is the most secure and avoids almost all of the pitfalls of WhatsApp except for the requirement to maintain records. However, you can simply document your Signal conversations in your EHR platform or by some other secure method. Signal is free for you and free for your clients.
For more robust secure messaging, my favorite app is Spruce. Spruce is not free for you, but it is free for your clients and can also be used for secure video messaging, making it a great option for telehealth.
Many EHR platforms offer secure messaging. I have a comprehensive round up of the most popular platforms for lactation practice.
