Paubox blog: HIPAA compliant email made easy

Is the disappearing message feature HIPAA compliant?

Written by Kirsten Peremore | February 07, 2024

The disappearing message feature is not HIPAA compliant for transmitting protected health information (PHI). It conflicts with HIPAA’s requirements for retaining medical records and ensuring the availability of audit trails.


What is a message disappearing feature?

The message disappearing feature automatically deletes messages after a set period, enhancing privacy and security in digital communication. Users activate this feature in their chat settings, specifying the duration before messages vanish, ranging from seconds to days after being read or sent. This functionality is used across various messaging platforms, including secure messaging apps like Signal, WhatsApp, and Telegram. The feature is especially popular in contexts requiring confidentiality, such as conversations involving personal data, business secrets, or any information users prefer not to remain accessible indefinitely.

See also: HIPAA Compliant Email: The Definitive Guide


Why the disappearing messaging feature is not HIPAA compliant

The disappearing messaging feature does not meet HIPAA regulations, particularly concerning the retention of PHI and the maintenance of audit trails. This means it cannot be used in any communications relating to PHI. Specific reasons include:


Automatic deletion of messages

Disappearing messages are designed to automatically delete after a certain period, which prevents the retention of PHI. HIPAA mandates that covered entities and business associates retain medical records and other related information for a minimum period, typically six years, depending on the state laws. The automatic deletion feature directly conflicts with this requirement, as it could lead to losing health information that needs to be preserved.

See also: Laws that affect text message marketing compliance


Lack of control over information lifespan

With the disappearing messaging feature, healthcare providers have limited control over the lifespan of messages containing PHI. Once a message is set to disappear, retrieving or preserving it for the required retention period becomes challenging, if not impossible. This situation can lead to non-compliance with record retention regulations.


Inadequate documentation and tracking

Audit trails are vital under HIPAA for tracking access to and the handling of PHI, allowing for monitoring compliance and investigating potential breaches. The disappearing messaging feature inherently prevents the creation of a comprehensive audit trail because messages are deleted and, consequently, unavailable for review or auditing purposes.


Lack of accountability and traceability

Without a permanent record of communications, holding individuals accountable for their actions or tracing unauthorized access to PHI becomes difficult. This lack of traceability can complicate efforts to assess compliance with HIPAA standards and to investigate incidents involving the mishandling of PHI.


Risk of unauthorized access

If a device or platform is compromised before a message disappears, unauthorized people can still read it; automatic deletion does not protect PHI during the window in which the message exists.


Compromised patient care

The loss of messages containing critical health information can result in gaps in patient care continuity. This can lead to healthcare providers lacking the necessary information to make informed decisions, which could potentially impact patient outcomes.

See also: Is SMS messaging HIPAA compliant?


FAQs

When can disappearing messages be used in a healthcare setting?

Healthcare teams may use disappearing messaging for communications that do not involve patient care, require added privacy, and have no effect on the quality or continuity of healthcare services.


Is WhatsApp HIPAA compliant?

WhatsApp is not HIPAA compliant.


What is a HIPAA compliant text message?

It is the secure transmission of PHI through text messaging.