by Kapua Iao
Article filed in

Is Workplace HIPAA compliant?

by Kapua Iao

Workplace logo

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to correctly communicate with other providers and patients while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.

Today, we will determine if Workplace is HIPAA compliant or not.

About Workplace

Launched in 2016, Workplace from Facebook (now Meta) is a communication tool that connects groups of people, even if remotely. Facebook is the world’s largest social network with over 3 billion active users; more than half of them log on every day.

RELATED: Is Facebook HIPAA compliant?

Workplace facilitates online group work, instant messaging, video conferencing, and news sharing in a collaborative environment.

Facebook discontinued its free accounts for Workplace in February 2021. Pricing plans depend on the number of viewers with add-ons available.

Workplace and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.

In this instance, Workplace is a business associate of a healthcare organization if any stored or transmitted data includes electronic PHI (ePHI), like a name or an email address.

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

Similar to other social media platforms, Facebook will not sign a BAA with covered entities.

RELATEDSocial media & HIPAA compliance: the ultimate guide

Moreover, a paragraph in its Workplace Online Terms states, “With regard to health information, you acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in [HIPAA] and that Workplace is not HIPAA compliant.”

Workplace and cybersecurity

As emphasized in the online terms, customers “agree not to submit to Workplace any information or data that is subject to safeguarding and/or limitations on distribution pursuant to applicable laws and/or regulation.”

Nevertheless, Facebook uses strong cybersecurity measures to ensure customer data remains confidential. This includes password management, user access management, and encryption of the network as well as data in transit.

RELATED: Encryption at rest: what you need to know

Moreover, its Workplace Security Guide states that Workplace utilizes three principles when it comes to security.

  • You own your data
  • Strict controls on data access
  • Workplace and Facebook are separate platforms

Is Workplace HIPAA compliant?

The BAA is a key component of HIPAA compliance and Facebook does not sign a BAA and states that Workplace is not HIPAA compliant.


Workplace is not HIPAA compliant.

Try Paubox Email Suite for FREE today.