WhatsApp has around three billion active users worldwide. It’s free, available on every physician’s phone in clinical settings, and convenient. One study in Cureus found that, in hospitals without formal guidance, most non-consultant hospital doctors were using WhatsApp to communicate clinical information.

When training was introduced, and an acceptable alternative was made available, the rate of sharing identifiable patient information fell from 97% to 81% (still high, but a measurable improvement). The study concluded that clinicians need more training on data protection responsibilities and that policy gaps encourage risky behavior.


What the compliance problem actually is

WhatsApp is not HIPAA compliant. The law requires any platform used to transmit electronic protected health information (ePHI) to meet technical, administrative and physical safeguards.

Three requirements are relevant here.

  • Business associate agreement (BAA): Any vendor that handles PHI on behalf of a covered entity must sign a BAA. WhatsApp will not sign one. That single fact settles the compliance question for US-based covered entities.
  • Standard encryption: WhatsApp encrypts messages between users, but encryption in transit is one requirement among many, not a compliance endpoint by itself.
  • Access management and audit controls: HIPAA requires organizations to know who accessed what information and when. WhatsApp provides no audit logs. It does not support role-based access control. It does not limit the forwarding of messages. A message containing patient information can be screenshotted, forwarded, or viewed on a personal device without any record and without any way to revoke access.

The record-keeping gap

Beyond the compliance requirements, there is a clinical documentation problem. The study Effects of Introducing a Secure Web-based Messenger Application for Communication Among Non-consultant Hospital Doctors (NCHDs) examined how clinicians who use WhatsApp in clinical practice keep records of those messages. After training in data protection and the introduction of a secure web-based messaging alternative, the sharing of identifiable sensitive patient information fell from 97% to 81%.

The researchers concluded, "WhatsApp use is common among NCHDs. An alternative means of communication can improve the safety of patient data." The findings indicate a need for better clinician training, better guidance on data protection, and communication tools that comply with privacy safeguards; otherwise convenience will continue to outweigh those safeguards.

If a clinical decision is made, discussed or transmitted via WhatsApp and the conversation is not retained in the patient record, the organization has a documentation problem that goes beyond the single conversation. The physician’s personal device has become part of the medical record, an uncontrolled, unaudited part.


What the HHS has said

The Department of Health and Human Services (HHS) does not have a blanket ban on texting patients. It has stated that texting patient information among members of the health care team is permissible if done via a secure platform.

The word "secure" is doing a lot of work in that sentence. As Paubox has pointed out, iMessage and WhatsApp do not provide the security measures required to be HIPAA compliant. HIPAA compliance requires access controls, audit controls and encryption that these platforms do not typically offer.

The HHS position does leave one narrow exception. A provider may respond if a patient initiates contact on an insecure channel, or explicitly requests to communicate on an insecure channel and has been advised of the risks. That exception requires documented consent. It does not give organizations a free pass to use WhatsApp for ongoing clinical communications.


The gap between confidence and reality

In a 2026 research study by Paubox on healthcare email security, 100% of healthcare IT leaders surveyed rated their ability to detect a breach as excellent or good. In the same group, 58% said their organization had been breached via email in the last two years. The same pattern repeats across communication channels: organizations believe their policies are sufficient simply because they have policies. The real question is whether the platform in use actually enforces them.

WhatsApp is not a secure messaging platform for healthcare purposes. It does not sign BAAs. It does not provide audit controls. It cannot be integrated into clinical documentation in a HIPAA compliant way. The fact that it is common does not make it compliant.


Why HIPAA compliant email platforms are a better starting point than secure text

The documentation advantage is structural

Even on a compliant platform, text messaging produces messages that are not part of the medical record unless the organization has built specific integrations to pull them in. That is another step in the workflow that many practices never get to. Email, especially through a healthcare-specific platform, is more easily stored, retrieved and exported in formats that satisfy audit requirements. The message thread about a patient’s treatment decision should be in the record, and that requirement is easier to enforce with email than with SMS.

A JMIR Cancer cross-sectional study found that adults who used email to communicate with their healthcare providers between visits had higher odds of receiving breast, cervical, and colon cancer screenings. The association was present across all three screening types, with adjusted odds ratios of 1.32 for breast cancer screening, 1.11 for cervical cancer screening, and 1.55 for colon cancer screening.

The researchers concluded that "email PPC is a marker of increased likelihood of adults completing age-appropriate cancer screenings." They also noted that email communication "may enhance traditional face-to-face communication between health care providers and patients." That makes email clinically relevant as more than a convenience tool, although the study does not directly compare email with text messaging.


The content capacity matters

Text works well for appointment reminders, quick confirmations and short updates. It is not the appropriate venue for sending lab results with explanatory context, summarizing a care plan, sharing referral documents, or communicating anything that requires the patient to have a lasting record of what was discussed. Secure texting is best for short updates, while HIPAA compliant email is better for more in-depth, non-urgent communication.

Physicians who reach for WhatsApp are often trying to do the second kind of communication through the first kind of channel. A test result sent over WhatsApp is a format mismatch: it increases the chance of misunderstanding, creates no patient record of the communication, and cannot be referenced at the next visit.


The audit trail is built in, not bolted on

The HIPAA Security Rule requires covered entities to have audit controls in place to track activity in systems that create, maintain, or transmit ePHI. A compliant email platform generates those logs automatically as part of its normal operation: when a message is opened, forwarded, or viewed on an unusual device, the record is there. No consumer messaging app has infrastructure for that, and in secure texting tools it has to be purpose-built and is not always well integrated with EHR systems.

Paubox delivers HIPAA compliant email with a signed BAA and audit-ready infrastructure built in. Messages arrive in the patient's inbox without requiring portal logins or app downloads, removing the friction that leads clinical staff to bypass compliant tools entirely. For covered entities trying to move physicians off WhatsApp, that frictionless delivery matters because the compliant channel has to be easier to use.


FAQs

Why does auditability matter?

Auditability matters because healthcare organizations need to know who sent a message, who received it, when it was sent, and what information was disclosed.


Does encryption make texting safe enough?

Encryption helps, but it doesn’t solve the full compliance problem.


When is text messaging appropriate?

Text messaging may be appropriate for limited, low-risk reminders or administrative updates if the organization’s policies allow it and the message does not expose unnecessary protected health information.