Is Signal HIPAA compliant?

Featured image

Share this article

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast. And it is important to work well and communicate with patients while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward healthcare technology communication and the increase in cyberattacks against healthcare organizations.

Today, we will determine if Signal is HIPAA compliant or not.

Read more

About Signal

Signal is a free, open-source messaging app developed by the nonprofit Signal Foundation and its subsidiary, the Signal Messenger LLC. There are currently about 40 million monthly active users.

With this app, you can share texts, voice messages, photos, videos, images and files with other users as well as non-users. The app is available on iPhones and Android phones, which makes sending messages convenient and effortless.

SEE ALSO: Texting tools and HIPAA compliance: The ultimate guide

For covered entities, text messages can do many tasks, like sending appointment reminders and improving patient experience. But when deciding to use a texting tool for patient communication, it is important to understand HIPAA compliance.

Signal and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve PHI.

Signal is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI). This could be something as simple as a name or a phone number.

SEE ALSO: Guide to Privacy and Security of Electronic Health Information

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

Currently, there is no mention of a BAA on the Signal website. In fact, several reviews of the company suggest that it does not need to sign a BAA. HIPAA includes exceptions for when covered entities need BAAs, and the company may fit within the following:

“With a person or organization that acts merely as a conduit for [PHI], for example, the U.S. Postal Service, certain private couriers, and their electronic equivalents.”

To understand if this is a possibility, covered entities must learn further about what Signal does with PHI.

Signal and cybersecurity

Signal states that it does not store personal data on its servers, which may make it a conduit since information passes from one user to another. In fact, Signal, as a nonprofit foundation, is firm that the company does not collect or sell data.

Users store the phone numbers of those they know locally on their phones. But the company does keep its users’ phone numbers stored on its servers. Technical data on the servers are stored as randomly generated tokens, keys and push tokens.

Signal does not focus on encryption at rest, only in transit.

RELATED: Encrypting HIPAA-related data in transit: What you need to know

Accordingly, all interactions utilize end-to-end encryption between Signal users. The company always automatically enables it. And client-server communication is protected by TLS encryption. Unfortunately, this only works for communication between two people who have downloaded the Signal app.

Is Signal HIPAA compliant?

If Signal qualifies as a business associate, it must include technical and administrative safeguards to secure PHI.

SEE ALSO: Understanding and implementing HIPAA rules

The company claims that its security and privacy features are superb and many within the security world agree. However, the BAA is a key component of HIPAA compliance, and Signal does not appear to sign a BAA. Even if the company does not need to sign a BAA, a cyberattack can still occur. And if a data breach or HIPAA violation does happen and any PHI (including something as simple as a phone number) is accessed, the covered entity is liable.

Conclusion

Signal is not HIPAA compliant.

“Paubox is awesome!”

Jeff L.

Oct 27, 2022

Summary

We looked at several solutions and the biggest issue is that almost all other solutions were portal-based and not in-line/real-time encryption and filtering like Paubox. Our C-team did not want our customers to have to go to the portal for each email exchange, and Paubox delivers a simple way to ensure the highest level of security while providing the easiest path for email interchanges.

5
Author Photo

About the author

Kapua Iao

Read more by Kapua Iao

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022