Regulatory bodies are reporting that UK and US healthcare providers are using WhatsApp However, there are compliance concerns with sharing sensitive medical information over messaging apps. This article explores these concerns including recordkeeping, retention, and storage of messages, protection of PHI, and consent requirements, and provides potential resolutions.
Why do Healthcare workers turn to WhatsApp?
According to a 2019 survey, healthcare workers are using WhatsApp internally to share information with colleagues, manage agendas, and chat about clinical situations without patient-specific information. Externally, patients usually initiate WhatsApp interactions, by sending images and videos before appointments, asking healthcare questions, and providing updates on their health conditions.
People read and respond to texting and instant messaging much faster than emails. Therefore, healthcare professionals and patients like using this method of communication. It’s possible to send some chats without compliance concerns, but there are areas of ambiguity. For example, when it comes to communicating without using patient-specific information, providers may know not to use full names, but are initials ok? Such questions may need to be cleared up with stronger guidelines.
WhatsApp Compliance Concern #1: Recordkeeping, Retention and Storage
Global healthcare regulations enforce the need of medical recordkeeping. The World Medical Association (WMA) declares that clinicians must maintain clinical records of telemedicine consultations and protect personal health information (PHI). The WMA definition of recordkeeping is to maintain for each patient a “contemporaneous, chronological, secure, attributable, legible, traceable, permanent, original, accurate and date and time-noted health care record…”. The WMA definition of storage is “the safe retention of healthcare records, with enduring access for a defined retention period…”.
WhatsApp Compliance Concern #2: Protection of PHI
WhatsApp alone is not fully compliant with the GDPR regulation of the European Union, the Protection of Personal Information Act (POPI) in South Africa, Lei Geral de Proteção de Dados in Brazil, and HIPAA in the United States.
- Consumer WhatsApp and WhatsApp for Business can introduce privacy concerns because of the company’s data processing policies and contact sync feature.
- Using WhatsApp Business API is one of the best ways to use WhatsApp in a GDPR compliant way (such as by using the MultiLine WhatsApp connector).
- HIPAA rules for PHI
- It must be possible to terminate an individual’s access to PHI.
- It must be possible to monitor access to PHI.
- It must be possible to obtain emergency access to PHI if the account owner is unavailable.
- Encryption alone does not make software HIPAA compliant; it must be implemented according to the HIPAA Security Rule.
- Concerns for PHI on mobile devices:
- Lost/Stolen Phones – PHI on lost or stolen phones can lead to an investigation if there is a lack of documented consent for use of the non-compliant channel.
- Inadvertently sharing information – PHI inadvertently shared to the wrong parties on WhatsApp can lead to consent violations.
- Documenting Consent to share PHI
- Many countries have healthcare regulations that patient must give documented consent before information is shared over instant messaging.
- Patients must also give documented consent before information is shared with other health professionals or a group chat of health professionals.
- The HHS declares that providers can use WhatsApp if (1) the patient explicitly requests it and (2) the provider documents consent from the patient on the risk of using the noncompliant channel.
Resolving WhatsApp Compliance Concerns with MultiLine
The WhatsApp connector for MultiLine allows messaging directly from the MultiLine application using a WhatsApp Official Business Account and the WhatsApp Business API.
- Patients can message, including picture messages, with their provider with complete assurance that they’re talking with the right person.
- MultiLine automatically handles texting disclaimers and collects patient consent to message with WhatsApp.
- MultiLine users can group chat with patients, join and leave the conversation as needed, with the option to share or not share chat history.
- The Movius platform automatically captures all WhatsApp messages so they can be added to a patient’s electronic record.
- Recordkeeping: All WhatsApp messages are recorded, time-stamped, easily searchable and retrievable, and securely transferred to the healthcare agency’s archival system of choice, including MobileIron, Smarsh, NICE, GlobalRelay, and more.
- Retention and storage: Admin access to recordings stored on the Movius platform is strictly controlled and transparently auditable.
- Protection of PHI:
- No WhatsApp data is stored on the mobile phone, as WhatsApp is deployed within the MultiLine application.
- Movius encryption of WhatsApp messages are HITRUST and HITECH certified.
- Admins can remotely remove all MultiLine data and access from the device whenever needed.
- MultiLine automates the request and documentation of patient consent to receive communications over WhatsApp.
- MultiLine is completely GDPR-compliant.
- WhatsApp in Clinical Practice—The Challenges of Record Keeping and Storage. A Scoping Review | National Library of Medicine
- Brit healthcare body rapped for WhatsApp chat sharing patient data
- Use of WhatsApp in NHS ‘Widespread’ says doctors | BBC
- Using mobile messaging | NHS England
- Is WhatsApp HIPAA Compliant | HIPAA Journal
You May Also Be Interested In:
- MultiLine for Healthcare
- The Ultimate HIPAA Compliance Cure for Healthcare Companies Who Use SMS for Patient Communication
- HIPAA-Compliant Texting: what you need to know
- How Home Health Agencies Can Recover Revenues and Stay in Touch with Patients by Using MultiLine
- Technological configurations of hospitals to protect patient data
- How Our MultiLine Solution Helps Ensure Mobile GDPR Compliance