Is Facebook Messenger HIPAA compliant?

Posted by Michael Hsu on 7/26/19 12:45 AM

Facebook Messenger, also known as Messenger, is one of the most popular instant messaging apps. Owned by Facebook, it has evolved a lot over the years. Apart from texting, it can be used for video and voice calling and for sending various media files, such as photos, audio messages, and documents.

Many healthcare providers are wondering if they can use Facebook Messenger for remote communication with their patients. The answer to that question depends on whether the platform is HIPAA compliant.

Is Facebook Messenger HIPAA compliant?

If you want to use a messaging app to transfer protected health information (PHI), the provider of the app is considered your business associate (BA) under HIPAA. This means you have to sign a business associate agreement (BAA) with them, which requires them to adhere to the HIPAA Rules as well. By signing this contract, you both agree to put safeguards in place to keep PHI private and secure.

Facebook won’t enter into a BAA for Messenger with anyone. This automatically makes it non-HIPAA compliant. Consumer app providers are unlikely to sign this contract in general. That is because these apps were not made to transfer confidential information in the first place. Your chances are better with apps aimed at businesses.

Even if a provider is willing to enter into a BAA, that doesn’t guarantee that the app is HIPAA compliant by default. You are usually required to configure the app yourself, and the provider may or may not provide guidance on how to do so. 

Facebook won’t sign the agreement because they know that the app can’t be made compliant. Messenger lacks the following technical safeguards mandated by the HIPAA Security Rule:

  • Access controls
  • Audit controls
  • Transmission security

Access controls

Messenger lacks access controls and authentication measures to prevent unauthorized access. Once a user sets up the app, they don’t need to confirm their identity every time they want to open it. This means that if someone takes their phone or it gets stolen, they’ll be able to see anything that was sent and received.

Audit controls

Another thing to keep in mind is that Messenger doesn’t allow for audit controls. There is no way to maintain activity logs. Without this feature, you can’t keep track of activities affecting PHI or see if, or when, a breach occurred.

Transmission security

BAs are also obligated to have safeguards that guarantee the security of data in transit. This is usually achieved through encryption, and end-to-end encryption is the norm. It makes data readable only for end-users, and not even the provider can view it. 

Messenger does offer this kind of encryption, but you have to enable it yourself. You do so by starting what they call a “secret conversation.” Facebook plans to make all chats end-to-end encrypted, but they haven’t specified when.

As Facebook won’t sign a business associate agreement, and Messenger doesn’t have all the HIPAA technical safeguards in place, the app is not HIPAA compliant.

You can use non-HIPAA compliant solutions during the coronavirus national emergency (but shouldn’t)

The HHS’s Office for Civil Rights (OCR) has issued a regulation that grants healthcare providers permission to use non-HIPAA compliant remote communication platforms during the COVID-19 emergency. This regulation was put forward due to concern for the general public health. It is supposed to aid people in receiving medical care wherever they are.

This OCR notification makes it possible to use Facebook Messenger for telemedicine purposes without risking any penalties as long as the national emergency lasts. This doesn’t mean you should, though.

There are many disadvantages to using a non-compliant solution, including the following:

  • You won’t be able to continue using it when the emergency ends
  • You’ll miss out on all the special features that healthcare-specific solutions offer
  • Your patients’ PHI might get compromised

Bear in mind that HIPAA exists for a reason, and its purpose is to help you protect private patient information. If you fail to do so, your patients will suffer, and so will your reputation.

Choose a HIPAA-secure alternative—Curogram

With Curogram, you don’t have to worry about configuring anything. Our platform for telemedicine and two-way messaging is fully HIPAA compliant. Using Curogram, you can communicate with your patients remotely without worrying about security, which is not the case with Messenger.

More than 5,000 satisfied customers can attest to the convenience and practicality that Curogram guarantees. Our platform is feature-rich and easy to use, and we can offer something not many providers can—we’ll integrate with any EHR in under 48 hours.

Instead of stumbling your way to telemedicine with Facebook Messenger, you should go for Curogram and save yourself a lot of trouble. The former is not suited for use in healthcare, and you’ll feel this firsthand as soon as you incorporate it into your work.

Here are some problems you’ll encounter using Messenger for telemedicine:

  1. Messenger can’t be used for secure document transfer
  2. Messenger doesn’t integrate with your EHR
  3. You can’t send automated appointment reminders with Messenger
  4. Messenger doesn’t have waiting rooms
  5. Messenger doesn’t support the workflows of your doctors and staff

Messenger can’t be used for secure document transfer

As Messenger communication is not fully encrypted, you can’t transfer PHI through it and expect it to be safe. 

An interesting thing about Messenger is that the standard Android app doesn’t even feature an option for document sharing, whereas its “leaner” counterpart, Messenger Lite, does. It is obvious that Messenger wasn’t made for transferring medical data in the first place.

Curogram allows you to exchange PHI with your patients in a completely safe way. Our patient app is the only HIPAA-secure mobile app for document transfer. We’ll digitize your standard forms for you so that your patients can fill them out and sign them electronically. Once your patient completes an intake form, you receive it automatically as a PDF file. 

You can also pull documents straight from the EHR rather than storing them in various places on your computer.

Messenger doesn’t integrate with your EHR

A consumer app such as Messenger can’t offer you integration with your EHR. This is a major drawback that will eat up a lot of your time due to double data entry. You can’t sync appointments with patient medical records and can’t manage a single schedule.

Our platform syncs with your EHR for better functionality. It integrates with over 700 EHRs, which makes it highly flexible. Thanks to our proprietary technology, Curogram doesn’t rely on complicated HL7 interfaces. We can sync the platform with your EHR in 48 hours and save you up to six months. That’s how long it usually takes for a telemedicine solution to integrate with an EHR.

Curogram EHR integrations

  • Allscripts
  • Prime Clinical Systems
  • AdvancedMD
  • eClinicalWorks
  • Kareo
  • Greenway
  • Epic
  • Practice Fusion
  • DrChrono
  • NextGen

You can’t send automated appointment reminders with Messenger

Messenger doesn’t sync with your schedule calendar, so it can’t generate auto-reminders. Reminders for virtual clinic appointments are vital if you don’t want your patients to forget about them. It’s easy to lose sight of an online visit because it doesn’t take much preparation. A patient could be watching a TV show or cooking and have the appointment slip their mind minutes before it is scheduled to start.

Curogram’s intelligent reminders save our clients tens of thousands of dollars a year they would have lost on no-shows. You can customize them for different types of visits and set up their frequency. Curogram is sending 500,000 smart reminders every month and reducing no-show rates by 75%.

We utilize a two-way SMS messaging system for sending reminders to patients. This means that, even though messages are auto-generated (based on your custom templates), patients can respond to them. You’ll receive their response and be able to continue to chat with them directly from the web dashboard.

Messenger doesn’t have waiting rooms

A patient waiting room is an integral part of any in-person doctor’s appointment. It allows nurses to check in patients and prepare them for the appointment.

Messenger doesn’t have a virtual waiting room that allows you to see who’s in and waiting for the appointment. Patients can message you when they are ready, but a doctor will be busy talking to the patient on call and won’t be able to answer. If you have one Messenger account for your clinic, doctors and nurses won’t be able to work simultaneously.

Curogram has a virtual waiting room that allows your doctors and nurses to resume their standard roles. You can see who’s in the waiting room at all times. Nurses can onboard the patients who are waiting, while doctors focus on appointments. While they’re waiting, patients can attach whatever documents the doctor will need to see.

Messenger doesn’t support the workflows of your doctors and staff

As we’ve said, with one Messenger account, your doctors and staff won’t be able to retain their workflows. They can’t be on multiple calls at the same time, which means the process will be painfully slow. 

This might even force doctors to do the patient onboarding themselves. Instead of going in and out of appointments, doctors will have to waste time and will be able to see far fewer patients a day.

Even if you register multiple accounts, your doctors will have no way of knowing whether the patient is ready. Nurses won’t be able to tell when doctors are done with patients so that they can take over and give them any further instructions, prescriptions, etc.

Our platform allows your doctors and nurses to do their job smoothly. Once the patient opens the auto-generated visit link, they enter the flow and are guided by staff as they would be in person. The transparency of the waiting room allows your staff and doctors to coordinate their duties with no problems.

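|                                 | Facebook Messenger | Curogram |
|---------------------------------|--------------------|----------|
| Secure document transfer        | No                 | Yes      |
| EHR integration                 | No                 | Yes      |
| Automated appointment reminders | No                 | Yes      |
| Virtual waiting room            | No                 | Yes      |
| Doctor and staff workflows      | No                 | Yes      |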

Four common issues when transitioning to telemedicine

If you’re going remote because of the public health emergency and think any app will do during that time, you need to consider the following things:

  • There’s still no vaccine for coronavirus, and it may come back for a second wave
  • Telemedicine is the future of healthcare. If you don’t jump on the bandwagon, be sure your competitors will
  • You can do both in-person appointments and telemedicine. It will provide you with a new revenue stream

Bear in mind that transitioning to telemedicine fully will be hard. You’re sure to encounter problems along the way. Here are some of them:

  1. It might be difficult for your patients
  2. Your doctors might struggle
  3. Your staff might struggle
  4. You might experience billing problems

It might be difficult for your patients

Your patients might find it hard to adjust to the new way of communicating with your clinic. If you choose to reach out to them via Facebook Messenger, you’ll make it even harder. Not all of your patients use the app or are willing to download it. Your older patients could find it difficult to set up the app at all. Messenger can also get glitchy in between updates, which can result in missed reminders and calls from you.

If you use Curogram, you can contact all your patients via SMS. This is a universal channel for communication, and it doesn’t require any downloads. Your messages won’t get lost between phone updates. Patients prefer SMS texting to phone calling for making arrangements, scheduling, and rescheduling. You can give them this with Curogram.

Your doctors might struggle

If you go for Messenger, your doctors won’t have the usual support from nurses, MAs, and other staff. They’ll have to contact and onboard patients themselves and lose a lot of time dealing with administrative issues. Instead of focusing on patient care, they’ll have to deal with technical issues and endless data entry.

Curogram allows doctors to resume their work as usual. It is not a doctor’s place to solve IT problems and organize the administrative mess. Our platform provides them with all the tools to do their job, while the staff takes care of the rest. They can even have an assistant with them during visits to take notes and make appointments as efficient as possible.

Your staff might struggle

While doctors are stuck doing all the work before, during, and after appointments, the staff will have to figure out how to organize the schedule, reach the patients, and send and collect all the necessary documentation. They’ll have to remind patients about their appointments manually, which will take a lot of time and effort.

Being able to contact someone on Messenger doesn’t necessarily mean you have their phone number. If a patient is unresponsive on this platform, your staff will have trouble reaching them without having their number.

Scheduling and rescheduling appointments will be a mess as nurses or MAs will have to input all data twice and be careful not to make mistakes. You’ll need a dedicated person to keep track of all the appointments and remind everyone in time.

Curogram automates many front desk tasks, such as sending out reminders, and allows your staff to breathe. It will help you increase staff utilization. Your nurses won’t have to waste time doing administrative work and will be able to focus on preparing patients, giving out instructions and prescriptions, etc.

You might experience billing problems

It’s easy to lose track of billing if you don’t have a proper way to document everything. You’ll need tools to keep track of your appointments and have everything about each visit neatly organized. If you don’t get a healthcare-specific tool, your staff will be forced to keep folders full of PHI on their personal computers, which is not secure.

Curogram lets you and your patients exchange files in a secure way and tie those files to individual appointments. That way, you’ll have all documentation organized and stored in a HIPAA-secure way. 

Insurance companies might require you to verify that you prescribed a certain medicine, e.g., opioids, to a patient. You’ll have to screenshot this for proof. Instead of saving these screenshots on your PC, Curogram lets you make in-app screenshots, which will be saved as part of the appointment documentation.

What you’ll get with Curogram as a telemedicine solution 

You’ll experience many benefits with Curogram in the long run. The most important ones include:

  1. Increase in patient volume
  2. Satisfied employees
  3. Revenue increase

Increase in patient volume

As doctors and nurses resume their standard duties, you’ll tend to your patients in a much more efficient way. Your doctors will be able to go in and out of visits, which will allow them to see more patients each day.

Curogram’s intelligent reminders will help you eliminate no-shows and late cancelations as well. It has helped some of our clients reduce their no-show rates by as much as 75%.

Satisfied employees

You won’t have to worry about stressed-out staff, as everyone will have the right tools to keep up with their work. Curogram also offers the possibility of setting up group chats where your staff can communicate in a secure way and have all they need in one place.

Revenue increase

More patients and a dynamic work atmosphere mean more money for your clinic. Curogram will make your online clinic profitable. Even if you discontinue your online visits after some time, Curogram’s two-way messaging platform will reduce your phone call volume by more than 50%. This will lead to a decrease in overhead costs and let your staff do tasks more useful than sitting on the phone.
