WhatsApp Messenger, or WhatsApp for short, is a communication platform owned by Facebook that allows you to send text and voice messages and make voice and video calls. You can use it to share various media, such as images, documents, locations, and more.

Since WhatsApp is a popular and widely used messaging app, you may wonder if it's secure enough to be used in healthcare. So the big question is:

Is WhatsApp HIPAA compliant?

In short, no, WhatsApp is not HIPAA Compliant. Let’s explore why.

If it's used to transmit or store electronic PHI on a provider's behalf, WhatsApp's operator would have to be treated as a business associate (BA) of the HIPAA covered entity using it. A BA must enter into a business associate agreement (BAA) with the covered entity before it handles PHI. The BAA spells out the safeguards the BA commits to in order to protect PHI, and what it must do when PHI is breached.

WhatsApp is a consumer app, and there is no indication that Facebook will sign a BAA with any organization. That alone rules WhatsApp out by default.

One of the major features that makes medical professionals consider WhatsApp is its end-to-end encryption of all communication. This is a genuine security feature: only the sender's and recipient's devices can read a message in transit. However, encryption in transit is only one of the Security Rule's requirements. The only access controls WhatsApp offers are optional, per-user settings (the phone's own lock screen and WhatsApp's optional biometric app lock), and none of them are set, enforced, audited, or revocable by the practice. The encryption also ends at the device: once a message arrives it is readable by whoever holds the phone, it is included in any cloud backup the user has turned on, and a screenshot or forwarded message leaves the encrypted channel entirely.

Encryption does nothing for you if anyone who picks up a staff member's phone can open WhatsApp and read the chat history. By default the app opens without any authentication of its own; a user can turn on an app lock, but nothing requires them to, and the practice has no way to verify it, to revoke a departing employee's access, or to produce a log of who viewed which message. The HIPAA Security Rule requires a covered entity to implement access controls with unique user identification (45 CFR 164.312(a)) and audit controls (45 CFR 164.312(b)); a personal consumer app gives the practice none of these.

We can safely conclude that, due to these shortcomings and the absence of a BAA, WhatsApp is not HIPAA compliant and healthcare providers shouldn't use it to contact patients.

There are many other reasons that WhatsApp isn’t the best choice for healthcare businesses. 

WhatsApp doesn’t integrate with EHRs.

Ideally, your communication platform should integrate with your EHR. WhatsApp doesn’t integrate with any EHRs, and your staff will have to coordinate information between the two platforms. This means having to enter all the relevant data twice, which leaves much room for error. When your patient communications platform integrates with your EHR, you only have to enter appointments and other notes once. Patients receive text and email appointment reminders with the video chat links without any additional work from your staff.  

WhatsApp uses personal phone numbers.

In order to communicate with patients via WhatsApp, your staff will have to use their personal numbers. The only workaround is a dedicated mobile device with a business phone number that staff share.

However, both of these options are highly impractical for the following reasons:

  • In the former scenario, your patients may be confused by multiple phone numbers.
  • In the latter, either only one person will be able to communicate with patients or the mobile device will have to physically change hands.
  • PHI isn’t secure on staff’s personal phones.
  • PHI isn’t secure on any phone without access controls.
  • No one wants to use their personal number for business purposes.
  • Patients won’t recognize multiple numbers and won’t trust or answer calls or messages.

Fortunately, options like Curogram exist, providing a centralized communication platform with appropriate encryption and access controls. Only authorized personnel can see patient messages and chat histories.

WhatsApp can’t send automated reminders.

Appointment reminders are essential to reducing patient no-shows. In person and online consultations are easy to forget, especially when scheduled several weeks or even months in advance. 

WhatsApp doesn't integrate with your schedule, so it can't send appointment confirmations and reminders automatically. Your staff has to text or call everyone individually, which is inefficient and time-consuming.

Patients prefer text-based communication as it’s more efficient and takes less time than phone calls. Moreover, SMS text messages are the first to pop up on your patients’ phones, as they are not tied to any app that might have notifications turned off.

WhatsApp doesn’t have message templates. 

SMS templates can save your staff a lot of time. Your staff probably answers the same questions several times a day. With WhatsApp, they’d need to manually type and send the same message over and over again. 

The best you can do in WhatsApp is to perform a chat search, copy-paste the text, and adjust it for a new patient. This can lead to mistakes and PHI accidentally being shared with other patients.

WhatsApp doesn’t allow you to send smart rating requests.

Online reviews and ratings can make or break your business. A bad review is notoriously difficult to convert into a positive one, and it has a significant impact on how people perceive your practice. Your platform for communicating with patients should have some kind of a reputation management feature to help you reap five-star ratings.

If you use WhatsApp, all you’ll be able to do is pester your patients to go online, find your practice, and rate it on Google or Yelp. This can seem pushy, and it’s often a lot of work for the patient.

WhatsApp is not an adequate telemedicine solution.

You shouldn't use WhatsApp for telemedicine sessions. While WhatsApp offers video and voice calling features, they are basic and are only available in the mobile app.

WhatsApp Web doesn’t support video and voice calling features, which means you and your patients would have to talk while trying to keep your phones steady. There’s no way to view anything else on your device, like important patient documents such as test results or patient charts, while having a video meeting. 

Now that you understand why WhatsApp isn’t HIPAA compliant or appropriate for healthcare communications, let’s review what your patient engagement and telemedicine platform should include. 

What does a patient engagement or telemedicine platform need?

If you’re looking for a patient engagement and telemedicine platform, WhatsApp certainly won’t do. You need a platform that combines secure, HIPAA compliant communications, automated messaging, and video conferencing. Your telemedicine and patient engagement solution should have the following features:

It should be easy for patients to use.

You need a solution that's as easy to use as WhatsApp or even easier. You may have patients who aren't tech-savvy and don't have WhatsApp or even use smartphones.

You need software that can send auto-generated appointment reminders and telehealth links to patients. Then, all your patient has to do to join the appointment is click the link. When they click the link, they enter the virtual waiting room, where a nurse or an MA helps them prepare or they're prompted to complete any necessary paperwork online. Once the patient is ready, the provider takes over. After the consultation, a nurse gives them any necessary post-visit instructions and documents.

It should replicate in-person visit workflows.

You need a platform that mimics the workflows everyone's already used to, including doctors, nurses, and patients. That way you, your staff, and your patients don't waste time on unnecessary steps, which streamlines your processes and the patient experience.

This is something you can't achieve with WhatsApp. It has no waiting room and no handoff: once an MA calls the patient (or the patient calls them), the provider can only get on the call if a participant adds them by hand, and the MA can't step out without the patient noticing or the call ending.

It should include a secure patient messaging platform.

As we have mentioned, WhatsApp offers end-to-end chat encryption but gives the practice no control over who can access messages and no centralized, auditable record of them. This means electronic PHI could easily be exposed, and you would have no way to tell.

You need a platform where you can keep track of all communication threads in one place, including text messages, emails, and phone calls as well as patient forms and documents. 

It should include a secure staff messaging platform.

WhatsApp group chats are not appropriate for professional healthcare internal messaging. As mentioned, WhatsApp has no practice-enforced access controls, which means anyone who sees a staff member's phone screen could read PHI. Additionally, as most people use WhatsApp on their phones, any professional messages would be lost among personal messages.

HHS allowed the use of non-HIPAA compliant tools during the coronavirus crisis.

The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion for telehealth during the COVID-19 public health emergency. It is not a regulation and it did not change the HIPAA rules; OCR simply stated that it would not impose penalties on covered health care providers for using non-public-facing remote communication products in good faith to deliver telehealth, even where those products fell short of the HIPAA rules.

OCR did this so that medical providers could reach patients wherever they were during the public health crisis. The discretion was explicitly tied to the emergency and ended with it, so it should not be relied on now, and it never made the tools themselves HIPAA compliant.

The notice distinguishes between two kinds of apps. Public-facing services such as Facebook Live, Twitch, and TikTok were never to be used for telehealth. Non-public-facing video chat products, and the notice named WhatsApp video chat among them, were tolerated under the discretion, with the advice to enable any available encryption and privacy modes and to tell patients that these apps may introduce privacy risks. The notice also pointed providers who want actual privacy protections to vendors that are HIPAA compliant and will sign a BAA.

Curogram is a 100% HIPAA compliant telemedicine and patient engagement platform for healthcare providers.

Instead of relying on consumer apps such as WhatsApp just because they are familiar and free, you should invest in a patient engagement and telemedicine platform designed specifically for healthcare. Curogram is a HIPAA compliant web-based patient engagement and telemedicine solution.

Curogram includes automation features that reduce or eliminate time-wasting front desk tasks, improve staff efficiency, and increase patient satisfaction. It also allows you to set up a virtual clinic and have online telehealth appointments with your patients.

Curogram can send two-way SMS auto-reminders and messages to your patients, allowing patients to respond directly and have a real person answer their follow-up questions. Your staff can customize reminders based on sending times, appointment types, and more. 

Curogram telemedicine includes a virtual waiting room where you can see who’s ready and waiting to meet with you. It facilitates sending medical documents, including secure web-based intake forms and visit summaries straight from the EHR, and has many other helpful features.
Curogram's features include:

  • Local business text number to use from the web
  • EHR integration
  • Automated reminders
  • Advanced waiting room management tools
  • Patient intake forms and payment requests
  • Adequate telemedicine solution

When you want to send sensitive patient data to your medical team or patients, choosing WhatsApp as the platform is not a smart decision. It puts protected health information and your practice's reputation at risk, and, like most consumer-grade messengers, it simply isn't fit for purpose in healthcare. Always offer your patients and your organization a HIPAA compliant, secure solution.