Is Facebook Messenger HIPAA compliant?

In the healthcare and medicine industry, doctors, physicians, nurses, and patients often need to send information to one another urgently. As you well know, the difference between life and death can be a matter of minutes, and those minutes may be the time it takes for a message to travel from one device to another. Patient reminder apps usually include chat features, but many medical practices don't have such a platform. They rely instead on chat platforms that are readily available on any device. One of the most common and popular social media platforms with a solid messaging service is Facebook Messenger. It is reliable, but is it acceptable to send protected health information through it? Does Facebook Messenger meet the regulations set out by HIPAA?

Most of us are familiar with Facebook Messenger. It is a messaging platform that works in tandem with the social media website Facebook, allowing Facebook users to send each other messages, photos, videos, and other audio and video files. The service has undergone several facelifts since its initial release in 2011. Currently, Facebook Messenger is also available as a desktop application for both Windows 10 and macOS.


The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is administered by the Department of Health and Human Services, which promulgates its implementing rules. The key mandate of the Act was to provide regulations that protect health information, guaranteeing its privacy and security.

Two rules are referred to again and again in HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule (also known as the Standards for Privacy of Individually Identifiable Health Information) established protections for health information in general. The Security Rule, on the other hand, established regulations specifically for protected health information that is held or transferred in electronic form.


Therefore, for a medical practice to use any messaging service, it must ensure that the service has security controls that guarantee the protection of that data. Health information must not be open to interception while in transit, which brings up the matter of encryption.

Encryption is not a new issue in the social media industry; many platforms encrypt data. On that point alone, Facebook Messenger could be considered to satisfy HIPAA. However, the standards put forth by HIPAA involve more than encryption.

HIPAA demands that only authorized individuals be able to access the data sent. This means authentication and access controls. If your phone or laptop were stolen, a third party could gain access to your profile and every message in it.

HIPAA also requires that there be an audit trail: it must be possible to track what health information was sent, by whom, and when. Whether implemented in hardware or software, the audit trail should be as clear as day. Facebook Messenger, however, allows a party to delete their messages after sending them, which undermines any such record.

In conclusion, Facebook Messenger does not meet the standards set by HIPAA and is therefore not compliant.