Is WhatsApp HIPAA-compliant?

Recent data shows that WhatsApp has over 2.24 billion monthly active users worldwide, 79.6 million of them in the USA, a figure expected to reach 85.8 million by the end of 2023. In this blog, we share why WhatsApp and other consumer tools are not HIPAA-compliant.

WhatsApp in the healthcare environment

WhatsApp can be used for one-to-one communication, group chats, and more. It can be a key contributor to successful communication, but in healthcare a messaging tool also needs to be fit for purpose in the industry.

In the healthcare sector, mobile devices are everywhere and are often used at the point of care, for example by clinicians at hospitals or by wider care teams that need to communicate remotely.

These healthcare professionals turn to consumer messaging tools or texting to discuss patient details because of the convenience of these services.

The danger of communication tools

When sharing Protected Health Information (PHI), care teams must communicate in a HIPAA-compliant way. WhatsApp is just one of many consumer messaging tools; others include Facebook Messenger, iMessage, and SMS texting.

These consumer-grade applications do not handle the data being communicated with the right level of security, meaning they fall short of health privacy standards, including HIPAA.

What's wrong with using WhatsApp for healthcare communication?

Using WhatsApp to send protected health information (PHI) is a direct violation of HIPAA.

Here's why:

  • WhatsApp and texting are not compliant with HIPAA.
  • WhatsApp messages are only encrypted in transit. Messages and photos on a device or in backup remain vulnerable.
  • The servers owned by Facebook are not compliant with HIPAA.
  • You require personal phone numbers to message individuals.
  • Clinical conversations are easily mixed with personal chats.
  • Users are not verified and sensitive information can end up in the wrong hands.

Celo: an alternative to WhatsApp

Our secure messaging application is designed for healthcare professionals to communicate in a HIPAA-compliant environment.

Celo solves healthcare privacy risks.

Celo verifies users by identity and profession, so you can be sure you are talking to the right person. Celo also verifies healthcare organizations. The Celo healthcare messaging app is always protected by a PIN code or biometrics.

All healthcare data is stored in a Microsoft Azure data centre that is compliant with HIPAA, HITECH, ISO 27001, GDPR, HISO and OAIC regulations. All data used by the Celo app and the end user is also encrypted using sha256RSA.

All Celo data is stored securely in your Celo secure library on Celo’s compliant servers, which use healthcare-grade encryption. No patient information is stored permanently on a Celo user’s device, including any clinical photographs captured.

Talk to our team about how Celo can improve the HIPAA-compliant communication culture in your organization, so that your care teams and patients are not at risk of violations.

Complete the form below and our team will be in touch to give you a personalized demo: