What is HIPAA-compliant messaging?

If you ask any smartphone owner what ‘apps’ they use on a daily basis, you will hear familiar names such as Instagram, Facebook, Snapchat, iMessage and WhatsApp. Suffice it to say, these applications are such an integral part of people’s day to day that, by the very nature of their ease of use and the value of their connectivity, they have crept their way into the workplace.

So… why is this a problem when it comes to healthcare?

In the healthcare sector, mobile devices are everywhere and are often used at the point of care. In particular, clinicians at hospitals and healthcare organizations are using the consumer text messaging and instant-messaging apps from their personal lives to communicate and discuss patient details, simply because these services are convenient. This can violate health privacy standards, including HIPAA, by putting protected health information (PHI) at risk.


When we start to think about messaging PHI to colleagues, we need to understand the implications this may have on HIPAA. Let’s take a closer look at the fundamental principles of HIPAA to make sure we can adopt safe messaging practices in our organization.

What is PHI?

Under HIPAA, PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. *

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. **

The 3 Rules of HIPAA

The Privacy Rule


The Privacy Rule assures that individuals’ protected health information (PHI) is properly protected while allowing the flow of health information needed to provide and promote high-quality care. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care. ***


The Security Rule


The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. ****


The Breach Notification Rule


HIPAA treats any use or disclosure of PHI that is not permitted under the Privacy Rule as a breach. If the breach affects more than 500 people, HHS must be notified immediately. HHS posts the breach on its website, and the covered entity must also post a notice on its own website. *****

Where do consumer apps and text messaging fall short?

SMS/Texting

SMS messaging is unencrypted and can be intercepted on public networks. SMS messages are also unaccountable, and copies remain on telco servers indefinitely in plain text. The only resolution here is to exclude any PHI from messages sent via SMS.

WhatsApp

WhatsApp messages are only encrypted in transit. Messages and photos on a device or in a backup remain vulnerable: they are stored in plain text and in personal camera rolls. WhatsApp does not authenticate or verify its users, so it is easy to send a message to the wrong person by mistake. Personal phone numbers are required to message individuals, and clinical conversations can easily be mixed with personal chats.


Facebook Messenger


Facebook Messenger is the most popular messaging solution in the US, with more than 100 million users. However, it is not HIPAA-compliant because it contains no security features for access control and no encryption, and it could allow unauthorized access to PHI.


So, what is HIPAA-compliant messaging?

HIPAA-compliant messaging needs to meet the Privacy and Security Rules of HIPAA. Here are some basic guidelines to look for when selecting a HIPAA-compliant messaging app for your organization.

  • Ensure patient data is encrypted throughout its entire journey, both at rest and in transit.
  • Restrict access to patient information to authorized users only, for example the healthcare professionals looking after the patient.
  • Ensure the solution has robust, audited, and vetted technical, physical, and administrative safeguards that prevent unauthorized access to PHI.
  • Ensure records of sent messages can be audited to demonstrate compliance with HIPAA.

Breaching HIPAA has severe penalties including civil charges

Penalties for texting in violation of HIPAA are severe. A single breach of HIPAA can be fined up to $50,000 per day. Healthcare organizations that turn a blind eye to texting in violation of HIPAA can also face civil charges from the patients whose data has been exposed if the breach results in identity theft or other fraud. ******


We go above and beyond HIPAA requirements

At Celo, we approach HIPAA-compliant messaging through two lenses: compliance and convenience. For organizations to ensure all staff remain compliant with HIPAA regulations, they need to provide a tool that organically builds in safeguards, so that compliance is simply a byproduct of using the tool day to day.

Celo solves HIPAA compliance and convenient secure messaging in the following ways:

  • An easy-to-use solution that requires no training and averages 85% uptake across an organization within 24 hours.
  • HIPAA-compliant encryption in transit and at rest.
  • A trusted healthcare network in which we verify each user's identity, workplace, and profession.
  • High-trust mobile device security - we automatically lock the Celo app after transmitting PHI, and it can be conveniently unlocked through biometric authentication such as fingerprint or facial recognition.
  • Patient photos are secure and kept separate from your personal photo library. We never store patient photos on local devices; instead, we keep them safe and secure in our HIPAA-compliant data centers.
  • Secure healthcare integration via FHIR - we integrate seamlessly with over 50 EHRs, which means auditing becomes automated and the source of truth for PHI remains in the EHR.
  • We use HIPAA-compliant, encrypted and secure data centers through our partner Microsoft Azure. On top of this, fields containing patient data are protected with additional encryption.
  • We are regularly audited against HIPAA compliance and more than 15 other global healthcare standards.

We’re here to protect patient privacy, make clinicians' lives easier and deliver better patient outcomes - so Celo is free to use for individual health professionals and we offer an Enterprise version for organizations.

If you're ready to embrace the new normal and take your team's collaboration and communication to a whole new level, get in touch to learn more about our free, secure and compliant healthcare messaging app.




*** HHS.gov - U.S. Department of Health & Human Services https://www.hhs.gov/answers/hipaa/what-is-phi/index.html


**** HHS.gov - U.S. Department of Health & Human Services https://www.hhs.gov/hipaa/for-professionals/security/index.html


***** HHS.gov - U.S. Department of Health & Human Services https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html