Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. We happily encourage therapists to consider the costs and benefits of using Signal, and hope many will adopt it. Please ensure you understand its proper use and make procedures for its proper use before introducing it into your practice.
# of Caveats: 0
# of Usage Notes: 0

Relevant Product Characteristics

  • This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.

What Is This Product?

This review is public. Generally, our HIPAA-propriateness reviews are only available to members of Person-Centered Tech Support, but this one is special. If you want access to all of our HIPAA-propriateness reviews, please subscribe to Person-Centered Tech Support today.

Signal is a free and open source texting app that works on iPhones and Android phones, and is highly private. It is intended to be private enough to prevent anyone but the people involved in a conversation from being able to read any messages in that conversation.

We made this review public because Signal is a service to the public. Although it is created by a company, Open Whisper Systems, the purpose of Signal is to be of public value. It is funded by numerous private and non-profit donors, and it is endorsed by security luminaries such as Edward Snowden and Bruce Schneier.

This is all great, and we strongly endorse the use of Signal. That’s not just because it’s secure, but also because it’s easy to use and is likely to be a very effective “gateway” for therapists and clients to start taking secure communications more seriously. Once again, we strongly encourage therapists to consider the costs and benefits of using Signal in their practices if for no other reason than the fact that it is likely to be a convincing way to get clients to use a truly secure option when they text with their therapist.

Signal is easy to use for secure communications. However, its highly private nature makes it harder to document the messages you exchange using it. Please read the notes below quite carefully, and ensure you have a set of procedures in place for using Signal properly before you introduce it into your practice. Consider that if maintaining the procedures you need to use Signal and be HIPAA compliant is outside your capabilities, there are paid options out there for secure texting that provide more support for your HIPAA-and-ethics-related documentation needs. See our article on documenting texts and emails for some guidance.

Wait. They don’t do a Business Associate Agreement.

Our careful analysis of the way Signal handles PHI leads us to believe that they qualify as a conduit under the HIPAA Business Associate Rule. Very few software packages can claim that distinction, but Signal is one of them according to all information available to us. So the BAA, in Signal’s case, appears unnecessary.

Note that what makes Signal a conduit also gives it the harder-to-implement Notes that we’ve written below. There’s a definite trade-off when a software package acts like a conduit under the Business Associate Rule.

Caveats

Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.

None

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

None
