Vital Stats
Relevant Product Characteristics
- This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.
What Is This Product?
Signal is a free and open source texting app that works on iPhones and Android phones, and is highly private. It is intended to be private enough to prevent anyone but the people involved in a conversation from being able to read any messages in that conversation.
We made this review public because Signal is a service to the public. Although it is created by a company, Open Whisper Systems, the purpose of Signal is to be of public value. It is funded by numerous private and non-profit donors, and it is endorsed by security luminaries such as Edward Snowden and Bruce Schneier.
This is all great, and we strongly endorse the use of Signal. That’s not just because it’s secure, but also because it’s easy to use and is likely to be a very effective “gateway” for therapists and clients to start taking secure communications more seriously. Once again, we strongly encourage therapists to consider the costs and benefits of using Signal in their practices if for no other reason than the fact that it is likely to be a convincing way to get clients to use a truly secure option when they text with their therapist.
That said, while Signal is easy to use for secure communications, its highly private nature makes it harder to document the messages you exchange using it. Please read the notes below quite carefully, and ensure you have a set of procedures in place for using Signal properly before you introduce it into your practice. If maintaining the procedures you need to use Signal and be HIPAA compliant is outside your capabilities, consider that there are paid options for secure texting that provide more support for your HIPAA-and-ethics-related documentation needs. See our article on documenting texts and emails for some guidance.
Wait. They don’t do a Business Associate Agreement.
Our careful analysis of the way Signal handles PHI leads us to believe that they qualify as a conduit under the HIPAA Business Associate Rule. Very few software packages can claim that distinction, but Signal is one of them according to all information available to us. So the BAA, in Signal’s case, appears unnecessary.
Note that the same characteristics that make Signal a conduit are also the reason for the harder-to-implement Notes that we've written below. There's a definite trade-off when a software package acts like a conduit under the Business Associate Rule.
Caveats
Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.
None
Notes
Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.
None