
HIPAA Meets iMessage (Beyond Finance Series, #1)

Explore how healthcare is adapting HIPAA’s 1996 rules to today’s off-channel messaging, from iMessage to WhatsApp, and what compliance teams need to know.

Apr 09, 2026

Jeremiah Church is a compliance nerd with over 20 years in Fintech and Compliance Software who believes complex problems should have simple fixes — and builds tech to make that happen.

An Apple iMessage a day keeps the Doctor in Play

Last week, I received a kind “how is your hand?” text from my doctor after a very dumb “I don’t need to ask for help to lower this piece of equipment when I can slide it down a ladder” moment, followed by a very loud crash. That text was a perfectly human moment, and a perfect compliance headache if it wasn’t sent over a channel with the safeguards the HIPAA Security Rule requires for electronic PHI, and retained wherever the provider’s own policies and audit controls call for it.

That perfectly human moment illustrates the theme of our new blog series: strict oversight isn’t unique to Wall Street. Although we cut our teeth in Finance, we’re kicking off a series that looks at other highly regulated industries, starting with communication regulation in healthcare.

HIPAA Wasn’t Built for iMessage


The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. We all have colleagues born after that, and iMessage, then just a twinkle in Apple’s eye, didn’t launch until 2011.


Not everyone is an investor, but patients are certainly investing in their own health. If you think your doctors aren’t using SMS/MMS to contact their patients, I can assure you they are.

A stray message with protected health information (PHI) can lead to data leaks that hurt real people and trigger fines and reputational damage. (Sound familiar? It’s the same in the Finance industry with different regulatory bodies.) 

Whether it’s a surgeon texting test results or a billing rep replying via LinkedIn, these off-channel messages often fall outside the audit trail. And when PHI is involved, HIPAA expects it to be safeguarded, and your audit controls and retention policies need to cover it. Think about your most recent therapy session: was it face-to-face or online via a screen? If it was online, I bet you want that information stored securely.

Why HIPAA Matters, and Who It Protects

HIPAA isn’t just a box-checking exercise. Without it, patients, the very people the healthcare industry serves, are put at risk.

“The trust was just gone. I was like how could this happen? You go to a doctor and you open up and you think that you can trust them. That’s like the one person you’re taught to trust.”

In one 2019 incident, a medical assistant accessed a patient’s records and posted them online. These are the kinds of violations HIPAA is designed to prevent.

At its core, HIPAA was designed to:

HIPAA can add extra steps, and yes, it sometimes feels like it slows things down, but those safeguards are what keep you and your patients protected. The best compliance layers are invisible: they don’t slow down conversations, they secure them in the background.

Where Off-Channel Comms Get Risky

Off-channel messaging isn’t just a nuisance; in healthcare it is a serious compliance liability. Here are a few real-world patterns from hospitals and clinics where communication shortcuts created privacy gaps and regulatory risk:

1. Image-heavy chats.

A nurse texts a photo of a post-op wound to a surgeon. Great for collaboration, terrible if there is no audit trail. Well-intended images expose PHI when they travel over unsecured tools.

HIPAA Photography Rules: Updated for 2025
A deep dive into how clinical photos must follow strict consent, encryption, and audit-trail requirements. (via HIPAA Journal)

2. Social Media Breaches

Healthcare staff have been caught sharing patient or resident images on personal social platforms, often without realizing the legal implications. These posts aren’t just inappropriate; they are clear HIPAA violations.

Inappropriate Social Media Posts by Nursing Home Workers
A catalog of 65 real incidents highlighting how even casual social posts can breach patient privacy. (via ProPublica)

3. Ad hoc scheduling and Field Incident Reporting.

An OR scheduling team quickly reshuffles surgery times in a private Slack channel rather than logging the updates in the official calendar. It’s fast, but if PHI is involved and the platform isn’t secured or logged, it becomes a compliance landmine.

How health-care teams can maintain HIPAA compliance within Slack
Slack’s own blog outlining common use cases (including informal scheduling and procedure coordination), plus the guardrails you need.

Some of these read as casual conversations, but they are business-critical messages that must be captured, supervised, and retained under HIPAA. When they slip through the cracks, patients and providers alike pay the price.


A Business Associate Agreement (BAA) is the HIPAA-required contract that binds any vendor touching PHI to your rules. If your chat-capture proxy or messaging vendor won’t sign a BAA, every PHI-bearing conversation that flows through it is an impermissible disclosure, and under the Breach Notification Rule an impermissible disclosure is presumed to be a reportable breach unless your risk assessment shows a low probability that the PHI was compromised.

It’s also where many teams fall short, especially once consumer-grade apps like iMessage, WhatsApp, and WeChat enter the mix. None of these platforms is HIPAA-compliant on its own, and few (if any) of their vendors will sign a BAA with your organization.

Quick BAA Checklist

Global Use Cases: Lessons in Adoption

Unlike many international health systems that lean on WhatsApp for quick clinical updates, U.S. healthcare has largely steered clear: consumer apps aren’t HIPAA-ready out of the box. Early proxy solutions like TeleMessage demonstrated the concept but fell short on end-to-end audit fidelity. (We all know about the TeleMessage debacle at this point.)

Let’s look at three use cases that highlight both the promise and the pitfalls of messaging apps in healthcare.

1. Widespread Clinical Use

A 2021 review of 346 studies across Europe, Africa, Asia, and Latin America found that clinicians routinely used WhatsApp to share patient updates, images, and reports, often with no formal guidance on security or record-keeping. That “just works” convenience came at the cost of auditability and patient privacy.

2. Medical Education & Collaboration

From Dublin to New Delhi, teaching hospitals have set up WhatsApp groups for case discussions, quizzes, and scheduling. These virtual classrooms drive engagement and peer support, but when those chats contain PHI, they introduce compliance blind spots.

3. Orthopaedic Teams in Dublin

Over six months, two Dublin hospitals trialed WhatsApp for daily patient rounds, wound-photo sharing, and on-call handoffs. Efficiency soared, but so did the risk: without a structured archiving process, critical clinical decisions lived in disappearing threads rather than permanent records.

Each of these examples shows how messaging tools can plug workflow gaps but also why “informal” channels demand formal oversight.

What U.S. Healthcare Can Learn

U.S. healthcare organizations face the same communication realities as their global counterparts. Messaging tools like WhatsApp and WeChat have become go-to solutions for clinicians worldwide, used for everything from wound updates to surgical shift handoffs.


While Comma doesn’t support healthcare compliance directly, we believe it’s essential to understand how off-channel messaging poses challenges across all regulated industries.

The lesson? Even effective and convenient communication tools can create compliance risks when left unsupervised.

Off-channel messaging in healthcare isn’t going away. It’s how people communicate, clinicians included. The key is balancing speed with security.

We’ll continue exploring communication risks in other highly regulated industries in this series.

Next up: Energy.


See how Comma Compliance simplifies exam prep. Book a demo today.
