Signal is not HIPAA compliant and cannot be used to send, receive, or store protected health information (PHI) in a healthcare setting. Despite its strong encryption, Signal lacks several administrative and organizational features that HIPAA’s Security Rule requires, and the company does not sign Business Associate Agreements with covered entities.
Why Strong Encryption Isn’t Enough
Signal’s end-to-end encryption is genuinely excellent. Messages are encrypted on your device and can only be decrypted by the recipient, meaning Signal itself cannot read your conversations. That checks one important box under HIPAA’s technical safeguard requirements. But encryption is only one piece of what HIPAA demands.
HIPAA compliance involves three categories of safeguards: technical, administrative, and physical. Signal handles the technical encryption well but falls short on nearly everything else. The platform was designed for individual privacy, not for organizational oversight of sensitive health data. Those are fundamentally different goals.
What Signal Is Missing
Signal accounts are set up per user, with no option for organizations to manage a shared platform. This creates a cascade of compliance gaps. There are no centralized administrative controls to manage user accounts, track activity, or remove someone’s access when they leave the organization. That last point matters because HIPAA’s Security Rule specifically requires covered entities to terminate access for departing workforce members.
Other missing capabilities include:
- Audit logs: Signal doesn’t track who sent what to whom or when. HIPAA requires the ability to monitor access to PHI.
- Automatic logoff: No timeout feature to lock sessions after inactivity.
- Centralized backup: All messages are stored locally on each user’s device, with no organizational backup or archiving.
- Remote data deletion: If a phone is lost or stolen, there’s no way for an administrator to remotely wipe Signal data from that device.
These aren’t minor technicalities. They represent core requirements under the Security Rule that any platform handling PHI needs to support.
Signal Won’t Sign a Business Associate Agreement
Under HIPAA, any third-party service that handles PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). This contract establishes the vendor’s legal responsibility to protect that data. Signal does not enter into BAAs with healthcare organizations. Without a BAA in place, using Signal to transmit PHI puts the covered entity in direct violation of HIPAA, regardless of how secure the underlying encryption is.
This isn’t an oversight on Signal’s part. The platform simply wasn’t built for this use case. Signal’s own privacy policy emphasizes that it’s “designed to never collect or store any sensitive information,” which sounds protective but also means the company has no infrastructure to support the accountability framework HIPAA requires.
Risks Beyond the HIPAA Violation
Even setting HIPAA aside, using consumer messaging apps for patient communication introduces practical risks that healthcare providers should take seriously. Text messages sent through personal devices often don’t get incorporated into the patient’s medical record, creating gaps in documentation. Those gaps can disrupt continuity of care and create serious problems during malpractice litigation.
Messages exchanged between healthcare team members or with patients can be used as evidence in lawsuits. Many people assume that deleting a text removes it permanently, but the data often continues to exist in locations that plaintiffs can access through legal discovery. Text messages about patient care are considered part of the medical record regardless of where they’re stored, and they should be composed with the same professionalism as any clinical note.
There’s also the issue of precision. Text messages tend to be brief and informal, which can lead to miscommunication when clinical situations call for detail. Auto-correction and abbreviations introduce another layer of risk for inaccuracies in care instructions.
What to Use Instead
Several messaging platforms are specifically built for healthcare environments and designed to meet HIPAA’s requirements. These platforms encrypt messages in transit and at rest, provide administrative controls for managing users, generate audit logs, support remote wiping, and integrate with electronic health records. Their vendors sign BAAs.
Purpose-built healthcare messaging platforms include TigerConnect (formerly TigerText), Imprivata Cortext, PerfectServe, Spok Care Connect, and Vocera. Many major electronic health record systems like Epic and Cerner also have built-in secure messaging features that meet HIPAA requirements. These tools encrypt both the stored data and the transport layer, minimizing the risk of unauthorized access or disclosure.
When evaluating any platform, confirm that the vendor will sign a BAA, that messages are encrypted end to end, that administrators can control user access, and that the system produces audit trails. If a vendor can’t clearly demonstrate all four, it’s not ready for PHI.
The Phone Number Problem
Signal recently introduced usernames so people can connect without sharing phone numbers, and users can now hide their number from most contacts. But phone numbers still serve as the underlying account identifier. In a healthcare context, a patient’s phone number linked to a conversation about their health could itself constitute PHI. Signal’s privacy improvements help with general privacy, but they don’t resolve the compliance gaps around access controls, audit trails, and organizational management that HIPAA demands.
The bottom line is straightforward: Signal is a strong privacy tool for personal use, but privacy and HIPAA compliance are not the same thing. HIPAA requires organizational accountability, and Signal is built for individual autonomy. Those two design philosophies don’t overlap enough to make it work for healthcare.