
Is Signal HIPAA Compliant? No — And Encryption Isn't the Reason

Last updated: March 21, 2026

TLDR

Signal is not HIPAA compliant. It does not provide a Business Associate Agreement, keeps no audit logs, has no access controls for healthcare settings, and its disappearing messages feature actively conflicts with HIPAA's records retention rules. End-to-end encryption makes Signal secure for private communication — it does not make it HIPAA compliant. Do not use Signal for patient communications or staff coordination involving protected health information.

The short answer

Signal is not HIPAA compliant. The answer is the same however your practice configures the app: Signal is a free consumer app with no business or enterprise tier, no Business Associate Agreement, and no HIPAA-specific provisions.

The confusion here is understandable. Signal has excellent security. Its end-to-end encryption is well-regarded, and the Signal Protocol is used by other major messaging apps. Many clinicians assume that strong encryption equals HIPAA compliance. That assumption is wrong, and the gap matters.

Why encryption alone isn’t enough

The HIPAA Security Rule requires administrative, physical, and technical safeguards plus organizational requirements (45 CFR 164.308 through 164.314), not encryption alone.

Technical safeguards cover access controls, audit controls, integrity, and transmission security, including encryption. Signal handles the encryption piece: messages are encrypted end to end in transit and the local message database is encrypted on the device. It does not handle access or audit controls. There is no administration layer, so a practice cannot restrict who can view a thread, log which staff members read which conversations, or revoke a departing employee's access to existing threads; the messages stay on that person's phone.

Administrative safeguards require documented policies, training, and a signed BAA with every vendor that handles PHI. Signal doesn’t sign BAAs.

Physical safeguards govern where data is stored and who can physically access it. Signal stores messages on device — which could be a personal phone without a device management policy — and has no healthcare-specific controls over physical access.

Organizational requirements (45 CFR 164.314) specify what the business associate contract itself must contain. Back to the same problem.

A practice using Signal for patient communications has a gap in all four categories simultaneously, despite Signal’s strong technical encryption.

The disappearing messages problem

Signal's disappearing messages feature deletes each message from every participant's device once a per-chat timer expires (from 30 seconds to four weeks, or a custom interval), and the timer can be set as the default for all new chats. This creates a specific HIPAA problem beyond the BAA issue.

HIPAA requires covered entities to retain compliance documentation (policies, procedures, risk analyses, and records of actions the rules require) for at least six years from its creation or the date it was last in effect (45 CFR 164.316(b)(2)). Retention periods for the medical record itself are set by state law and payer requirements, and are often longer. Communications about patient care sent through a messaging app, such as care coordination messages, treatment instructions, and documentation of clinical decisions, can fall under either requirement, and Signal offers no compliance archive or supervised export through which a practice could retain them.

Using disappearing messages for any patient-related communication destroys records your practice is obligated to keep, on every participant's device at once. This is a records retention violation on top of the BAA violation.

The FTC and OCR position on consumer messaging apps

The FTC and the HHS Office for Civil Rights have both issued guidance warning covered entities against using consumer messaging apps for PHI. The warning applies to Signal, WhatsApp, standard iMessage, and similar consumer platforms. Mobile device management can enforce device-level policy on the phones that run these apps, but it does not supply the missing BAA or audit trail.

The enforcement history supports taking this seriously. Small practices have faced OCR investigations and civil monetary penalties for staff using consumer apps for patient communications. The OCR’s Right of Access enforcement actions show the agency is willing to act on complaints from patients and audits of small practices, not just large health systems.

What to use instead

Three purpose-built clinical messaging platforms cover the Signal use case within HIPAA-compliant infrastructure:

TigerConnect is widely used in hospital systems but has plans for smaller practices. It provides secure messaging, audit trails, and BAA coverage across voice, text, and image sharing.

Klara handles patient-facing messaging specifically — secure messaging between practice and patient, with BAA coverage and records retention built in.

Spruce Health covers both staff-to-staff and patient-facing communication, with HIPAA compliance and a BAA included.

The coordination gap beyond messaging

Secure messaging handles communications. Practices also need a compliant place for the work that follows those communications.

When a patient message generates a task — a follow-up call, a referral to schedule, a prescription to process — that task references patient context. It can’t live in a general task tool without HIPAA coverage, and it doesn’t belong in a messaging thread that might disappear.

We built PHIGuard to handle this coordination layer: HIPAA-compliant task management for small practices at $20/month flat for up to 10 staff. A BAA is included at every tier, no per-user fees. Staff can track patient-related work without creating compliance gaps in tools that were never designed for healthcare.


DEFINITION

End-to-end encryption (E2EE)
A communication method in which only the sender and the intended recipients hold the keys needed to read messages; the service operator cannot read them. Signal uses E2EE for all messages and calls. E2EE is a strong confidentiality control, but it satisfies only part of the technical safeguards. HIPAA also requires administrative, physical, and organizational safeguards, including a signed BAA, that E2EE does not provide.

DEFINITION

Business Associate Agreement (BAA)
A required HIPAA contract between a covered entity (your practice) and any vendor that creates, receives, maintains, or transmits protected health information on its behalf. Signal does not offer a BAA under any circumstances, so a practice has no contractual basis for routing PHI through it.

DEFINITION

Audit trail
A record of who accessed, modified, or transmitted protected health information, and when. HIPAA's audit controls standard requires covered entities and their business associates to record and examine activity in systems that hold ePHI. Signal has no customer administration layer and keeps no such logs; by design it retains almost no metadata about who communicated with whom.

DEFINITION

Records retention
HIPAA requires covered entities to retain compliance documentation for at least six years (45 CFR 164.316); retention periods for the medical record itself are set by state law. Signal's disappearing messages feature, when enabled, destroys messages that may constitute required records under either rule, on every participant's device.


Want to learn more?

Is Signal HIPAA compliant?
No. Signal does not provide a Business Associate Agreement and does not offer HIPAA-compliant messaging. Despite its strong encryption, Signal lacks the audit logs, access controls, breach notification procedures, and records retention capabilities that HIPAA requires from any vendor handling protected health information.
Doesn't end-to-end encryption make Signal HIPAA safe?
No. Encryption is one technical safeguard under HIPAA, not a substitute for full compliance. HIPAA also requires a signed BAA, audit trails of who accessed PHI and when, access controls, breach notification procedures, and minimum-necessary-use enforcement. Signal provides none of these for healthcare organizations.
Why does Signal's disappearing messages feature conflict with HIPAA?
HIPAA requires covered entities to retain compliance documentation for at least six years, and state law sets retention periods for the medical record. Signal's disappearing messages feature deletes each message from every participant's device after a per-chat timer expires. Using disappearing messages for any communication involving PHI destroys records your practice may be required to keep, creating a retention violation on top of the BAA violation.
What are HIPAA-compliant alternatives to Signal for clinical messaging?
Purpose-built secure clinical messaging tools include TigerConnect, Klara, and Spruce Health. All three are designed for healthcare, sign BAAs, maintain audit logs, and meet HIPAA's technical and administrative safeguard requirements. They work on mobile devices like Signal does, but within a compliant framework.
Can I use Signal for non-patient staff communications?
Signal can be used for staff communications that involve no protected health information: general scheduling, non-patient topics, personal messages. The risk is that staff who use Signal for general communication will apply it to patient-related coordination out of habit. A clear written policy separating PHI from non-PHI communication tools, covered in staff training, is necessary.
