How to Ensure a HIPAA Compliant Chat: A FULL Checklist

November 21, 2022
Time:
7
mins
Customer using HIPAA compliant live chat

All healthcare providers have a legal duty to protect patient data. And to do this, they must comply with HIPAA regulations. 

This includes only using contact channels that are HIPPA compliant when sending protected health information (PHI).

But does this mean you can’t use web chat or video chat software?

We've put together the ultimate HIPAA compliant chat checklist to help answer this question. We'll cover:

  • What is HIPAA compliance?
  • Is live chat HIPAA compliant?
  • Is SMS HIPAA compliant?
  • Is Talkative HIPAA compliant?
digital customer experience

What is HIPAA compliance?

First, let’s be clear about what HIPAA compliance means in relation to patient contact.

In essence the Health Insurance Portability and Accountability Act is designed to protect the confidentiality of patients and ensure PHI (Protected Health Information) is treated with the highest sensitivity.

HIPAA at a high level mandates that organizations:

• Ensure the confidentiality, integrity, and availability of e-PHI created, received, maintained or transmitted

• Identify and protect against reasonably anticipated threats to the security or integrity of the information

• Protect against reasonably anticipated, impermissible uses or disclosures

• Ensure compliance by the workforce

Unfortunately, there are no crisply defined rules on achieving compliance for web chat.

HIPAA specifies the outcomes, but not exactly how to achieve them.

This means that the onus is on you as an organization to do your own due diligence in implementing a HIPAA compliant chat and safeguarding your PHI.

Do I need a HIPAA compliant chat solution

If you are a CE (Covered Entity), then yes you do need a HIPAA compliant chat solution.

CEs include, but are not limited to:

  • Covered healthcare providers (hospitals, clinics, regional health services, individual medical practitioners) that carry out transactions in electronic formats
  • Healthcare clearing houses
  • Health plan providers, including: insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authority, in addition to employers, schools or universities that collect, store or transmit EPHI (Electronic Protected Health Information), to enrol employees or students in health plans.

Now we have have the basics out of the way, let's dive into the checklist.

contact center agent using live chat

Is live web chat HIPAA compliant?

What must be in place to ensure a live web chat system is HIPAA compliant?

Simply put - some chat systems are not HIPAA compliant, but some can be with configuration.

Here's a checklist of things to look for to see if a chat solution is HIPAA compliant (or not).

1. BAA contract

No matter what live chat you decide to use, you need to enter into a contract known as a BAA (Business Associate Agreement).

Without this, it won't meet HIPAA regulations.

The BAA is a contract that states your supplier adheres to the same procedures, policies, and obligations to protect and secure your data.

There is a good chance you might have multiple BAAs with various suppliers depending on what services those suppliers provide.

Many chat systems will not include a BAA, so be sure to check with the provider that they'll be willing to help you to ensure the BAA is in place.

Additionally, reviewing the contract with AI can help streamline this process.

2. Employee access controls

HIPAA specifies that each employee at your organization should only see the “minimum necessary” information to do their job.

This means your HIPPA compliant chat solution should have the ability to have separate permissions for different user roles.

For example, agents should not be able to see chat transcripts from other agents. However, admins or "supervisors" may have a requirement to see all the chat transcripts.

Ideally, you should also have strong authentication controls to restrict access to the chat system.

Solutions to this may include 2FA (2 or multi-factor authentication), IP whitelisting, SSO (Single Sign On), system-enforced password policies, or ideally a combination of all of these.

contact center agent performance

3. Data availability

HIPAA requires that organizations ensure patient data is available, including data that might be contained in a chat transcript.

This means you need a HIPAA compliant live chat that is stable with consistent uptime (look for a minimum 99.95% uptime SLA) and that backs up your data.

You should make sure to thoroughly understand the availability of the chat system.

Not only does this mean finding a sustainable data center provider (public, private, hybrid or on-premise) but also understanding the resilience of the application, database, and other components that make up a chat system.

Where possible, ask for a report on historical uptime and any instances of lost or compromised data - both of which are obviously big red flags.

A great benefit of having chat transcripts and PHI data in the cloud is that even in the event of a disaster at your physical location, and everything was destroyed, you could still retrieve your records.

Storing data in the cloud is not without potential HIPAA-related drawbacks of course.

You should be clear about where your data is stored, and the more third party providers that have access to PHI, the more stringent you will need to be with maintaining BAAs and compliance adherence.

4. Data security & integrity controls

HIPAA mandates secure data, so you need a solution with strong encryption.

A HIPPA compliant chat solution should encrypt all messages - both while in transit and at rest.

Be careful to check that live chat providers encrypt all data at rest on their servers, in addition to encryption in transit).

Most chat solutions will visibly show to the end user if they are served over HTTPS or HTTP, but encryption at rest is something you will need to verify.

Data storage must have a “high level of physical security”.

Data centers should have policies for reviewing controls and should regularly oversee risk assessment procedures.

Most major cloud providers such as AWS, Azure and GCP meet HIPAA compliance guidelines, but you should be careful to check for other cloud providers and be very clear about the risks of on-premise deployments.

customer hand and AI hand

5. Data sovereignty

HIPAA requires that your patients’ PHI data will not leave the United States territory.

This is a simple one but easy to overlook - make sure that you are using a chat system with US-based data centers.

6. Audit controls

A core requirement that HIPAA mandates is to keep an audit log of user actions in the chat service.

You need to be able to track who accessed which chat, when they did, and what they did.

Your HIPAA compliant chat software should be capable of creating and recording an audit trail of all interactions containing ePHI.

Any chat service that archives conversations and provides transcripts of all chats will probably meet this requirement.

7. Recipient authentication

Any messages that contain PHI should go to the intended recipient and the intended recipient only.

If those communications end up in someone else’s hands that represents a HIPAA violation.

As most web chat is "inbound", you might think this is a straightforward one. Alas.

Most chat systems will have a "chat transcript" option - this should be disabled for HIPAA compliance as it could send the entire chat transcript, inclusive PHI, to the wrong recipient with an accidentally mistyped email.

It's also worth underscoring the fact that having a HIPAA compliant live chat does not necessarily make you HIPAA compliant.

It can at best only support your organization in its ongoing efforts to achieve compliance and maximize data security.

interaction tips wand

Is SMS HIPAA compliant?

The answer here is simple - no, SMS is not HIPAA compliant.

SMS messages are not encrypted and therefore should not be used for sending or receiving PHI under any circumstances.

social messaging channels

Is video chat compliant?

Video chat software, from a HIPAA compliance perspective, is actually very similar to live chat in terms of access, audit controls and encryption.

WebRTC, a browser protocol that powers most video chat solutions, mandates encryption by default.

Assuming you have the same controls in place as mentioned for live chat, then video chat can definitely support a HIPAA compliant strategy.

customer video chat with contact center agent

Is Talkative HIPAA compliant?

Let's use the checklist above and go through each point to see if Talkative's live chat solution is HIPAA compliant.

1. BAA contract

Talkative will work with you to sign a Business Associate Agreement (BAA).

Our legal team can accommodate any changes to our BAA that you may require.

2. Employee access controls

Talkative can implement a number of agent access to control to ensure a HIPAA compliant chat service, such as:

  • Users have roles/permissions to ensure they only see the minimum required info
  • Agents can only see interaction logs that they have interacted with
  • IP addresses can be whitelisted for additional security
  • SSO is available
  • Our password policy mandates general info sec best practices
  • Agents are automatically logged out after pre-defined time intervals

3. Data availability

Talkative leverages regional AWS data centers with a fully resilient server architecture. 

The system is imaged and backed up at regular intervals to ensure data integrity in the event of any potential downtime.

We  provide you with an SLA with guaranteed uptime and can share historical uptime details with you.

Single tenant deployments are also available, and admins are able to search logs and find and delete PHI where necessary.

While typically chat transcripts and interaction data is stored in the Talkative database in the cloud, you can configure a variable data retention policy, whereby data will be permanently and thoroughly purged from the Talkative system.

In this instance, we typically integrate into your preferred CRM or on-premise database, where we send all the data, transcripts and PHI.

The benefit of this is that no PHI resides on Talkative servers, limiting your exposure for having a third party (Talkative) storing PHI.

4. Data security & integrity controls

The Talkative solution encrypts all data in transit and at rest.

We also use HIPAA-compliant data centers (in this case the USA, but other regions can be selected).

Encryption - TLS 1.2 or higher and HTTPS/WSS connections for data in transit and at rest.

We use AWS for hosting the Talkative solution. Any of the AWS infrastructure locations can be used for the Talkative solution.

  • Physical Security includes locking down and logging all physical access to the data centre.
  • Data centre access is limited to only authorised personnel.
  • Badges and biometric scanning for controlled data centre access.
  • Security camera monitoring at all data centre locations.
  • Access and video surveillance log retention.
  • 24x7 onsite staff provides additional protection against unauthorised entry.
  • Unmarked facilities to help maintain low profile.
  • Physical security annually audited by independent firms.

Operational security includes creating business processes and policies that follow security best practices, in order to limit access to confidential information and maintain tight security.

  • ISO 27001/2 based policies, reviewed annually.
  • Documented infrastructure change management procedures.
  • Secure document and media destruction.
  • Incident management function.
  • Business continuity plan focused on availability of infrastructure.
  • Independent reviews performed by third parties.
  • Continuous monitoring and improvement of security program.

5. Data sovereignty

As mentioned above, Talkative uses US-based AWS data centers.

6. Audit controls

In line with a HIPAA compliant chat, the Talkative solution has a log of agent actions in chat conversations.

We can audit the log to make sure that you meet this requirement.

7. Recipient authentication

By default, Talkative lets website visitors have the possibility to send the transcript of their conversation to any email address that they input.

To make your chat HIPAA compliant, you should configure this option to be disabled.

This is really easy to do, and if you do encounter any problems, we are always available to lend a helping hand.

Talkative logo

The takeaway

It's clear that there's a lot to consider when it comes to ensuring your chat solution is HIPAA compliant.

Luckily, if you’re looking for chat software that can meet your HIPAA compliant needs, we’ve got you covered.

In addition to live chat, our platform provides a suite of real-time customer contact channels, plus deep integrations into systems like Salesforce and Mitel.

Want to learn more?

Book a demo with us today to experience our real-time customer engagement solution in action and ask our experts any questions you have.

Ready for the future of customer service?

Download The 2024 Inner Circle Guide to Chatbots & Conversational AI

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.