How to Ensure a HIPAA Compliant Chat: A FULL Checklist

September 21, 2020
Technical

For healthcare companies, HIPAA compliance is a core regulatory requirement, but does this mean you can’t use web chat or video chat software? It depends!

We put together a HIPAA compliant chat checklist to help answer this question.

Contents

  1. What is HIPAA Compliance?
  2. Do I need a HIPAA compliant chat solution?
  3. Is web chat HIPAA compliant? The FULL checklist
  4. Is video chat or SMS compliant?
  5. Is Talkative HIPAA compliant?

What is HIPAA compliance?

First, let’s be clear about what HIPAA compliance means in relation to patient contact.

In essence, the Health Insurance Portability and Accountability Act is designed to protect the confidentiality of patients and ensure PHI (Protected Health Information) is treated with the highest sensitivity.

HIPAA at a high level mandates that organizations:

• Ensure the confidentiality, integrity, and availability of e-PHI created, received, maintained or transmitted

• Identify and protect against reasonably anticipated threats to the security or integrity of the information

• Protect against reasonably anticipated, impermissible uses or disclosures

• Ensure compliance by the workforce

Unfortunately, there are no crisply defined rules on achieving compliance for web chat. HIPAA specifies the outcomes, but not exactly how to achieve them.

This means that the onus is on you as an organization to do your own due diligence in coming up with a HIPAA compliant chat solution, together with the set of systems and processes needed to safeguard your PHI.

Do I need a HIPAA compliant chat solution?

If you are a CE (Covered Entity), then yes! CEs include, but are not limited to:

  • Covered healthcare providers (hospitals, clinics, regional health services, individual medical practitioners) that carry out transactions in electronic formats
  • Healthcare clearing houses
  • Health plan providers, including: insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authority, in addition to employers, schools or universities that collect, store or transmit EPHI (Electronic Protected Health Information), to enroll employees or students in health plans.

Now we have the basics out of the way, let's dive into the checklist.

Is live web chat HIPAA compliant? A handy checklist


What must be in place to ensure a live web chat system is HIPAA compliant? Simply put: some chat systems are not HIPAA compliant, but others can be with the right configuration.

Here's a checklist of things to look for to see if a chat solution is HIPAA compliant (or not).

1. BAA contract

No matter which web chat system you might ultimately decide to use to meet your HIPAA compliant chat needs, you need to enter into a contract known as a BAA (Business Associate Agreement).

The BAA is a contract that states your supplier adheres to the same procedures, policies, and obligations to protect and secure your data. There is a good chance you might have multiple BAAs with various suppliers depending on what services those suppliers provide.

Most off-the-shelf chat systems will not include a BAA, so be sure to check with the chat vendor that they will be willing to spend a bit of time with you to ensure the BAA is in place.

2. Employee access controls

HIPAA specifies that each employee at your organization should only see the “minimum necessary” information to do their job. This means your HIPAA compliant chat solution should have the ability to have separate permissions for different user roles. For example, agents should not be able to see chat transcripts from other agents. However, admins or "supervisors" may have a requirement to see all the chat transcripts.

Ideally, you should also have strong authentication controls to restrict access to the chat system. Solutions to this may include 2FA/MFA (two- or multi-factor authentication), IP whitelisting, SSO (Single Sign On), system-enforced password policies, or ideally a combination of all of these.

3. Data availability

HIPAA requires that organizations ensure patient data is available, including data that might be contained in a chat transcript. This means you need a HIPAA compliant live chat that is stable with consistent uptime (look for a minimum 99.95% uptime SLA) and that backs up your data.

You should make sure to thoroughly understand the availability of the chat system. This means not only understanding the data centre model (public, private, hybrid or on-premise) but also the resilience of the application, database and other components that make up the chat system.

Where possible, ask for a report on historical uptime and any instances of lost or compromised data - both of which are obviously big red flags.

A great benefit of having chat transcripts and PHI data in the cloud is that even in the event of a disaster at your physical location (assuming you were storing chat records there) in which everything was destroyed, you could still retrieve your records.

Storing data in the cloud is not without potential HIPAA-related drawbacks of course. You should be clear about where your data is stored, and the more third party providers that have access to PHI, the more stringent you will need to be with maintaining BAAs and compliance adherence.

4. Data security & integrity controls

HIPAA mandates secure data, so you need a solution with strong encryption. A HIPAA compliant chat solution should encrypt all messages, both in transit and at rest.

Be careful to check that live chat providers encrypt all data at rest on their servers, in addition to encrypting it in transit. Most chat solutions will visibly show the end user whether they are served over HTTPS or HTTP, but encryption at rest is something you will need to verify.

Data storage must have a “high level of physical security”. Data centers should have policies for reviewing controls and should regularly oversee risk assessment procedures. Most major cloud providers such as AWS, Azure and GCP meet HIPAA compliance guidelines, but you should be careful to check for other cloud providers and be very clear about the risks of on-premise deployments.

5. Data sovereignty

HIPAA requires that your patients’ PHI data will not leave United States territory. This is a simple one but easy to overlook: make sure that you are using a chat system with US-based data centers!

6. Audit controls

A core HIPAA requirement is to keep an audit log of user actions in the chat service. You need to be able to track who accessed which chat, when they did, and what they did.

Your HIPAA compliant chat software should be capable of creating and recording an audit trail of all interactions containing ePHI. Any chat service that archives conversations and provides transcripts of all chats will probably meet this requirement.
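As an added illustration (not code from this post or from Talkative) of the access controls in point 2 and the audit controls in point 6, here is a Python sketch of a minimum-necessary transcript check with an audit trail; the roles, chat ids and participant sets are constructed sample data.

```python
"""Added example (not Talkative's code): a minimum-necessary access check for
chat transcripts plus the audit trail HIPAA expects. Roles, user ids and
chat ids below are constructed sample data, not real ePHI."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample store: chat id -> set of agent ids who handled that chat.
CHAT_PARTICIPANTS = {
    "chat-1001": {"agent-a"},
    "chat-1002": {"agent-b"},
    "chat-1003": {"agent-a", "agent-b"},
}
# Constructed role assignments: agents see only their own chats, supervisors see all.
ROLES = {"agent-a": "agent", "agent-b": "agent", "sup-1": "supervisor"}


@dataclass
class AuditLog:
    """Append-only record of who touched which chat, when, and the outcome."""
    entries: list = field(default_factory=list)

    def record(self, user, chat_id, action, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "chat": chat_id, "action": action,
            "result": "allowed" if allowed else "denied",
        })


def can_view_transcript(user, chat_id):
    """Minimum-necessary rule: supervisors may read any existing transcript,
    agents only chats they personally handled; unknown users are denied."""
    role = ROLES.get(user)
    if role == "supervisor":
        return chat_id in CHAT_PARTICIPANTS
    if role == "agent":
        return user in CHAT_PARTICIPANTS.get(chat_id, set())
    return False


def view_transcript(user, chat_id, audit):
    """Authorize and audit every read attempt, including denied ones."""
    allowed = can_view_transcript(user, chat_id)
    audit.record(user, chat_id, "view_transcript", allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    for who, chat in [("agent-a", "chat-1001"), ("agent-a", "chat-1002"), ("sup-1", "chat-1002")]:
        print(who, chat, "->", view_transcript(who, chat, log))
```

Denied attempts are logged as well as allowed ones, since a reviewer auditing "who tried to access which chat" needs both.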

7. Recipient authentication

Any messages that contain PHI should go to the intended recipient and the intended recipient only. If those communications end up in someone else’s hands that represents a HIPAA violation!

As most web chat is "inbound", you might think this is a straightforward one. Alas, most chat systems will have an "email chat transcript" option. This should be disabled for HIPAA compliance, as it could send the entire chat transcript, PHI included, to the wrong recipient via an accidentally mistyped email address.

Remember:

It's worth underscoring that having a HIPAA compliant live chat does not by itself make you HIPAA compliant. At best it supports your organization in its ongoing efforts to achieve compliance and maximize data security.

Is SMS HIPAA compliant?

Definitely not! SMS messages are not encrypted and therefore should not be used for sending or receiving PHI under any circumstances.

Is video chat compliant?

Video chat software, from a HIPAA compliance perspective, is actually very similar to live chat in terms of access, audit controls and encryption. WebRTC, a browser protocol that powers most video chat solutions, mandates encryption by default.

Assuming you have the same controls in place as mentioned for live chat, then video chat can definitely support a HIPAA compliant strategy.

Is Talkative HIPAA compliant?

Let's use the checklist above and go through each point to see if Talkative's live chat solution is HIPAA compliant.

1. BAA contract

Talkative will work with you to sign a Business Associate Agreement (BAA) and our legal team can accommodate any changes to our BAA that you may require.

2. Employee access controls

Talkative can implement a number of agent access controls to ensure a HIPAA compliant chat service, such as:

  • Users have roles/permissions to ensure they only see the minimum required info
  • Agents can only see interaction logs that they have interacted with
  • IP addresses can be whitelisted for additional security
  • SSO is available
  • Our password policy mandates general info sec best practices
  • Agents are automatically logged out after pre-defined time intervals

3. Data availability

Talkative leverages regional AWS data centers with a fully resilient server architecture. The system is imaged and backed up at regular intervals to ensure data integrity in the event of any potential downtime.

We provide you with an SLA with guaranteed uptime and can share historical uptime details with you. Single tenant deployments are also available, and admins are able to search logs and find and delete PHI where necessary.

While chat transcripts and interaction data are typically stored in the Talkative database in the cloud, you can configure a variable data retention policy, whereby data will be permanently and thoroughly purged from the Talkative system. In this instance, we typically integrate into your preferred CRM or on-premise database, where we send all the data, transcripts and PHI. The benefit of this is that no PHI resides on Talkative servers, limiting your exposure from having a third party (Talkative) store PHI.

4. Data security & integrity controls

The Talkative solution encrypts all data in transit and at rest, and we use HIPAA-compliant data centers (in this case the USA, but other regions can be selected).

Encryption: TLS 1.2 or higher over HTTPS/WSS connections for data in transit, and encryption of data at rest.

We use AWS for hosting the Talkative solution. Any of the AWS infrastructure locations can be used for the Talkative solution.

  • Physical Security includes locking down and logging all physical access to the data centre.
  • Data centre access is limited to only authorised personnel.
  • Badges and biometric scanning for controlled data centre access.
  • Security camera monitoring at all data centre locations.
  • Access and video surveillance log retention.
  • 24x7 onsite staff provides additional protection against unauthorised entry.
  • Unmarked facilities to help maintain a low profile.
  • Physical security annually audited by independent firms.

Operational security includes creating business processes and policies that follow security best practices, in order to limit access to confidential information and maintain tight security.

  • ISO 27001/2 based policies, reviewed annually.
  • Documented infrastructure change management procedures.
  • Secure document and media destruction.
  • Incident management function.
  • Business continuity plan focused on availability of infrastructure.
  • Independent reviews performed by third parties.
  • Continuous monitoring and improvement of security program.

5. Data sovereignty

As mentioned, Talkative uses US-based AWS data centers.

6. Audit controls

In line with a HIPAA compliant chat, the Talkative solution keeps a log of agent actions in chat conversations. We can audit the log with you to make sure that you meet this requirement.

7. Recipient authentication

By default, Talkative lets website visitors send the transcript of their conversation to any email address that they input. To make your chat HIPAA compliant, you should disable this option. This is really easy to do, and if you do encounter any problems, we are always available to lend a helping hand.

Does the Talkative solution tick all of your HIPAA compliant chat needs? Book a demo today to see it in action and ask our experts any questions you have.
