For healthcare companies, HIPAA compliance is a core regulatory requirement, but does this mean you can’t use web chat or video chat software? It depends!
We put together a HIPAA compliant chat checklist to help answer this question.
First, let’s be clear about what HIPAA compliance means in relation to patient contact.
In essence, the Health Insurance Portability and Accountability Act is designed to protect the confidentiality of patients and ensure PHI (Protected Health Information) is treated with the highest sensitivity.
HIPAA at a high level mandates that organizations:
• Ensure the confidentiality, integrity, and availability of e-PHI created, received, maintained or transmitted
• Identify and protect against reasonably anticipated threats to the security or integrity of the information
• Protect against reasonably anticipated, impermissible uses or disclosures
• Ensure compliance by the workforce
Unfortunately, there are no crisply defined rules on achieving compliance for web chat. HIPAA specifies the outcomes, but not exactly how to achieve them.
This means that the onus is on you as an organization to do your own due diligence in putting together a HIPAA compliant chat solution, along with the systems and processes needed to safeguard your PHI.
If you are a CE (Covered Entity), then yes! CEs include, but are not limited to:
Now that we have the basics out of the way, let's dive into the checklist.
What must be in place to ensure a live web chat system is HIPAA compliant? Simply put - some chat systems are not HIPAA compliant, but some can be with configuration.
Here's a checklist of things to look for to see if a chat solution is HIPAA compliant (or not).
No matter which web chat system you might ultimately decide to use to meet your HIPAA compliant chat needs, you need to enter into a contract known as a BAA (Business Associate Agreement).
The BAA is a contract that states your supplier adheres to the same procedures, policies, and obligations to protect and secure your data. There is a good chance you might have multiple BAAs with various suppliers depending on what services those suppliers provide.
Most off-the-shelf chat systems will not include a BAA, so be sure to check with the chat vendor that they will be willing to spend a bit of time with you to ensure the BAA is in place.
HIPAA specifies that each employee at your organization should only see the “minimum necessary” information to do their job. This means your HIPAA compliant chat solution should support separate permissions for different user roles. For example, agents should not be able to see chat transcripts from other agents, whereas admins or "supervisors" may need to see all chat transcripts.
Ideally, you should also have strong authentication controls to restrict access to the chat system. Options include 2FA/MFA (two- or multi-factor authentication), IP whitelisting, SSO (Single Sign-On) and system-enforced password policies, or ideally a combination of all of these.
HIPAA requires that organizations ensure patient data is available, including data that might be contained in a chat transcript. This means you need a HIPAA compliant live chat that is stable with consistent uptime (look for a minimum 99.95% uptime SLA) and that backs up your data.
You should make sure you thoroughly understand the availability of the chat system. This means understanding not only the data centre provider (public, private, hybrid or on-premise) but also the resilience of the application, database and other components that make up the chat system.
Where possible, ask for a report on historical uptime and any instances of lost or compromised data - both of which are obviously big red flags.
A great benefit of having chat transcripts and PHI data in the cloud is that even in the event of a disaster at your physical location (assuming you were storing chat records there), and everything was destroyed, you could still retrieve your records.
Storing data in the cloud is not without potential HIPAA-related drawbacks of course. You should be clear about where your data is stored, and the more third party providers that have access to PHI, the more stringent you will need to be with maintaining BAAs and compliance adherence.
HIPAA mandates secure data, so you need a solution with strong encryption. A HIPAA compliant chat solution should encrypt all messages, both in transit and at rest.
Be careful to check that live chat providers encrypt all data at rest on their servers, in addition to encryption in transit. Most chat solutions will visibly show the end user whether they are served over HTTPS or HTTP, but encryption at rest is something you will need to verify.
Data storage must have a “high level of physical security”. Data centers should have policies for reviewing controls and should regularly oversee risk assessment procedures. Most major cloud providers such as AWS, Azure and GCP meet HIPAA compliance guidelines, but you should be careful to check for other cloud providers and be very clear about the risks of on-premise deployments.
HIPAA requires that your patients’ PHI data does not leave United States territory. This is a simple one but easy to overlook: make sure that you are using a chat system with US-based data centers!
A core requirement that HIPAA mandates is to keep an audit log of user actions in the chat service. You need to be able to track who accessed which chat, when they did, and what they did.
Your HIPAA compliant chat software should be capable of creating and recording an audit trail of all interactions containing ePHI. Any chat service that archives conversations and provides transcripts of all chats will probably meet this requirement.
Any messages that contain PHI should go to the intended recipient and the intended recipient only. If those communications end up in someone else’s hands that represents a HIPAA violation!
As most web chat is "inbound", you might think this is a straightforward one. Alas. Most chat systems have a "chat transcript" option; for HIPAA compliance this should be disabled, because a single mistyped email address could send the entire chat transcript, PHI included, to the wrong recipient.
It's worth underscoring the fact that having a HIPAA compliant live chat does not necessarily make you HIPAA compliant, it can at best only support your organization in its ongoing efforts to achieve compliance and maximize data security.
Definitely not! SMS messages are not encrypted and therefore should not be used for sending or receiving PHI under any circumstances.
Video chat software, from a HIPAA compliance perspective, is actually very similar to live chat in terms of access, audit controls and encryption. WebRTC, a browser protocol that powers most video chat solutions, mandates encryption by default.
Assuming you have the same controls in place as mentioned for live chat, then video chat can definitely support a HIPAA compliant strategy.
Let's use the checklist above and go through each point to see if Talkative's live chat solution is HIPAA compliant.
Talkative will work with you to sign a Business Associate Agreement (BAA) and our legal team can accommodate any changes to our BAA that you may require.
Talkative can implement a number of agent access controls to ensure a HIPAA compliant chat service, such as:
Talkative leverages regional AWS data centers with a fully resilient server architecture. The system is imaged and backed up at regular intervals to ensure data integrity in the event of any potential downtime.
We provide you with an SLA with guaranteed uptime and can share historical uptime details with you. Single tenant deployments are also available, and admins are able to search logs and find and delete PHI where necessary.
While chat transcripts and interaction data are typically stored in the Talkative database in the cloud, you can configure a data retention policy under which data is permanently and thoroughly purged from the Talkative system. In this case, we typically integrate with your preferred CRM or on-premise database and send all data, transcripts and PHI there. The benefit is that no PHI resides on Talkative servers, limiting the exposure that comes from having a third party (Talkative) store PHI.
The Talkative solution encrypts all data in transit and at rest, and we use HIPAA-compliant data centers (in this case the USA, but other regions can be selected).
Encryption - TLS 1.2 or higher over HTTPS/WSS connections for data in transit, plus encryption of data at rest.
We use AWS for hosting the Talkative solution. Any of the AWS infrastructure locations can be used for the Talkative solution.
Operational security includes creating business processes and policies that follow security best practices, in order to limit access to confidential information and maintain tight security.
As mentioned, Talkative uses US-based AWS data centers.
In line with a HIPAA compliant chat, the Talkative solution keeps a log of agent actions in chat conversations. We can audit the log to make sure that you meet this requirement.
By default, Talkative gives website visitors the option to send the transcript of their conversation to any email address they enter. To make your chat HIPAA compliant, you should disable this option. This is easy to do, and if you encounter any problems, we are always available to lend a helping hand.
Does the Talkative solution tick all of your HIPAA compliant chat needs? Book a demo today to see it in action and ask our experts any questions you have.