How to Ensure a HIPAA Compliant Chat: A FULL Checklist
For healthcare companies, HIPAA compliance is a core regulatory requirement, but does this mean you can’t use web chat or video chat software? It depends! We put together a HIPAA compliant chat checklist to help answer this question.
What is HIPAA compliance?
First, let’s be clear about what HIPAA compliance means in relation to patient contact.
In essence, the Health Insurance Portability and Accountability Act is designed to protect the confidentiality of patients and ensure PHI (Protected Health Information) is treated with the highest sensitivity.
HIPAA at a high level mandates that organizations:
• Ensure the confidentiality, integrity, and availability of e-PHI created, received, maintained or transmitted
• Identify and protect against reasonably anticipated threats to the security or integrity of the information
• Protect against reasonably anticipated, impermissible uses or disclosures
• Ensure compliance by the workforce
Unfortunately, there are no crisply defined rules on achieving compliance for web chat. HIPAA specifies the outcomes, but not exactly how to achieve them.
This means that the onus is on you as an organization to do your own due diligence in coming up with a HIPAA compliant chat and the set of systems and processes needed to safeguard your PHI.
Do I need a HIPAA compliant chat solution?
If you are a CE (Covered Entity), then yes! CEs include, but are not limited to:
- Covered healthcare providers (hospitals, clinics, regional health services, individual medical practitioners) that carry out transactions in electronic formats
- Healthcare clearing houses
- Health plan providers, including: insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authority, in addition to employers, schools or universities that collect, store or transmit EPHI (Electronic Protected Health Information), to enroll employees or students in health plans.
Now we have the basics out of the way, let’s dive into the checklist.
Is live web chat HIPAA compliant? A handy checklist
What must be in place to ensure a live web chat system is HIPAA compliant? Simply put – some chat systems are not HIPAA compliant, but some can be with configuration.
Here’s a checklist of things to look for to see if a chat solution is HIPAA compliant (or not).
1. BAA contract
No matter which web chat system you might ultimately decide to use to meet your HIPAA compliant chat needs, you need to enter into a contract known as a BAA (Business Associate Agreement).
The BAA is a contract that states your supplier adheres to the same procedures, policies, and obligations to protect and secure your data. There is a good chance you might have multiple BAAs with various suppliers depending on what services those suppliers provide.
Most off-the-shelf chat systems will not include a BAA, so be sure to check with the chat vendor that they will be willing to spend a bit of time with you to ensure the BAA is in place.
2. Employee access controls
HIPAA specifies that each employee at your organization should only see the “minimum necessary” information to do their job. This means your HIPAA compliant chat solution should have the ability to have separate permissions for different user roles. For example, agents should not be able to see chat transcripts from other agents. However, admins or “supervisors” may have a requirement to see all the chat transcripts.
Ideally, you should also have strong authentication controls to restrict access to the chat system. Solutions to this may include 2FA/MFA (two-factor or multi-factor authentication), IP whitelisting, SSO (Single Sign On), system-enforced password policies, or ideally a combination of all of these.
3. Data availability
HIPAA requires that organizations ensure patient data is available, including data that might be contained in a chat transcript. This means you need a HIPAA compliant live chat that is stable with consistent uptime (look for a minimum 99.95% uptime SLA) and that backs up your data.
You should make sure to thoroughly understand the availability of the chat system. This means understanding not only the data centre provider (public, private, hybrid or on-premise) but also the resilience of the application, database and other components that make up a chat system.
Where possible, ask for a report on historical uptime and any instances of lost or compromised data – both of which are obviously big red flags.
A great benefit of having chat transcripts and PHI data in the cloud is that even in the event of a disaster at your physical location (assuming you were storing chat records there), and everything was destroyed, you could still retrieve your records.
Storing data in the cloud is not without potential HIPAA-related drawbacks of course. You should be clear about where your data is stored, and the more third party providers that have access to PHI, the more stringent you will need to be with maintaining BAAs and compliance adherence.
4. Data security & integrity controls
HIPAA mandates secure data, so you need a solution with strong encryption. A HIPAA compliant chat solution should encrypt all messages – both while in transit and at rest.
Be careful to check that live chat providers encrypt all data at rest on their servers, in addition to encrypting it in transit. Most chat solutions will visibly show to the end user whether they are served over HTTPS or HTTP, but encryption at rest is something you will need to verify.
Data storage must have a “high level of physical security”. Data centers should have policies for reviewing controls and should regularly oversee risk assessment procedures. Most major cloud providers such as AWS, Azure and GCP meet HIPAA compliance guidelines, but you should be careful to check for other cloud providers and be very clear about the risks of on-premise deployments.
5. Data sovereignty
HIPAA requires that your patients’ PHI data will not leave the United States territory. This is a simple one but easy to overlook – make sure that you are using a chat system with US-based data centers!
6. Audit controls
A core requirement that HIPAA mandates is to keep an audit log of user actions in the chat service. You need to be able to track who accessed which chat, when they did, and what they did.
Your HIPAA compliant chat software should be capable of creating and recording an audit trail of all interactions containing ePHI. Any chat service that archives conversations and provides transcripts of all chats will probably meet this requirement.
7. Recipient authentication
Any messages that contain PHI should go to the intended recipient and the intended recipient only. If those communications end up in someone else’s hands that represents a HIPAA violation!
As most web chat is “inbound”, you might think this is a straightforward one. Alas. Most chat systems will have a “chat transcript” option – this should be disabled for HIPAA compliance, as it could send the entire chat transcript, PHI included, to the wrong recipient because of an accidentally mistyped email address.
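Sections 2, 6 and 7 above describe role-based transcript access, an audit trail of who accessed which chat and when, and disabling the transcript-email option. The following added example (not Talkative's code, and not from the original post) shows the three together; the class names, the roles "agent" and "supervisor", and the EMAIL_TRANSCRIPT_ENABLED switch are assumptions for illustration.

```python
# Added example (not Talkative's code): "minimum necessary" transcript access
# with an audit trail; class and role names are assumed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
EMAIL_TRANSCRIPT_ENABLED = False  # policy switch for "email me my transcript"

@dataclass
class Transcript:
    chat_id: str
    agent: str      # agent who handled the chat
    messages: list  # bodies may contain PHI

@dataclass
class AuditEntry:
    ts: str         # UTC timestamp of the attempt
    user: str
    role: str
    chat_id: str
    action: str
    allowed: bool

class TranscriptStore:
    def __init__(self, transcripts):
        self._by_id = {t.chat_id: t for t in transcripts}
        self.audit_log = []  # every attempt is recorded, allowed or denied

    def _record(self, user, role, chat_id, action, allowed):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEntry(ts, user, role, chat_id, action, allowed))
        return allowed

    def _can_read(self, user, role, chat_id):
        # Supervisors see every chat; agents only the chats they handled.
        t = self._by_id.get(chat_id)
        return t is not None and (role == "supervisor" or (role == "agent" and t.agent == user))

    def read(self, user, role, chat_id):
        if not self._record(user, role, chat_id, "read", self._can_read(user, role, chat_id)):
            raise PermissionError(f"{user} ({role}) may not read {chat_id}")
        return self._by_id[chat_id]

    def email_transcript(self, user, role, chat_id, to_addr):
        # A mistyped address would send PHI to a stranger, so the feature is
        # refused unless the policy switch is on; the attempt is still logged.
        allowed = EMAIL_TRANSCRIPT_ENABLED and self._can_read(user, role, chat_id)
        return self._record(user, role, chat_id, f"email_transcript:{to_addr}", allowed)

# Constructed sample data (not real chats).
STORE = TranscriptStore([Transcript("chat-1", "alice", ["Patient reports ..."]),
                         Transcript("chat-2", "bob", ["Appointment query"])])
```

Denied attempts are written to the audit log before the PermissionError is raised, so a supervisor reviewing the log sees failed accesses as well as successful ones.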
Remember:
It’s worth underscoring the fact that having a HIPAA compliant live chat does not necessarily make you HIPAA compliant, it can at best only support your organization in its ongoing efforts to achieve compliance and maximize data security.
Is SMS HIPAA compliant?
Definitely not! SMS messages are not encrypted and therefore should not be used for sending or receiving PHI under any circumstances.
Is video chat compliant?
Video chat software, from a HIPAA compliance perspective, is actually very similar to live chat in terms of access, audit controls and encryption. WebRTC, a browser protocol that powers most video chat solutions, mandates encryption by default.
Assuming you have the same controls in place as mentioned for live chat, then video chat can definitely support a HIPAA compliant strategy.
Is Talkative HIPAA compliant?
Let’s use the checklist above and go through each point to see if Talkative’s live chat solution is HIPAA compliant.
1. BAA contract
Talkative will work with you to sign a Business Associate Agreement (BAA) and our legal team can accommodate any changes to our BAA that you may require.
2. Employee access controls
Talkative can implement a number of agent access controls to ensure a HIPAA compliant chat service, such as:
- Users have roles/permissions to ensure they only see the minimum required info
- Agents can only see interaction logs that they have interacted with
- IP addresses can be whitelisted for additional security
- SSO is available
- Our password policy mandates general info sec best practices
- Agents are automatically logged out after pre-defined time intervals
3. Data availability
Talkative leverages regional AWS data centers with a fully resilient server architecture. The system is imaged and backed up at regular intervals to ensure data integrity in the event of any potential downtime.
We provide you with an SLA with guaranteed uptime and can share historical uptime details with you. Single tenant deployments are also available, and admins are able to search logs and find and delete PHI where necessary.
While chat transcripts and interaction data are typically stored in the Talkative database in the cloud, you can configure a variable data retention policy, whereby data will be permanently and thoroughly purged from the Talkative system. In this instance, we typically integrate into your preferred CRM or on-premise database, where we send all the data, transcripts and PHI. The benefit of this is that no PHI resides on Talkative servers, limiting your exposure from having a third party (Talkative) storing PHI.
4. Data security & integrity controls
The Talkative solution encrypts all data in transit and at rest, and we use HIPAA-compliant data centers (in this case the USA, but other regions can be selected).
Encryption – TLS 1.2 or higher over HTTPS/WSS connections for data in transit; data at rest is also encrypted.
We use AWS for hosting the Talkative solution. Any of the AWS infrastructure locations can be used for the Talkative solution.
- Physical Security includes locking down and logging all physical access to the data centre.
- Data centre access is limited to only authorised personnel.
- Badges and biometric scanning for controlled data centre access.
- Security camera monitoring at all data centre locations.
- Access and video surveillance log retention.
- 24×7 onsite staff provides additional protection against unauthorised entry.
- Unmarked facilities to help maintain low profile.
- Physical security annually audited by independent firms.
Operational security includes creating business processes and policies that follow security best practices, in order to limit access to confidential information and maintain tight security.
- ISO 27001/2 based policies, reviewed annually.
- Documented infrastructure change management procedures.
- Secure document and media destruction.
- Incident management function.
- Business continuity plan focused on availability of infrastructure.
- Independent reviews performed by third parties.
- Continuous monitoring and improvement of security program.
5. Data sovereignty
As mentioned, Talkative uses US-based AWS data centers.
6. Audit controls
In line with a HIPAA compliant chat, the Talkative solution has a log of agent actions in chat conversations. We can audit the log to make sure that you meet this requirement.
7. Recipient authentication
By default, Talkative lets website visitors have the possibility to send the transcript of their conversation to any email address that they input. To make your chat HIPAA compliant, you should configure this option to be disabled. This is really easy to do, and if you do encounter any problems, we are always available to lend a helping hand.
This blog post was first published by Talkative.