Live chat options are a great addition to any website to open a direct communication line with potential and current patients. However, much like social media, you need to make sure you maintain HIPAA compliance if you work in healthcare.
The Paubox blog has countless articles on HIPAA compliance for different products and services used in the healthcare world. This article will compile our HIPAA compliance research on live chat options.
Let’s check out all the chat options we’ve investigated.
UPDATE: In April 2020, in connection with the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the Notification of Enforcement Discretion, which allows healthcare providers to use widely available communication apps, such as [name of the app], for telehealth services without the risk of incurring HIPAA fines. For more information, check out this recent Paubox blog post.
HIPAA compliance review
As a reminder, to remain HIPAA compliant covered entities and business associates must enter into a business associate agreement (BAA). Business associates help covered entities comply with the HIPAA Privacy Rule and keep protected health information (PHI) safe.
While some live chat solutions are HIPAA compliant or can be configured as such, not all solutions are equal. Users should be cautious with the information transmitted on these platforms. Many chat companies collect and store personal information or chat logs, which can violate HIPAA.
To err is human, but human error can cause data breaches and HIPAA violations. If your practice chooses to use live chat on your website or internal communications, you must educate your staff on how to use it in a HIPAA compliant manner.
Let’s review some of the specific companies we have looked into for HIPAA compliance.
Live chat best practice
The responsibility of maintaining HIPAA compliance falls on you and your employees. You must know how to configure your live chat to maintain compliance.
Each HIPAA compliant option will have different configuration guidelines. However, no matter what, your practice should:
- Make sure your live chat solution uses data centers in the United States
- Understand what information is considered PHI
- Double-check that all live chat integrations (such as Facebook Messenger) are HIPAA compliant, and disable those that aren’t
- Set up chat transcription to store on your practice’s servers or turn off this feature
- Disallow individuals to send or receive attachments
- Restrict who has access to the live chat solution
If moving forward with a non-HIPAA compliant service (which is not recommended), covered entities should avoid sending or receiving PHI. That includes:
- Sending information that can be interpreted as PHI
- Alluding to a patient’s unique medical cases
- Diagnosing or describing prognoses, symptoms, or courses of treatment
HIPAA-friendly ways to use a live chat solution on your website include:
- Sharing health and wellness tips
- Advertising practice closures or hour changes
- Sending practice contact information such as a phone number or email address
- Directing patients to call or email for personalized help
Google is one of the largest Internet companies in the world and boasts a large number of products. So, it’s fair to ask which products are HIPAA compliant.
Luckily, Google will sign a BAA covering certain solutions, and Google Hangouts is one of them. However, the BAA only covers the chat messaging feature and no other features found within Google Hangouts.
LiveChat is a cloud-based customer service platform with online chat, help desk software, and web analytics. The platform can be configured as a HIPAA compliant service for the Enterprise plan. Other plans are not covered.
LiveChat details a 4-step process to maintain HIPAA compliance for Enterprise users. Covered entities can still utilize this platform at other plan levels but must not transmit any form of PHI.
Freshchat is messaging software aimed towards sales and marketing engagement with customers. This solution integrates with other offerings in the company’s solution suite, including Freshsales and Freshdesk.
Freshchat offers HIPAA compliant services for its Forest plan. Customers who chose the Sprout, Blossom, Estate, or Garden plan will not have BAA coverage but can still use this service if they avoid sensitive information and PHI.
Various healthcare industry companies use SmartBot360, and the company boasts that it is HIPAA compliant. However, SmartBot360 makes no mention of signing or executing a BAA on its website. Therefore it is inconclusive if SmartBot360 is HIPAA compliant.
Olark is a cloud-based live chat solution enabling businesses to interact with their customers directly. The company states on its website that “your coverage under our Terms of Service provides protection comparable with a reasonable BAA” but will not sign a BAA agreement.
Because Olark will not sign a BAA, its service is not HIPAA compliant. Additionally, in Olark’s Terms of Service, the company states that it is not liable for stolen sensitive information, such as PHI.
ChatBot positions itself as an “all-in-one platform” to build and launch chatbots without needing to know how to code. The solution also integrates with services like Facebook Messenger.
The company makes no mention of BAAs on its website nor anything about PHI. Therefore, ChatBot is not HIPAA compliant. Covered entities who chose to use ChatBot must be sure not to send, use, or store any PHI on the platform.
Google Hangouts, Freshchat, and LiveChat offer HIPAA compliant live chat services with stipulations. SmartBot360, Olark, and ChatBot make no mention of signing a BAA on their websites and therefore are not HIPAA compliant.
Healthcare providers can use any of these platforms in a HIPAA compliant manner by avoiding any information that could be considered PHI and directing patients offline if they need personalized help.
However, by choosing a service that will sign a BAA, healthcare providers can have peace of mind with HIPAA compliance. These options offer greater flexibility with personalized conversations and PHI security.
Remember, even a name can be considered PHI, so covered entities need to be extra careful when using non-HIPAA compliant solutions.
Other HIPAA compliant direct communication methods
HIPAA compliant live chat solutions are a great addition to your practice to help send or receive information. However, covered entities should steer clear of sharing PHI on non-HIPAA compliant options.
A HIPAA compliant email solution, like Paubox Email Suite, is the best way to communicate with your patients directly. Our solution requires no change to your email behavior once installed. Simply open your email provider (such as Google Workspace or Microsoft 365) and email your patient. There is no need for additional steps or portals for your patients to log into.
Paubox Email Suite ensures that 100% of the emails you send are secure. As soon as the product is configured, all outbound emails will be encrypted.