Adding live chat options to a website is an excellent way to establish direct communication with potential and existing patients. However, it is crucial to ensure HIPAA compliance in the healthcare industry, just like with social media. You can find a comprehensive guide on Social Media & HIPAA Compliance on the Paubox blog, which contains numerous articles related to HIPAA compliance for various healthcare products and services. This article focuses on compiling our research on HIPAA compliance regarding live chat options. Let’s explore the chat options we have investigated thus far. UPDATE: In April 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the Notification of Enforcement Discretion, allowing healthcare providers to utilize commonly available communication apps, including [name of the app], for telehealth services without any risk of HIPAA fines. For more details, refer to the recent Paubox blog post.
What is HIPAA?
In recent years, there has been a growing focus on HIPAA (Health Insurance Portability and Accountability Act), a United States legislation that aims to ensure the privacy and security of medical information. The law has gained increased attention due to numerous cyber attacks and ransomware incidents that have led to breaches of health insurers and providers’ data.
President Bill Clinton signed the federal law on Aug. 21, 1996, which supersedes state laws pertaining to the security of medical information, unless the state law is deemed to be more rigorous than HIPAA.
What is the purpose of HIPAA?
HIPAA, or Public Law 104-191, serves two primary objectives: ensuring seamless health insurance coverage for employees experiencing job changes or losses, and overall cost reduction in healthcare through the standardization of electronic transmission of administrative and financial transactions. Additional goals involve the fight against abuse, fraud, and wastage in health insurance and healthcare provision, as well as enhancing accessibility to long-term care services and health insurance.
What are the 5 main components of HIPAA?
There are five sections, or titles, in HIPAA.
- Title I: HIPAA Health Insurance Reform. Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and preexisting conditions and from setting lifetime coverage limits.
- Title II: HIPAA Administrative Simplification. Title II directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
- Title III: HIPAA Tax-Related Health Provisions. Title III includes tax-related provisions and guidelines for medical care.
- Title IV: Application and Enforcement of Group Health Plan Requirements. Title IV further defines health insurance reform, including provisions for individuals with preexisting conditions and those seeking continued coverage.
- Title V: Revenue Offsets. Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.
When people talk about HIPAA compliance in healthcare, they are usually referring to the adherence of HIPAA Title II. Also referred to as the Administrative Simplification provisions, Title II encompasses the following requirements for HIPAA compliance:
- National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit National Provider Identifier number, or NPI.
- Transactions and Code Sets Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
- HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
- HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information (ePHI) sets standards for patient data security.
- HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.
Healthcare organizations may face expensive consequences due to HIPAA violations, as the HHS Office for Civil Rights (OCR), responsible for enforcing HIPAA, conducts audits and has the authority to impose penalties for noncompliance.
HIPAA Privacy Rule
The HIPAA Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information, sets the initial nationwide guidelines in the United States for safeguarding patients’ personal or protected health information (PHI).
The rule issued by HHS aims to safeguard patient privacy by placing restrictions on the use and sharing of sensitive PHI. Doctors are obligated to furnish patients with a record of every entity to which they disclose PHI for billing and administrative purposes, ensuring the smooth transmission of pertinent health information.
Healthcare providers covered by HIPAA are also obligated by the Privacy Rule to ensure that patients have the right to obtain their own PHI upon request.
Organizations classified as HIPAA-covered entities must adhere to the HIPAA Privacy Rule, which mandates that covered entities establish a contractual agreement with their HIPAA business associates. This agreement enforces specific measures to protect the confidentiality of the protected health information (PHI) handled or disclosed by the business associate.
What are HIPAA-covered entities?
HIPAA solely pertains to covered entities and their business associates.
Organizations or corporations that directly deal with PHI or PHRs are considered HIPAA-covered entities. These entities are obligated to adhere to the protection regulations set by HIPAA and the HITECH Act, which focuses on the security of PHI and PHRs.
There are three categories in which covered entities can be classified.
- Healthcare provider. Healthcare providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
- Health plan. Health plans include health insurance companies, health maintenance organizations (HMOs), company health plans and government healthcare programs, such as Medicare, Medicaid and military healthcare programs.
- Healthcare clearinghouse. Healthcare clearinghouses are entities that process nonstandard health information they receive from another entity into a standard format or vice versa. Examples include billing services and community healthcare systems for managing health data.
The HHS online tool can be utilized by entities to ascertain their status as a HIPAA-covered entity or BA, which in turn determines their obligation to comply with HIPAA.
What information is protected under HIPAA?
All individually identifiable health information that is held or transmitted by a covered entity or a BA is safeguarded by the HIPAA Privacy Rule, regardless of its format, whether it be digital, paper, or oral.
PHI includes, but is not limited to:
- a patient’s name, address, birth date, Social Security number, biometric identifiers or other personally identifiable information (PII);
- an individual’s past, present or future physical or mental health condition;
- any care provided to an individual; and
- information concerning the past, present or future payment for the care provided to the individual that identifies the patient or information for which there is a reasonable basis to believe could be used to identify the patient.
The following is not included in PHI:
- employment records, including information about education, as well as other records subject to or defined in the Family Educational Rights and Privacy Act (FERPA); and
- deidentified data, meaning data that does not identify or provide information that could identify an individual — there are no restrictions to its use or disclosure.
Examples of specific PHI consist of documents like medical records, hospital bills, or laboratory reports that contain personal information that can identify individuals, such as the patient’s name, along with health-related data.
Blood pressure or heart rate data collected by a consumer health device, such as a smartwatch, is an instance of information that is not considered PHI since it is not disclosed to a covered entity.
Administrative requirements
Covered entities must have certain administrative requirements in place as outlined by the Privacy Rule.
The following requirements are included:
- A privacy official, such as a chief privacy officer (CPO), must be appointed who is responsible for developing and implementing policies and procedures at a covered entity.
- Employees, including volunteers and trainees, must be trained on policies and procedures.
- Appropriate administrative, technical and physical safeguards must be maintained to protect the privacy of PHI in a covered entity.
- A process for individuals to make complaints concerning policies and procedures must be in place at a covered entity.
- If PHI is disclosed in violation of its policies and procedures, a covered entity must mitigate — to the furthest extent actionable — any harmful effects.
HIPAA-permitted uses and disclosures
The use or disclosure of an individual’s PHI by a covered entity is defined by the HIPAA Privacy Rule, with two conditions in which it is permitted.
- if the Privacy Rule specifically permits or requires it — if the covered entity is using the data themselves, or transmitting it to another covered entity, the Privacy Rule permits it; and
- if the subject of the information gives written authorization.
The intention of these conditions is to support the interoperability of health IT systems by ensuring timely access to electronic health information for authorized individuals. During exceptional situations, such as a national crisis like a pandemic, certain aspects of the Privacy Rule may be altered to allow disclosures of PHI that would typically be considered a breach under normal circumstances.
HIPAA Privacy Rule penalties
OCR could impose fines due to healthcare data breaches and failure to provide patients with access to their PHI, as mandated by the HIPAA Privacy Rule.
The penalties for privacy rule violations differ based on the seriousness of the offense and are classified into four distinct categories.
- Unknowing violation of HIPAA: $100 per violation, with an annual maximum of $25,000 for repeat violations.
- Violation with reasonable cause: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
- Willful neglect, where the violation is corrected within a given time period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
- Willful neglect, where the violation remains uncorrected: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
If covered entities and individuals intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule, they can face fines of up to $50,000 and imprisonment for one year. Violation of the HIPAA Privacy Rule under false pretenses could result in an increase in penalties to a fine of $100,000 and imprisonment for up to 10 years.
HIPAA compliance training programs can help organizations reduce their risk of regulatory action. Educational programs provided by OCR offer guidance on how to comply with privacy and security rules. Additionally, consultancies and training groups offer similar programs. Alternatively, healthcare providers can develop their own training programs that cover their current HIPAA privacy and security policies, the HITECH Act, mobile device management processes, and other relevant guidelines.
Although an official HIPAA compliance certification program does not exist, certification credentials can be obtained from training companies as an indication of comprehension regarding the guidelines and regulations outlined by the act.
HIPAA compliance review
To reiterate, in order to comply with HIPAA regulations, covered entities and business associates are required to have a business associate agreement (BAA). Business associates assist covered entities in adhering to the HIPAA Privacy Rule and maintaining the security of protected health information (PHI). Although certain live chat solutions are HIPAA compliant or can be customized to meet these standards, not all solutions are equal. It is important for users to exercise caution when transmitting information on these platforms. Many chat companies collect and retain personal information or chat logs, which may lead to violations of HIPAA. While making mistakes is human, errors in handling data can lead to breaches and violations of HIPAA regulations. If your practice decides to implement live chat on your website or internal communications, it is crucial to educate your staff on how to use it in a manner that is compliant with HIPAA regulations. Now, let us examine some specific companies that we have researched in terms of their compliance with HIPAA.
Live chat best practice
You and your employees are responsible for maintaining HIPAA compliance. It is crucial to understand how to configure your live chat to ensure compliance. Each option that adheres to HIPAA will come with specific configuration guidelines. Regardless of the choice, it is essential for your practice to:
- Make sure your live chat solution uses data centers in the United States
- Understand what information is considered PHI
- Double-check that all live chat integrations (such as Facebook Messenger) are HIPAA compliant, and disable those that aren’t
- Set up chat transcription to store on your practice’s servers or turn off this feature
- Do not allow users to send or receive attachments
- Restrict who has access to the live chat solution
Although it is not recommended, covered entities that choose to proceed with a non-HIPAA compliant service should avoid sending or receiving PHI. That means avoiding:
- Sending information that can be interpreted as PHI
- Alluding to a patient’s unique medical cases
- Diagnosing or describing prognoses, symptoms, or courses of treatment
There are several ways to utilize a live chat solution on your website while following HIPAA regulations.
- Sharing health and wellness tips
- Advertising practice closures or hour changes
- Sending practice contact information such as a phone number or email address
- Directing patients to call or email for personalized help
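A practical way to enforce the "avoid" list above on a chat solution that carries no BAA is a pre-send check that scans each outgoing message for the identifiers the article names as PHI and for clinical wording (diagnoses, symptoms, prescriptions, results), and blocks or redacts the message before it leaves the practice. The block below is an added example written for this article, not code from Paubox or from any of the chat vendors discussed. It is a heuristic: the regexes, the clinical vocabulary and the sample messages are constructed for illustration, and it does not attempt to recognise patient names or addresses, which need context a regex cannot supply, so it complements staff training rather than replacing it.

```python
import re
from dataclasses import dataclass

# Identifier patterns for items the article lists as PHI when tied to an
# individual: Social Security number, date of birth, medical record number.
# Constructed for this example; tune to the formats your own systems emit.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth|born)\b[^0-9]{0,10}\d{1,2}/\d{1,2}/\d{2,4}", re.I
    ),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{4,}\b", re.I),
}

# Clinical wording that signals diagnosing, prognosis, symptoms, results or
# treatment, the second "avoid" list in the article. Also a constructed list.
CLINICAL_PATTERN = re.compile(
    r"\b(?:diagnos\w*|prognos\w*|symptom\w*|prescri\w*|lab results?|"
    r"test results?|treatment\w*|dosage)\b",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    kind: str      # which rule fired, e.g. "ssn" or "clinical_content"
    excerpt: str   # the matched text, for the reviewer's audit log


def scan_message(text: str) -> list[Finding]:
    """Return every PHI-like element found in an outgoing chat message."""
    findings = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(kind, match.group(0)))
    for match in CLINICAL_PATTERN.finditer(text):
        findings.append(Finding("clinical_content", match.group(0)))
    return findings


def is_safe_to_send(text: str) -> bool:
    """True only when no identifier or clinical content was detected."""
    return not scan_message(text)


def redact_identifiers(text: str) -> str:
    """Mask identifiers before a transcript is stored or forwarded.
    Clinical wording is left in place; it is flagged, not rewritten."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text


# Constructed sample messages mirroring the article's permitted uses
# (closures, contact details, wellness tips) and its "avoid" cases.
SAFE_MESSAGES = [
    "Our office is closed Monday for the holiday; regular hours resume Tuesday.",
    "For help with your account, call the front desk at 555-0100 or email office@example.com.",
    "Tip: staying hydrated helps during hot weather.",
]
BLOCKED_MESSAGES = [
    "Hi, DOB 04/12/1985, MRN 0012345 - can you confirm my appointment?",
    "Your lab results show elevated A1C; we've prescribed metformin 500 mg daily.",
    "My SSN is 123-45-6789 for the insurance form.",
]

if __name__ == "__main__":
    for msg in SAFE_MESSAGES + BLOCKED_MESSAGES:
        verdict = "SEND" if is_safe_to_send(msg) else "BLOCK"
        print(f"{verdict}: {redact_identifiers(msg)}")
        for f in scan_message(msg):
            print(f"    - {f.kind}: {f.excerpt!r}")
```

Run as a gate in the chat client or in a proxy in front of the vendor's API: a blocked message is returned to the agent with the findings listed, and the practice's own transcript store receives the redacted form. The practice phone number in the second safe message is not matched, which is the intended behaviour, since sharing practice contact details is one of the permitted uses listed above.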
Google Hangouts
With a large number of products, Google stands as one of the biggest Internet companies globally. Therefore, it is reasonable to inquire about the HIPAA compliant products that Google offers. Referencing the comprehensive guide on Google & HIPAA Compliance, it is fortunate that Google is willing to sign a BAA for specific solutions, including Google Hangouts. Nevertheless, it is important to note that this BAA solely applies to the chat messaging feature and excludes any other features available in Google Hangouts.
LiveChat
LiveChat offers a cloud-based customer service platform that includes online chat, help desk software, and web analytics. The Enterprise plan allows configuration of the platform to meet HIPAA compliance requirements, while other plans do not offer this coverage. LiveChat presents a 4-step approach for maintaining HIPAA compliance specifically designed for Enterprise users. Covered entities can still use this platform with lower plan levels but are prohibited from transmitting any form of PHI.
Freshchat
Freshchat is messaging software designed for engaging with customers in sales and marketing. It can be integrated with other solutions in the company’s suite, such as Freshsales and Freshdesk. Freshchat provides HIPAA compliant services for its Forest plan. Customers who opt for the Sprout, Blossom, Estate, or Garden plan will not have BAA coverage but are still able to utilize this service as long as they refrain from using sensitive information and PHI.
SmartBot360
SmartBot360 is a chatbot service that provides healthcare-ready templates and customizable workflows. It seamlessly integrates with well-known platforms like HubSpot and Facebook Messenger. Numerous healthcare companies use SmartBot360, and the company claims to be HIPAA compliant. Nevertheless, the absence of any mention about signing or executing a BAA on its website makes it uncertain whether SmartBot360 is truly HIPAA compliant.
Olark
Olark offers a cloud-based live chat solution that allows businesses to directly engage with their customers. On its website, the company claims that its Terms of Service offer a level of protection similar to a reasonable BAA, but it refuses to sign a BAA agreement. Consequently, Olark’s service does not meet HIPAA compliance requirements. Moreover, according to the company’s Terms of Service, Olark cannot be held responsible for any stolen sensitive information, including PHI.
ChatBot
ChatBot presents itself as a comprehensive platform that enables users to create and deploy chatbots without any coding knowledge. It also seamlessly integrates with platforms such as Facebook Messenger. However, there is no information or reference to Business Associate Agreements (BAAs) or Protected Health Information (PHI) on the company’s website, indicating that ChatBot is not compliant with HIPAA regulations. Covered entities opting for ChatBot must ensure they refrain from transmitting, utilizing, or storing any PHI on the platform.
Conclusion
HIPAA compliant live chat services are available through Google Hangouts, Freshchat, and LiveChat, with certain conditions. However, SmartBot360, Olark, and ChatBot do not mention signing a BAA on their websites and are therefore not compliant with HIPAA. Healthcare providers can use any of these platforms in a manner that complies with HIPAA by avoiding any information that could be considered PHI and guiding patients offline for individualized assistance. Nevertheless, healthcare providers can have peace of mind regarding HIPAA compliance by selecting a service that agrees to sign a BAA. These alternatives offer more flexibility in terms of personalized conversations and PHI security. It’s important to note that even a name can be categorized as PHI, so covered entities must exercise caution when employing non-HIPAA compliant solutions.
Other HIPAA compliant direct communication methods
HIPAA compliant live chat solutions are a great addition to your practice to help send or receive information. However, covered entities should steer clear of sharing PHI on non-HIPAA compliant options. A HIPAA compliant email solution is the best way to communicate with your patients directly. Our solution requires no change to your email behavior once installed. Simply open your email provider (such as Google Workspace or Microsoft 365) and email your patient. There is no need for additional steps or portals for your patients to log into.