
What Makes Live Chat HIPAA Compliant … or Not?

Learn why today’s leading live chat platforms might be missing those two magic words – and the questions to ask as a result.

Handling patients’ health information is necessary for many organizations’ operations, from long-term care facilities and doctor’s offices to health insurance providers and managed medical service providers. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted as federal law to ensure providers and related operations had enough access to the information they need to do their jobs, while also protecting the privacy of encrypted data related to patient health.

How to Ensure Live Chat Protects Sensitive Information

If you are a “covered entity” under HIPAA, you must comply with the limits and conditions on the uses and disclosures of protected health information (PHI) and ensure the security of the PHI handled through your live chat platform. PHI includes any information about health status, provision of health care, or payment for health care that is created or collected by your company or business associate and can be linked to a specific individual.

In most cases, as a covered entity, when you engage with a business associate to carry out your health care functions, a business associate contract or other arrangement must be made to ensure that the associate complies with HIPAA requirements and is fully audited to protect the privacy and security of PHI.

When Live Chat is Not HIPAA Compliant

Couriers & Conduits

Think of the US Postal Service and private couriers, who may transmit documents containing PHI with a very small probability of exposure. USPS is an example of a “conduit,” or an entity that transports information but does not access it other than on a random or infrequent basis as necessary to perform their function or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any protected health information to a conduit is very small, the conduit is not considered a business associate under HIPAA.

A live chat provider may also be considered a “conduit” if there are no plans for PHI to be stored on the live chat provider’s server. Many live chat providers, therefore, facilitate the storage of chat-related information on a secure server of the client’s choice. In this “server-of-choice” arrangement, live chat software providers simply act as “conduits” of the data that is being transmitted over their platforms.


For companies working in health care industries or with medical information, minimizing risk by avoiding the storage of protected health data on external servers is often the preferred way of doing business.

Server-of-choice has become an increasingly popular model in recent years and plenty of live chat providers have written about why they’re not specifically “HIPAA compliant,” pointing to the conduit treatment of PHI as enough protection. However, given an upward trend in data breaches in the healthcare sector, many healthcare organizations are more cautious about live chat security as it relates to the exchange of sensitive information about patients and PHI data.

It is important to bear in mind that even though your live chat provider may not be storing protected health information, they’re still handling it. As such, the platform should have safeguards that prevent unauthorized parties from intercepting PHI and that ensure chat-related information and transcripts are archived in a proper manner.

Protecting Your HIPAA Compliance

Reputable live chat platforms pave the way for your organization’s HIPAA compliance through a comprehensive set of features that are both secure and user-friendly. Regardless of whether the platform claims to be HIPAA compliant or not, these are the questions you should be asking to protect the HIPAA-compliant status of your organization.

Where will my data be stored?

Exceptional live chat platforms present the server-of-choice capability as a user-friendly interface, where administrators simply click to select their preferred cloud storage provider (e.g., Amazon Web Services, Microsoft Azure) from within the application. This allows you to maintain control over where your data resides while eliminating time-consuming back-end configuration and reducing lead time in the implementation process.

What is the user authentication process?

Your login screen is, in many ways, the gatekeeper of your live chat platform. The processes that power this interface are critical to keeping protected health information out of the wrong hands. Inquire about your live chat provider’s password management options, including character requirements and password expiration. Two-factor authentication is also an option to look for. Often employed by systems where sensitive information is being managed, this feature requires the user to pass two checkpoints to gain access. IP-based login restrictions are also available through some live chat systems to provide an added layer of access control and data security.
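The three controls above (IP-based login restrictions, password expiration and character requirements, and a second factor) can be combined into one login policy check. The code below is an added example, not any live chat vendor's implementation; the network ranges, 90-day maximum password age and 12-character minimum are assumed policy values, and the timestamps are constructed for the demonstration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed admin policy values (example settings, not a vendor's defaults).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
PASSWORD_MAX_AGE = timedelta(days=90)
MIN_PASSWORD_LENGTH = 12
MIN_CHARACTER_CLASSES = 3  # out of: lowercase, uppercase, digit, symbol

# Constructed timestamps used to exercise the policy below.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RECENT_CHANGE = NOW - timedelta(days=10)
STALE_CHANGE = NOW - timedelta(days=120)

def ip_allowed(client_ip: str) -> bool:
    """IP-based login restriction: the source address must fall inside an allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(addr in net for net in ALLOWED_NETWORKS)

def password_meets_requirements(password: str) -> bool:
    """Character requirements, enforced when a password is set or changed."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= MIN_CHARACTER_CLASSES

def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Password expiration: the user must reset once the password is older than policy allows."""
    return now - last_changed > PASSWORD_MAX_AGE

def login_denial_reasons(client_ip: str, password_last_changed: datetime,
                         second_factor_verified: bool, now: datetime) -> list:
    """Return every policy failure for a login whose password already verified.

    An empty list means access is granted. All failures are collected, not just the
    first one found, so the audit log records the full picture of a denied attempt.
    """
    reasons = []
    if not ip_allowed(client_ip):
        reasons.append("ip_not_in_allowlist")
    if password_expired(password_last_changed, now):
        reasons.append("password_expired")
    if not second_factor_verified:
        reasons.append("second_factor_required")
    return reasons
```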

How will transmitted data be secured?

When you’re handling sensitive customer information and potentially protected health information, keeping your data secure must be your top priority. Look for live chat platforms that offer Advanced Encryption Standard (AES) symmetric encryption, encrypting all chats and transactions recorded within the system using 256-bit SSL (Secure Sockets Layer) standards. Ask about firewalls, intrusion detection systems, application content filters, anti-virus software and other mechanisms that prevent unauthorized access and defend against the injection of malicious and potentially harmful content.

How can I minimize access to sensitive information?

Data masking, a feature offered by industry-leading live chat platforms, prevents sensitive information, like a credit card number, from being viewed by replacing the appropriate text with X’s. Typically, this is offered as an option both within a live chat interaction and within the chat archive, allowing you to minimize exposure of private information both during and after the chat session. Additional options, such as disabling copy and paste within the live chat platform, can also help reduce the risk of sensitive information being distributed.
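The masking described above, as an added example that is not code from the original post or from any live chat product: candidate card numbers in a chat transcript are located by pattern, confirmed with the Luhn checksum so that ordinary digit runs (member IDs, phone numbers) are left intact, and every digit of a confirmed card number is replaced with an X before the line is shown to the agent or written to the archive. The transcript lines are constructed sample data.

```python
import re

# Constructed sample transcript (the card number is a well-known test value, not real data).
SAMPLE_TRANSCRIPT = [
    "agent: Can you confirm the card on file?",
    "visitor: Sure, it's 4111 1111 1111 1111, expiring 09/27.",
    "visitor: My member ID is 123456789 and my phone is 555-0100.",
]

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_card_numbers(text: str) -> str:
    """Replace each digit of every Luhn-valid card number in text with an X."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number: leave identifiers and phone numbers alone
        # Keep the separators so the masked value has the same layout as the original.
        return re.sub(r"\d", "X", raw)
    return CARD_CANDIDATE.sub(_mask, text)

def mask_transcript(lines):
    """Apply masking to every line, for both the live view and the archived copy."""
    return [mask_card_numbers(line) for line in lines]
```

Applied to the sample, only the second line changes, to "visitor: Sure, it's XXXX XXXX XXXX XXXX, expiring 09/27."; the member ID and phone number on the third line do not pass the length and Luhn checks and are untouched.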

Secure and Flexible Live Chat

Live chat has become a mainstream asset for savvy businesses across industries – and health care is no exception. However, if you handle health information and are a covered entity under HIPAA, compliance should prompt some additional considerations as you vet live chat platforms. Do your research and ask the right questions. By choosing an experienced and flexible live chat partner, you’ll ensure the security of your interactions without sacrificing the features that make live chat such a valuable tool for both your customers and your organization.
