Home > Knowing your HIPAA compliant account
(Last Updated On: September 11, 2019)
SnapEngage supports its clients’ compliance with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Customers who are subject to HIPAA and wish to use SnapEngage with Protected Health Information (PHI), can set up a HIPAA compliant SnapEngage account. Common business types that may need HIPAA compliance include:
- Health care providers (hospitals, clinics, independent health care providers) who process transactions electronically.
- Health insurance companies.
- Business associates (third parties or any other professional) with access to patient information data.
This feature is available on all SnapEngage plans. It requires that our client signs a Business Associate Agreement (BAA) with SnapEngage. HIPAA compliance is not available during the free trial. If you wish to review a copy of our BAA template please send us an email to firstname.lastname@example.org or start a chat with us here.
We have taken many steps to ensure that our policies and procedures for data handling are in compliance with the statutes that HIPAA has put around PHI. A HIPAA account has, by default, some of the “Extra security” options (under the Options tab) enabled. Those options cannot be disabled for a HIPAA account and that is what the “Disabled for HIPAA compliance” message indicates.
1. Enforce encryption (SSL) to view support request
With this option selected, one can open and view cases in the Logs tab only by using https rather than http. That means that any data you exchange with your clients / web-visitors through chat, gets encrypted and in the unlikely occasion that someone else, apart from you, would try to view the transcript they would only see strings of random-looking characters.
2. Require sign in to view support request
With this option selected, one can only access the transcripts under your “Logs” after they log in as an administrator.
3. Access Rules (Available on Enterprise plans)
To help ensure that your account is as secure as possible, we have released some new restrictive access settings, which can be set by the main account owner under My Account -> Security -> Access Rules:
For your HIPAA compliant account, you need to make use of 3 of the above settings in order to ensure you are compliant:
- Automatically sign out the agent or admin when they are inactive – This will ensure that if a device is left open, access will not be granted. Once you enable this option, you will be able to select a time range of inactivity. This will vary for each company, so it is best to check with your HIPAA expert to know which option to select. After enabling this option, the feature will take effect only after the agents and admin sign out and in again once.
- Automatically sign out the agent or admin when their device IP address changes – This will ensure that if an agent is switching network (for example when taking a laptop logged in SnapEngage from a work network to a home network), or if the current network IP address changes, they will be required to log in again.
- Users can have only one active session per device – This means that if a visitor signs in via another device (be it another browser within the same device, or a different device entirely), they will be signed out of any other active sessions.
Last, integration logs are not stored for all cases on HIPAA-enabled accounts. This is not a customizable feature.
There are some features that you would be allowed to use and that are not HIPAA compliant. To make sure that your account abides by HIPPA standards, please make sure those features are not being used:
1.Secure Data Transfer allows your agents to safely collect confidential information from your visitors right in the chat window. For HIPAA compliant accounts however, only the two credit card related options can be used since with those two, no PHI information can be shared. The “Social Security Number” and the “Secure Note” options cannot be enabled. The feature is to be found right below the “File Exchange” section.
2. Communication Channels and SMS Live Chat which allows your visitors to reach you via different channels such as sending a text message from any mobile device, Facebook Messenger or WeChat. You can read more about HIPAA regulations for SMS here where you will also read that most SMS are not HIPAA compliant “because they are not encrypted, cannot be recalled if sent to the wrong recipient, and can be intercepted on public Wi-Fi networks”. The same reasons may apply to WeChat and Facebook Messenger.
3.Team Chat enables agents to start 1-1 (or team) chats with each other. Although team chat will only include communication among your colleagues and not your clients, you want to make sure that your chat agents do not share any PHI information in it. That is why you should ask your agents not to use Team Chat.
4. File Exchange is only HIPAA compliant if the file is sent by the visitor. The agents will be trained in HIPAA compliance, so they will be able to handle customer’s information. You can enable file transfer for agents only, by going to Settings -> Options, and opting for the following:
Published October 11, 2016