HIPAA compliance may not be a thrilling subject for everyone — but for our customers who need it? They really need it.
When you’re handling sensitive data like Protected Health Information (PHI), you need to ensure the tools you use adhere to the same high privacy and security standards you do.
For organizations that require HIPAA-compliant customer messaging, there’s an additional layer of complexity when it comes to evaluating tools. We know it’s not easy, so we try to make things as simple and clear as we can.
What is HIPAA?
HIPAA stands for the U.S. Health Insurance Portability and Accountability Act of 1996, which, among other rights and protections, requires the confidential handling of PHI, or Protected Health Information. (Electronic Protected Health Information is often abbreviated ePHI.)
The HIPAA privacy regulations require health care providers and organizations, as well as their business associates, to follow procedures that ensure the confidentiality and security of PHI when it is transferred, received, handled, or shared.
Help Scout maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act and is able to process, maintain, and store protected health information for any entities restricted by these regulations.
A HIPAA-compliant help desk
Help Scout uses standard email protocols to send messages — that’s why emails that come through Help Scout look like a regular email, rather than a link the recipient has to follow into a secure portal. Because there is no password gate in front of the message or its attachments, there’s no guarantee that sensitive ePHI will be 100% secure and private: email can be intercepted in transit or read from a compromised mailbox. For that reason, no email help desk can ever truly declare itself HIPAA-compliant, because email is inherently insecure. Organizations can, however, use Help Scout’s fully featured API to build a portal on top of ours when deemed necessary. For many smaller health tech companies or medical practices, that can be a compelling solution.
Help Scout’s HIPAA compliance consists of expunging PHI from email notifications. We take every possible measure to comply with HIPAA regulations, which means we:
Conduct annual risk assessments that include
Running through how Help Scout aligns with every compliance regulation we currently adhere to, and reviewing any upcoming regulations or changes to existing ones
Performing a PCI DSS requirements review
Updating, reviewing and testing our Disaster Recovery plan.
Take exceptional care to secure and encrypt data — we enforce the same level of encryption that banks and other financial institutions do. Help Scout is hosted on Amazon Web Services (AWS), a scalable cloud-based computing platform with end-to-end security and privacy features built in. (AWS is HIPAA-compliant, enabling covered entities subject to HIPAA to use their secure environment to process, maintain, and store protected health information. For more detailed information, see the whitepaper Architecting for HIPAA Security and Compliance on Amazon Web Services.)
Are happy to answer any security questionnaires our customers’ organizations require.
Provide our business associate agreement (BAA) and sign it upon request. After it’s signed, we turn on a set of features on your Help Scout account that removes identifying information from any notifications.
Require every Help Scout employee who supports our customers (and because we practice whole-company support, that’s all of us!) to complete HIPAA training each year. Of course, we never access customer accounts unless we’re explicitly asked for help. (Customers can also request that we never access their account for any reason, period.)
We currently use Accountable for our annual employee HIPAA training.
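To make the notification-scrubbing idea concrete, here is an added example that is not Help Scout’s own code. It assumes a hypothetical conversation record with customer name, email, subject and latest reply fields, and a hypothetical deep-link URL. When the PHI-safe flag is on, the outbound email notification carries only a conversation number and a sign-in link, so the content that may contain PHI stays behind the authenticated help desk instead of travelling over email.

```python
from dataclasses import dataclass
from typing import Dict

# Hypothetical shape of a help desk conversation; field names are assumptions.
@dataclass(frozen=True)
class Conversation:
    conversation_id: int
    customer_name: str
    customer_email: str
    subject: str
    latest_reply: str


def build_notification(
    convo: Conversation,
    phi_safe: bool,
    base_url: str = "https://helpdesk.example/conversations",  # assumed deep link
) -> Dict[str, str]:
    """Return the subject and body of an agent notification email.

    With phi_safe=False the email mirrors the conversation, which is convenient
    but means any PHI the customer typed leaves the system over plain email.
    With phi_safe=True the email only says that something happened and where
    to sign in to read it (the minimum necessary to act on the notification).
    """
    link = f"{base_url}/{convo.conversation_id}"
    if not phi_safe:
        return {
            "subject": f"[{convo.customer_name}] {convo.subject}",
            "body": (
                f"{convo.customer_name} <{convo.customer_email}> wrote:\n\n"
                f"{convo.latest_reply}\n\nReply here: {link}"
            ),
        }
    return {
        "subject": f"New activity on conversation #{convo.conversation_id}",
        "body": f"A conversation you follow has a new reply. Sign in to read it: {link}",
    }


def leaks_identifiers(notification: Dict[str, str], convo: Conversation) -> bool:
    """Check a rendered notification for any customer-supplied field.

    Useful as a unit test or a pre-send guard: if any of the customer's
    identifying or free-text fields appear in the email, the scrubbing failed.
    """
    text = notification["subject"] + "\n" + notification["body"]
    fields = (convo.customer_name, convo.customer_email, convo.subject, convo.latest_reply)
    return any(field and field in text for field in fields)


# Constructed sample conversation; the content is invented for the example.
SAMPLE = Conversation(
    conversation_id=48213,
    customer_name="Jane Roe",
    customer_email="jane.roe@example.org",
    subject="Question about my MRI results",
    latest_reply="My scan on March 3rd showed a lesion; can I get a copy of the report?",
)

if __name__ == "__main__":
    for flag in (False, True):
        note = build_notification(SAMPLE, phi_safe=flag)
        print(f"phi_safe={flag}: leaks identifiers? {leaks_identifiers(note, SAMPLE)}")
        print(note["subject"])
        print(note["body"])
        print("-" * 40)
```

The guard function is the part worth keeping around: any template change that reintroduces a customer field into the email will fail it, which is the kind of regression a BAA-backed feature should be tested against rather than assumed.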
Not all customer messaging software is created equal
There aren’t many HIPAA-compliant help desks out there, and the few that do exist often lack other features support teams need to do their work (such as robust, reliable reporting). But integrating extra apps to bridge those gaps is another can of worms, because those third-party tools also need to be HIPAA-compliant.
That’s why Help Scout is often a good fit for entities who want to centralize their customer support in a HIPAA-compliant way — because in addition to high security and privacy standards, it’s more than a help desk. It’s customer service software that also includes Beacon, the embeddable widget that allows you to connect your customers to your knowledge base, your shared inbox, live chat, and in-app messaging (which is less email-reliant and therefore even safer to use).
Keeping the human touch
Just because you’re accountable to rules and regulations doesn’t mean your email support has to be impersonal.
You can comply with HIPAA regulations and treat your customers and other stakeholders like the humans they are.
The unfortunate side effect of many help desks is that the customer experience suffers. Users encounter barriers instead of frictionless communication; every customer who starts a conversation has the fact that their “ticket” is being processed shoved in their face.
The best help desk software is the one your customers don't even notice. There is something about a plain text email that is friendly and familiar. We send these emails to our friends, co-workers, and family members. We don’t send them aggressively stylized, amorphous pamphlets that place design over function.
When your customers receive emails from you, the fact that it looks like any other email means that it doesn’t place a visual barrier between them and your company — you get to have a personal conversation with a human touch.
Patients deserve to have their personal information protected, but nothing about those protections precludes health care providers from treating them like humans. To that end, health care organizations and Help Scout share the same goal: helping people.
Talk to our friendly team about how Help Scout just might be the HIPAA-compliant help desk of your dreams.