HIPAA compliance may not be a thrilling subject for everyone — but for our customers who need it? They really need it.
When you’re handling sensitive data like Protected Health Information (PHI), you need to ensure the tools you use adhere to the same high privacy and security standards you do.
For organizations that require HIPAA-compliant customer messaging, there’s an additional layer of complexity when it comes to evaluating tools. We know it’s not easy, so we’ve made things as simple and as clear as we can.
What is HIPAA?
HIPAA stands for the U.S. Health Insurance Portability and Accountability Act of 1996 which, among other rights and protections, requires the confidential handling of PHI, or Protected Health Information. (Electronic Protected Health Information is often abbreviated ePHI.)
This act has two main purposes: to provide individuals with greater access to their own medical records and more control over how their personally identifiable health information is used and disclosed, and to establish a national standard for the protection of sensitive patient health information.
HIPAA privacy regulations require health care providers and organizations, as well as their business associates, to follow procedures that ensure the confidentiality and security of PHI when it is transferred, received, handled, or shared.
Not all service desk solutions are created equal
There aren’t many HIPAA-compliant help desks out there, and the few that do exist often lack other features support teams need to do their work (such as robust, reliable reporting). But integrating extra apps to bridge those gaps is another can of worms, because those third-party tools also need to be HIPAA compliant.
That’s why Help Scout is often a good fit for entities that want to centralize their customer support in a HIPAA-compliant way — because in addition to advanced security and privacy standards, it’s more than a help or service desk.
Help Scout is customer service software that lets you connect with your customers via email, live chat, and in-app messaging. All incoming messages are routed into a unified shared inbox, making it easy for your team to work together to respond to patient and client needs.
Help Scout also has productivity features like saved replies to help you respond to common questions more quickly and workflows to help automate repetitive tasks. Tags and custom fields can help keep your inbox organized and can also be used for creating custom report views and workflows.
Help Scout: The HIPAA-compliant help desk software you can trust
We help our customers remain HIPAA compliant over popular channels like email, live chat, and in-app messaging in a number of ways.
Business associate agreements (BAA): Help Scout’s business associate agreements (BAAs) are posted online, and we’ll sign one upon request.
Data storage location: Help Scout is hosted on Amazon Web Services (AWS), a scalable, cloud-based computing platform with end-to-end security and built-in privacy features. AWS is HIPAA compliant, enabling covered entities subject to HIPAA to use their secure environment to process, maintain, and store protected health information. For more detailed information, see the whitepaper Architecting for HIPAA Security and Compliance on Amazon Web Services.
Uptime and data availability: We strive for a 99.99% uptime across all of our products.
User authentication: Help Scout supports two-factor authentication (2FA) access for Help Scout credentials or SSO through Google Apps. Certain plans have options for enabling authentication via any SAML-compatible identity provider.
IP restrictions: Limiting access to your Help Scout account to a predefined list of IP addresses is available with some plans.
Data security: Help Scout's internal application communications (including notes, API calls, and Beacon conversations) are encrypted over 256-bit SSL (secure sockets layer).
Content control: Through a thread options menu, you can edit, delete, or hide thread contents. This prevents that information from being sent out again or from being quoted in a future reply. This is helpful if there are multiple parties involved in one conversation.
Audits: Help Scout completes regular audits and annual risk assessments to ensure continued HIPAA compliance. This includes updating, reviewing, and testing our disaster recovery plan.
Employee training: All Help Scout employees undergo annual HIPAA training. Our team never accesses customer accounts unless we’re explicitly asked for help. Customers can also request that we never access their account for any reason.
A note about HIPAA compliance in Help Scout:
Help Scout uses standard email protocols to send messages — that’s why emails that come through Help Scout look like regular email rather than something the recipient has to sign into through a secure portal. Since it’s not a system that requires a password to open attachments, for example, there’s no guarantee that sensitive ePHI will be 100% secure and private — email can always be intercepted.
For that reason, no email help desk can ever truly declare itself HIPAA compliant, because email is inherently insecure. Organizations can, however, use Help Scout’s fully featured API to build a portal on top of ours when deemed necessary. For many smaller health tech companies or medical practices, that can be a compelling solution.
Outside of email, it should also be noted that Help Scout’s AI features, knowledge base solution (Docs), and third-party integrations are not considered to be HIPAA compliant.
HIPAA compliance FAQs
Still have questions about HIPAA compliance? Here are some answers to a few FAQs.
What are the key components of HIPAA?
The key components of HIPAA are:
Protected Health Information (PHI): This refers to any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted broadly and includes any part of a patient's medical record or payment history.
Electronic Protected Health Information (ePHI): As electronic health records became more prevalent, the need to protect digital patient information grew. Any PHI that is produced, saved, transferred, or received in electronic form counts as ePHI.
HIPAA Privacy Rule: This rule provides federal protections for PHI held by covered entities and gives patients various rights with respect to that information. It also permits the disclosure of PHI needed for patient care and other crucial purposes.
HIPAA Security Rule: This rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Help Scout maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act and is able to process, maintain, and store protected health information for entities covered by these regulations.
What is a business associate agreement (BAA)?
A business associate agreement, or BAA, is a contract signed by two business entities that outlines the responsibilities of each party in upholding HIPAA standards and keeping PHI safe and confidential.
You can read more about them on the Health and Human Services (HHS) website.
HIPAA requirements: What makes a help desk HIPAA compliant?
While not all help desks meet the law’s standards out of the box, many can be configured to be compliant with HIPAA guidelines. Here are some things to look for:
Robust data security: Electronic data must be encrypted, and any hosting services used by your help desk provider must also provide a high level of physical security.
Reliable uptime: Patients must have reliable access to their ePHI, meaning you need to ensure that any provider you choose is dependable.
Data location: Data must be stored in the U.S. to be HIPAA compliant.
Access restrictions: Communication platforms should offer ways to protect access to PHI, such as 2FA, IP restrictions, SSL certificates, etc.
Business associate agreements (BAA): The help desk you choose should be willing to sign a BAA with your company.
Keep in mind that following the guidelines above does not in and of itself make your organization or your help desk solution HIPAA compliant. Always consult with an expert when setting up new systems for your organization.
What are some examples of HIPAA violations?
To help illustrate what a HIPAA violation might look like when it comes to patient communications, here are two examples:
Sharing a login: It’s common for small businesses to manage client requests via a free or inexpensive email service such as Gmail. Some may even share login credentials amongst the team. HIPAA requires that individuals only have access to the PHI they need to do their job — in this case, helping customers. Sharing a login could lead to unauthorized access to PHI and, ultimately, a HIPAA violation.
Unattended or lost devices: While working remotely has grown more common in recent years, it can spell trouble for businesses that must adhere to HIPAA’s required security guidelines. Lost or unattended work devices can potentially lead to unauthorized access to PHI by family, friends, or bad actors.
Platforms like Help Scout can help minimize your exposure to these types of HIPAA violations through features like individual user profiles with roles and permissions, and plans that include IP restrictions.
Where can I read more about Help Scout and HIPAA compliance?
Keeping the human touch: Help Scout takes the ticket out of ticketing systems
Just because you’re accountable to rules and regulations doesn’t mean your email support has to be impersonal.
You can comply with HIPAA regulations and treat your customers and other stakeholders like the humans they are.
The unfortunate side effect of many help desks is that the customer experience suffers. Users encounter barriers instead of frictionless communication, and every customer who starts a conversation is constantly reminded that their “ticket” is being processed.
The best help desk software is the one your customers don't even notice. There is something about a plain text email that is friendly and familiar. We send these emails to our friends, co-workers, and family members. We don’t send them aggressively stylized, amorphous pamphlets that place design over function.
When your customers receive emails from you, the fact that it looks like any other email means that it doesn’t place a visual barrier between them and your company — you get to have a personal conversation with a human touch.
Patients deserve to have their personal information and medical records protected, but nothing about those protections precludes health care providers from treating them like humans. To that end, health care organizations and Help Scout share the same goal: helping people.
Talk to our friendly team to discover whether Help Scout might be the right HIPAA-compliant help desk for you.