By Jonathan Bryant on Sep 21, 2020 1:49:55 PM
Maintaining compliance with the Health Insurance Portability and Accountability Act of 1996 is an ongoing battle, especially when myths circulate and cause confusion. When it comes to live chat and HIPAA, several myths are out there that are easily debunked with accurate information. Keep live chat HIPAA compliant by knowing fact from fiction, and protect your clients and patients, and your reputation.
Myth: A HIPAA business associate contract isn’t necessary for a live chat provider.
Anytime a HIPAA covered entity engages the services of another person or business to assist with protected health information, that person or company becomes a “business associate” and as such must sign a business associate contract.
According to the U.S. Department of Health & Human Services, the business associate contract “serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.”
Not only is a business associate contract required by law, it’s also a sign of good faith on the part of the service provider to comply with all of the requirements of HIPAA and to accept the responsibility of maintaining that compliance throughout the life of the contract.
Equally important to note is that a business associate contract makes the service provider “directly liable” for failing to safeguard PHI, including electronic PHI, and thus subject to civil and even criminal penalties under HIPAA.
Myth: HIPAA only applies to written PHI.
HIPAA covers all PHI, whether verbal, written or electronic. The original intent of HIPAA, in 1996, was to set national standards for protecting the privacy and security of certain health information. At the time, new technologies were expanding how PHI (aka, “individually identifiable health information”) was gathered, transmitted and maintained, making legal protection more essential than ever before.
Today, hand-written charts are the exception, and electronic information is the norm. But that doesn’t mean a spoken conversation or information on paper is any less protected by HIPAA. Specifically, the HIPAA Privacy Rule states:
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
“The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.”
Myth: “The cloud” is inherently HIPAA compliant.
The cloud is only as safe as the cloud service provider makes it, so HIPAA compliance must be proven and maintained. Covered entities are responsible for gaining the level of knowledge regarding that “cloud computing environment or solution” necessary to adequately conduct a risk analysis, create appropriate risk management policies, and develop a business associate contract with the cloud service provider.
In addition, any Service Level Agreement used to cover general expectations, should also include HIPAA compliance aspects, including:
- “System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention and disclosure limitations.”
Moreover, any SLAs entered into with a cloud service provider should also be in compliance with any business associate contracts and with the HIPAA regulation as a whole. The National Institute of Standards and Technology provides additional information about cloud computing in “NIST SP 800-146, Cloud Computing Synopsis and Recommendations.”
Myth: Live chat does not require that visitors receive privacy notices.
Just as if a client or patient were face-to-face in the office, encounters that are electronic (including live chat conversations) are covered under HIPAA. In the case of live chat, the privacy notice can be “sent electronically automatically and contemporaneously in response to the individual’s first request for service. In this situation, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice.” Learn more about privacy notices in this HHS FAQ.
Myth: HIPAA rules aren’t really enforced.
HIPPA enforcement is an ongoing activity conducted by the Office of Civil Rights, or in the case of criminal violations, the Department of Justice. In many cases the violation is simply corrected and closed, however, fines may be assessed and in some cases jail or prison sentences as well. For an in-depth look at HIPAA enforcement, our blog, “Steep Price of Failing to Ensure Your Live Chat is HIPAA Compliant,” which describes common violations as well as penalties for civil and criminal violations.
In this age of misinformation everywhere, it’s important to know the facts when it comes to HIPAA compliance and to work with a live chat provider that does the same. Find out today how Site Staff can make live chat a seamless and compliant addition to your website with a 30-Day Free Trial.