March 17, 2018
Intercom’s messaging software-as-a-service solutions are popular with companies for conversing with prospective customers. The solutions could also be used in the healthcare industry for communicating with patients, but is Intercom HIPAA compliant? Can the company’s solutions be used in connection with electronic protected health information (ePHI), or would that be a violation of HIPAA Rules?
Is Intercom Ready to Sign a Business Associate Agreement?
HIPAA covered entities and their business associates are only permitted to use software products and services in connection with electronic protected health information if safeguards are in place to protect the confidentiality, integrity, and availability of ePHI. Any software platform must include audit and access controls, and data must be properly secured both in transit and at rest.
Before a software-as-a-service platform can be used to transmit or store ePHI, a HIPAA covered entity must enter into a business associate agreement with the service provider in which the provider’s responsibilities under HIPAA are set out.
There are exceptions for certain service providers such as ISPs, which are exempt under the HIPAA Conduit Exception Rule. Messaging services such as those provided by Intercom are not exempt, and a business associate agreement would need to be obtained before the service could be used.
In Intercom’s terms and conditions, it is made clear that Intercom does not consider itself a business associate and will not sign a business associate agreement with HIPAA covered entities. The company also states that the platform must not be used for collecting, storing, processing, or transmitting sensitive personal information.
Is Intercom HIPAA Compliant?
Presently, Intercom does not classify itself as a business associate, will not sign a business associate agreement with HIPAA covered entities, and its platform does not have the privacy and security controls required for use in connection with electronic protected health information.
As a result, Intercom is not HIPAA compliant and must not be used by healthcare organizations for sending or storing any ePHI.