Intercom can be HIPAA compliant for electronic Protected Health Information only when four conditions are met: the organization subscribes to the Expert business plan, signs Intercom’s Business Associate Agreement before any use with electronic Protected Health Information, configures the platform to support HIPAA compliance, and trains workforce members on compliant use.
Intercom is a customer service and engagement platform that supports support workflows and communications across multiple channels. In healthcare operations, support interactions can include electronic Protected Health Information provided by patients or plan members. Intercom’s Terms of Service prohibit the collection, storage, processing, or transmission of electronic Protected Health Information unless a Business Associate Agreement is in place.
Intercom’s HIPAA-compliant use is limited to the Expert business plan. The Essential and Advanced plans are described as lacking controls and functionality needed to support the HIPAA Security Rule Administrative Safeguards and HIPAA Security Rule Technical Safeguards. The Expert plan includes features such as customizable roles, identity management, and single sign-on that support access governance and authentication.
The Business Associate Agreement must be executed before any electronic Protected Health Information is entered into Intercom. Intercom indicates that copies of its Business Associate Agreement and its HIPAA Security Rule Attestation Report can be requested during the fourteen-day trial period for review, but the agreement still must be signed before the platform is used to collect, store, process, or transmit electronic Protected Health Information.
Configuration and training remain customer responsibilities. Settings should align with the organization’s risk analysis and intended workflows. Training for users who communicate with members of the public through Intercom should address identity verification, permissible disclosures under the HIPAA Privacy Rule, and the HIPAA Minimum Necessary Rule.
Channel selection and integrations require additional controls. Intercom supports SMS, email, and WhatsApp, but these channels are not HIPAA compliant by default. Organizations may need a compliant communication service for the channel, or documented patient consent to continue communicating through an unsecured channel. Integrations that transmit electronic Protected Health Information require separate Business Associate Agreements with the integration providers.
