Intercom is a messaging software-as-a-service solution that is popular among businesses that chat with their clients. There is a potential use for this software in the healthcare industry when healthcare providers and patients chat with each other. Does Intercom comply with HIPAA rules when used in connection with electronic protected health information (ePHI)?
Before HIPAA covered entities and business associates can use any software product or service with ePHI, the product or service must first satisfy the physical, technical and administrative safeguard requirements that protect the integrity, confidentiality and availability of ePHI. It must have audit and access controls in place, and data must be secured both in transit and at rest.
The company providing the product or service must be willing to enter into a business associate agreement (BAA) with the HIPAA covered entity as well. The provider must agree to fulfill the responsibilities stipulated in the BAA and the HIPAA Rules. Otherwise, both will be in violation of the HIPAA rules. The only exception is if the provider is covered by the HIPAA Conduit Exception Rule, such as ISPs. Messaging services, like Intercom, do not fall in the same category as ISPs. Hence, Intercom must sign a BAA before its services may be used with ePHI.
Intercom's terms and conditions state that it is not classified as a business associate and that it is not willing to sign a BAA with HIPAA covered entities. They specifically state that the platform is not to be used for the collection, storage, processing or transmission of sensitive personal information.
To recap: Intercom does not consider itself to be a business associate; it is not willing to sign a BAA with HIPAA covered entities; and it lacks the privacy and security controls necessary to keep ePHI safe and secure. Hence, Intercom is not HIPAA compliant. Healthcare organizations should not use this software-as-a-service solution in connection with the storage or processing of ePHI.