Is Intercom HIPAA Compliant?
Intercom is HIPAA compliant and can be used to collect, store, and process electronic Protected Health Information (ePHI) provided organizations subscribe to an “Expert” business plan and agree to the terms of Intercom’s Business Associate Agreement. Thereafter, it is important the software is configured to support HIPAA compliance and that users are trained to operate Intercom in compliance with HIPAA.
Intercom is a customer service and engagement solution that enables organizations to provide top-quality support for customers via multiple communication channels. Depending on which business plan an organization subscribes to, the platform can provide proactive support with in-context messaging, an AI-powered workspace, and automated workflows. At the highest “Expert” level, Intercom includes advanced collaboration, security, and reporting tools for large support teams.
For organizations in the healthcare sector, customer service and engagement solutions such as Intercom can significantly reduce the volume of resources required to run an efficient support center while providing insights into customer requirements and expectations. However, in order to obtain the maximum benefit, it will be necessary to accommodate disclosures of ePHI. In order to accommodate disclosures of this nature, it is necessary for Intercom to be HIPAA compliant.
Is Intercom HIPAA Compliant?
Intercom is HIPAA compliant, but only when organizations subscribe to an “Expert” business plan and agree to the terms of Intercom’s Business Associate Agreement. This is because the business plans below the “Expert” level (“Essential” and “Advanced”) lack the controls and functionalities to comply with the Administrative and Technical Safeguards of the Security Rule. For example, features such as customizable roles, identity management, and SSO are only available in the “Expert” business plan.
With regard to the Business Associate Agreement, Intercom’s Terms of Service (Clause §3.5(b)) prohibit the collection, storage, processing, or transmission of ePHI without a Business Associate Agreement being in place. Copies of Intercom’s Business Associate Agreement and HIPAA Security Rule Attestation Report can be requested for review during the fourteen-day trial period, but the Agreement must be signed before the platform is used to collect, store, process, or transmit ePHI.
Software Configuration and User Training
Because different organizations use Intercom in different ways, there is no one-size-fits-all guide to making Intercom HIPAA compliant. However, Intercom has a large online library of Help and How-To articles supported by an Academy, on-demand webinars and demos, and the Intercom Community pages where customers can ask questions and connect with product experts. The information required to make Intercom HIPAA compliant takes a little navigation, but it is all there.
With regard to user training, the nature of Security Rule HIPAA training will vary depending on which features of the platform are being utilized and how they are configured. In all cases in which members of the workforce will interact with members of the public via Intercom, it will be necessary to provide Privacy Rule HIPAA training on topics such as verifying the identity of an online contact, permissible disclosures of Protected Health Information, and the minimum necessary standard.
Other Considerations When Using Intercom
Depending on how the platform will be used, the most important consideration when using Intercom is the channels that will be used to communicate with patients. Intercom supports communications via channels such as SMS, email, and WhatsApp, none of which are HIPAA compliant by default. Organizations may have to subscribe to a HIPAA-compliant communication service (e.g., an encrypted email service) or obtain patients’ consent to continue communicating via an unsecured channel.
Organizations will also have to enter into Business Associate Agreements with any third-party integrations to which, or through which, ePHI is transmitted, for example Salesforce, Marketo, and Zendesk. Organizations that require assistance with managing configurations, workforce training, and Business Associate Agreements with third-party integrations are advised to reach out to Intercom’s sales team or speak with a HIPAA compliance expert.