Intercom’s messaging software-as-a-service solutions are popular with businesses for chatting with potential customers. The solutions have potential for use in the healthcare industry for chatting with patients, but is Intercom HIPAA compliant? Can the company’s solutions be used in connection with electronic protected health information or would that constitute a violation of HIPAA Rules?
Is Intercom Prepared to Sign a Business Associate Agreement?
HIPAA covered entities and their businesses are only permitted to use software products and services in connection with electronic protected health information if there are safeguards in place to protect the confidentiality, integrity, and availability of ePHI. Any software platform must incorporate audit and access controls and data must be appropriately secured in transit and at rest.
Before software-as-a-service can be used to send or store ePHI, a HIPAA covered entity must enter into a business associate agreement with the service provider in which the company’s responsibilities under HIPAA are explained.
There are exceptions for certain service providers such as ISPs. ISPs are exempt under the HIPAA Conduit Exception Rule. Messaging services such as those provided by Intercom are not exempt and business associate agreements would need to be obtained before the service can be used.
In Intercom’s terms and conditions it is made clear that Intercom does not consider itself a business associate and will not sign a business associate agreement with HIPAA covered entities. The company also explains that the platform should not be used for collecting, storing, processing, or transmitting sensitive personal information.
Is Intercom HIPAA Compliant?
At present, Intercom does not class itself as a business associate and will not sign a business associate agreement with HIPAA covered entities. The platform also lacks the privacy and security controls necessary for it to be used in connection with electronic protected health information.
Consequently, Intercom is not HIPAA compliant and should not be used by healthcare organizations for sending or storing any ePHI.