Text, Inc. is dedicated to supporting your compliance with HIPAA regulations by offering exclusive features that let you configure your LiveChat app and widget for HIPAA and PCI purposes.
We have prepared this guide to assist you in customizing your LiveChat app and Chat Widget to meet HIPAA and PCI standards.
Here are the key steps in getting your LiveChat Agent app and Chat Widget ready for HIPAA and PCI regulations:
- US data center hosting: Ensure your LiveChat is hosted in our US data center to comply with HIPAA’s territorial data requirements. If you’re not sure where your account is hosted, please reach out to our support team to get a confirmation.
- Chat window configuration: Disable chat transcript sharing in the Customization section to enhance privacy.
- LiveChat app settings for agents: Enhance privacy by adjusting settings to anonymize or delete chat transcripts, store transcripts on your server, and restrict file sharing and ticket form usage.
- Integration check: Scrutinize third-party integrations for compliance.
- Access control: Establish IP-restricted addresses and robust password policies for agent logins.
- BAA agreement: Sign a business associate agreement available under the qualified threshold.
These actions are essential for protecting the security and privacy of your customers’ health information within the LiveChat app.
Hosting your LiveChat within a US-based data center is essential to adhere to HIPAA’s mandates about keeping personal health information within the US. Therefore, make sure that your LiveChat license is established in our US data center. If you are uncertain, our support team is available 24/7 to assist and provide you with any necessary information regarding your current data center’s location.
By default, the LiveChat widget allows customers to send the transcript of their conversation to any email address they provide. However, for HIPAA and PCI compliance purposes, you should restrict customers from emailing chat transcripts by disabling this option as follows:
- Access the Customization section in your Chat widget settings.
- Scroll down to the Additional tweaks section of your chat widget customization.
- From the list of available tweaks, switch off the Let customers get chat transcripts option. This will prevent your customers from sending the transcript of their conversation to a chosen email address.
Once this adjustment is made, your Chat window will enhance the security of your customer interactions to align with HIPAA and PCI standards.
Now, let’s focus on adjusting the LiveChat app settings for your agents.
Text, Inc. does not directly ensure or handle your HIPAA and PCI compliance. You must manually configure your LiveChat solution so that all personal health information is kept entirely and managed securely on your end.
Your self-setup process involves a few steps that contribute to safeguarding your customers’ personal health information within the LiveChat app and the chat widget, ensuring your compliance with HIPAA and PCI guidelines:
- Setting up automated chat transcript anonymization or deletion of chat transcripts immediately after every conversation.
- Storing chat transcripts directly on your server.
- Reviewing and adjusting your LiveChat integrations for compliance.
- Deactivating the ticket form available to your customers and website visitors.
- Disabling file sharing for your agents.
- Limiting access to your LiveChat app to specific locations.
- Enforcing a strong password policy for your agents.
Enable the chat anonymization feature by setting up automated chat transcript anonymization. This keeps your access to archived chats and lets you take full advantage of LiveChat’s reporting tools while adhering to HIPAA and PCI standards.
To set it up, go to the LiveChat Marketplace, select the Chat Anonymization app, and select Install. Once this step is completed, it will ensure all archived chat transcripts are anonymized automatically.
If you prefer not to keep chat transcripts and not to use LiveChat reporting, activate an automatic deletion for each conversation upon its end. This requires setting up a webhook that deletes chats once they end.
- First, go to the Webhooks section of your Manage apps settings.
- Select Add a webhook.
- Configure it to trigger at the end of a chat. You will be prompted with a new webhook configurator. Select chat ends as the webhook event from the list of available settings.
- Select chat, visitor, and pre_chat_survey as the webhook’s data types, and insert the URL provided for chat removal into the Target URL field of the webhook’s settings.
- To finalize, select Add a webhook.
Automatically deleting chat transcripts helps protect your customer’s information and reduces the risk of data breaches on your side.
However, if you prefer to keep chat records, you can opt to store the data exclusively on your end. For guidance on how to do this, refer to the section Set up the storage of chat transcripts on your server, detailed further in our guide.
The LiveChat app allows you to integrate your license with various third-party solutions. Although these integrations enhance everyday work, you may share your customers’ personal health information with add-ons that might not adhere to HIPAA and PCI guidelines.
To avoid such situations, we advise you to check your installed integrations. You can find them on the LiveChat Marketplace under the Installed section and remove any that don’t meet the standards.
This step is vital for maintaining the privacy and security of your customer data.
How do you do that?
- First, visit the LiveChat Marketplace.
- Navigate to the Installed section.
- Here, you can check which integrations your LiveChat is linked to. If you decide that some integrations are not HIPAA- and PCI-compliant, you can uninstall them from your account. To do that, select one of your installed integrations.
- On the next screen, select Uninstall app under the ellipsis menu.
- All that is left is to check whether your LiveChat is linked with third-party software via webhooks, like Zapier. To do that, visit the Webhooks section of your Integrations settings again.
- Check which webhooks your LiveChat is linked to, and if there’s software that is not HIPAA- and PCI-compliant, simply hover your mouse over the webhook’s address and select Delete.
It’s important to note that if you or your agents choose to use AI features in LiveChat, such as AI-generated chat summaries, this may result in data processing and storage by our AI partners, who act as sub-processors selected in line with our Data Processing Addendum. Understanding this aspect of data handling is crucial, particularly for HIPAA compliance requirements, since these partners have their own data retention policies that may not always align with HIPAA standards. As such, we strongly advise that you carefully review their data practices before using AI features in LiveChat to ensure your compliance with HIPAA regulations.
Set up your server to collect chat transcripts from LiveChat directly. This automated process ensures that you have full control over the management of your customers’ personal health information after chat conversations end.
For efficient and direct transfer of chat transcripts to your server, we strongly recommend using webhooks, which provide immediate updates, allowing systems to receive information as soon as an event occurs. Alternatively, there is also an option for transcripts forwarding. Please note that transcripts are processed through our email service provider in this case.
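The following is an added example, not code from the original guide or from LiveChat, of the receiving side of the webhook approach described above: a small endpoint that accepts a "chat ends" event carrying the chat, visitor, and pre_chat_survey data types and writes the transcript to your own server. The event name (`chat_ends`), the payload field names (`secret_key`, `event_type`, `chat_id`, `data`), and the shared-secret check are assumptions for illustration; the sample payload is constructed. The example rejects events with a wrong secret, an unexpected event type, missing data types, or a chat id that is unsafe as a file name, and it writes each transcript atomically with owner-only permissions.

```python
import hmac
import json
import os
import re
import tempfile
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the shared secret configured on the webhook. Constructed value for the example;
# in production read it from a secrets store rather than hard-coding it.
WEBHOOK_SECRET = os.environ.get("LIVECHAT_WEBHOOK_SECRET", "example-shared-secret")

# Assumption: where transcripts land on your server. A temporary directory is used so the
# example runs offline; point this at an encrypted, access-controlled volume in production.
TRANSCRIPT_DIR = os.environ.get("TRANSCRIPT_DIR", tempfile.mkdtemp(prefix="chat-transcripts-"))

# The three data types the guide tells you to select on the webhook.
REQUIRED_DATA = ("chat", "visitor", "pre_chat_survey")

# Assumed event name and payload field names (not taken from LiveChat documentation).
CHAT_ENDS_EVENT = "chat_ends"


class WebhookError(ValueError):
    """Raised for any payload that must not be stored."""


def validate_event(payload: dict, secret: str = WEBHOOK_SECRET) -> dict:
    """Return the payload's data block if the event is authentic and complete."""
    # Constant-time comparison so the secret cannot be guessed byte by byte via timing.
    presented = str(payload.get("secret_key", "")).encode()
    if not hmac.compare_digest(presented, secret.encode()):
        raise WebhookError("secret mismatch")
    if payload.get("event_type") != CHAT_ENDS_EVENT:
        raise WebhookError("unexpected event type")
    data = payload.get("data")
    if not isinstance(data, dict):
        raise WebhookError("missing data block")
    missing = [k for k in REQUIRED_DATA if k not in data]
    if missing:
        raise WebhookError(f"missing data types: {missing}")
    return data


def store_transcript(payload: dict, directory: str = TRANSCRIPT_DIR,
                     secret: str = WEBHOOK_SECRET) -> str:
    """Validate the event and write its data to <directory>/<chat_id>.json; return the path."""
    data = validate_event(payload, secret)
    chat_id = str(payload.get("chat_id", ""))
    # The chat id becomes a file name, so restrict it to a safe character set (no "../").
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", chat_id):
        raise WebhookError("unsafe chat id")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"{chat_id}.json")
    record = {"received_at": datetime.now(timezone.utc).isoformat(), "data": data}
    # Write to a temp file and rename so a crash never leaves a half-written transcript.
    tmp = f"{path}.tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(record, fh)
    os.replace(tmp, path)
    os.chmod(path, 0o600)  # owner-only: the file may contain PHI
    return path


def load_transcript(path: str) -> dict:
    """Read back a stored transcript record."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def process_payload(payload: dict) -> int:
    """Map a decoded payload to the HTTP status the endpoint should answer with."""
    try:
        store_transcript(payload)
    except WebhookError as exc:
        # Log only the reason, never the payload: the body may contain PHI.
        print(f"rejected webhook: {exc}")
        return 400
    return 200


class TranscriptHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            payload = json.loads(self.rfile.read(length))
        except ValueError:
            payload = {}
        status = process_payload(payload) if isinstance(payload, dict) else 400
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):  # keep request lines out of the default access log
        pass


# Constructed sample payload in the assumed shape, for trying the functions offline.
SAMPLE_PAYLOAD = {
    "secret_key": WEBHOOK_SECRET,
    "event_type": CHAT_ENDS_EVENT,
    "chat_id": "chat-001",
    "data": {
        "chat": {"id": "chat-001", "messages": [{"author": "visitor", "text": "hello"}]},
        "visitor": {"name": "Visitor"},
        "pre_chat_survey": [],
    },
}

if __name__ == "__main__":
    print(process_payload(SAMPLE_PAYLOAD), TRANSCRIPT_DIR)
    HTTPServer(("127.0.0.1", 8080), TranscriptHandler).serve_forever()
```

Run it behind TLS (for example, behind a reverse proxy that terminates HTTPS) and point the webhook's Target URL at it; the transcripts then never pass through an email provider, which is the reason the guide prefers webhooks over transcript forwarding.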
Deactivating the ticket form in your LiveChat widget prevents customers and website visitors from submitting offline messages, thereby avoiding the collection of their sensitive information when agents are offline. This feature, a part of the older LiveChat version available until June 1, 2023, can be turned off for HIPAA compliance by following these simple steps:
- Navigate to the Ticket form section within your Forms settings.
- While there, deactivate the ticket form on your LiveChat license. If you’re using the Groups feature, please check if you’re using the ticket form on different groups as well.
- Save the changes made to your ticket form section.
Once you save these changes, the ticket form is inactive, thereby safeguarding against the processing of any personal health information left by customers during agent downtime.
Please note that you and your agents can still use the built-in ticketing system in the LiveChat app, which enables your customers and website visitors to leave messages when agents are offline. However, remember that all communications sent via the ticketing system are processed through our email service provider.
To stop your agents from sharing files (sending and receiving):
- First, access the File sharing section within your Chat settings.
- Uncheck the option for both agents and visitors to prevent file exchanges. Remember to select Save changes.
This action effectively stops file sharing, ensuring that your agents, customers, and website visitors will not receive or send any data files that can cause you a breach of the HIPAA and/or PCI regulations.
Another step you need to take is to restrict access to your LiveChat app, so that your agents can log in only from a specific location. This can be done by setting up a list of allowed IP addresses in your LiveChat’s security settings.
- Go to the Access restriction section of your LiveChat’s Security settings.
- Select the option for using specific IP addresses, and list the IPs you wish to authorize in the text area, such as your office’s IP.
- Select Save changes to finalize.
And that’s it! This configuration ensures that your agents can only log in to your LiveChat account from these approved locations, and you can rest assured that your account won’t be accessed from unverified locations.
Setting up a strict password policy for your agents should be a mandatory part of your company’s security policy. Good practice is to inform your agents that their passwords should contain at least six characters, mixing special characters, numbers, and capital and lowercase letters.
In addition, you can enhance security further by enabling one of the advanced login methods we offer, like 2-step verification with Google or Single Sign-on (SSO). This will ensure that agents use a more secure login process.
For 2-step verification with Google:
- First, proceed to the 2-Step verification section of your LiveChat’s Security settings.
- While there, select Log in with Google to link LiveChat with your Google Account.
- After linking, select Use Google Account with 2-Step Verification to log in. To apply your new password policy, select Save changes.
Now, whenever your LiveChat agents try to log in to LiveChat, they will need to use the Sign in with Google option, which makes their login process much more secure.
For businesses handling customer personal health information, it’s advisable to sign a business associate agreement (BAA) with us, mandated by HIPAA. For more details on qualifying for BAA, please refer to our pricing page here or reach out at email@example.com.
If you’d like to learn more about what steps you should take to self-configure your LiveChat solution for HIPAA and PCI compliance, feel free to initiate a chat or contact us at firstname.lastname@example.org. Our sales team is ready to assist you with the BAA process and help adjust your LiveChat to meet your HIPAA requirements.