April 3, 2024
5 min read

Is Intercom HIPAA Compliant?

Learn how Intercom can be used to handle sensitive PHI in compliance with HIPAA standards.


TL;DR

  • Intercom is a customer service platform offering omnichannel messaging. The platform is only fully HIPAA compliant for organizations subscribed to the ‘Expert’ plan.
  • It is possible to handle sensitive data such as PHI within Intercom provided you configure your Intercom plan appropriately, and train employees on HIPAA’s Privacy Rule.
  • Intercom will sign a BAA with covered entities and business associates, a necessary component of HIPAA compliance.
  • Despite various security features, the use of Intercom to handle sensitive data and PHI presents certain compliance risks, particularly in terms of unauthorized access and insider threats. To improve the safeguarding of sensitive PHI within Intercom, healthcare organizations are advised to use a Data Loss Prevention (DLP) solution.
  • Strac Intercom DLP automatically detects and redacts sensitive information within Intercom conversations, reducing incidents of internal data breaches and effectively mitigating compliance risks.

The Challenge of Handling Sensitive Data on Intercom

Intercom is a customer service platform offering a convenient omnichannel messaging tool. As a platform that enables customer communications, Intercom presents certain data security challenges and compliance risks to healthcare organizations. In the US, consumer privacy laws and legislation such as the Health Insurance Portability and Accountability Act (HIPAA) enforce strict privacy and data security standards around the handling and safeguarding of Protected Health Information (PHI).

Intercom offers omnichannel messaging, meaning customers can initiate help desk conversations via email, SMS, live chat and social media platforms. Although omnichannel messaging offers convenience, it also presents risks in terms of maintaining HIPAA compliance. The challenge arises because customers frequently include sensitive data such as PHI within Intercom messages. 

This risk is further complicated by Intercom’s design, which is intended to improve the performance of large support teams. To do this, Intercom offers collaborative workspaces and automated workflows, which broaden who can see a conversation and so increase compliance exposure and the risk of internal data leaks.

Is Intercom HIPAA Compliant?

It's important to consider that Intercom is not HIPAA-compliant straight out of the box. Although the use of Intercom has its compliance risks, the good news is that Intercom can be configured to be HIPAA compliant.

Intercom’s HIPAA policies, procedures and controls are deemed to comply with the requirements of the HIPAA Security Rule and the HITECH Breach Notification Rule. Furthermore, Intercom is willing to sign a Business Associate Agreement (BAA) upon request.

Note that the controls and functionalities needed to achieve HIPAA compliance on Intercom are only available to organizations subscribed to Intercom’s ‘Expert’ plan. These features include access controls such as customizable roles, and SSO authentication.

Software Configuration and User Training

A crucial aspect of HIPAA compliance when using Intercom lies in proper software configuration and ongoing workforce training. While Intercom’s ‘Expert’ plan provides enhanced security features, it is the organization’s responsibility to ensure these features are configured correctly.

Importance of User Training

HIPAA’s Security Rule mandates that staff members be trained on policies and procedures that protect PHI. Training should include how to handle incoming messages containing PHI, best practices for using Intercom’s collaborative tools, and instructions for promptly flagging or redacting PHI if it appears in unsecured message threads. 

A well-structured training program reduces human error and helps maintain consistent compliance.

Technical Configuration

Organizations also need to configure Intercom’s security settings to meet HIPAA standards:

  • Role-based access: Limit user permissions so only authorized individuals can view or handle PHI.
  • Single Sign-On (SSO): Enable enterprise-grade SSO for stronger access control.
  • Session timeouts: Configure automatic logouts after a period of inactivity.
  • Audit logs: Maintain detailed audit trails of who accessed or modified PHI and at what time.

Properly configuring Intercom — and pairing it with a DLP solution that detects and redacts sensitive data in real time — is an effective way to ensure HIPAA compliance.
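The audit-log item above is only useful if someone actually reviews the trail against the role model. The script below, an added example that is not Strac's or Intercom's code, shows what that review can look like: it reads constructed audit records (the JSON field names and the "business hours" policy are assumptions for this example, not Intercom's export format or settings) and flags PHI conversations viewed by a role that should not hold PHI access, PHI exports, and PHI access outside the expected hours.

```python
import json
from datetime import datetime, timezone
from dataclasses import dataclass
from typing import List

# Constructed audit records, one JSON object per line. The field names and
# layout are assumptions made for this example, not Intercom's audit export.
SAMPLE_LOG = """\
{"ts": "2024-04-01T09:00:00Z", "user": "alice", "role": "phi_agent", "action": "view",   "conversation": "c-101", "contains_phi": true}
{"ts": "2024-04-01T09:05:00Z", "user": "bob",   "role": "sales",     "action": "view",   "conversation": "c-101", "contains_phi": true}
{"ts": "2024-04-01T09:10:00Z", "user": "alice", "role": "phi_agent", "action": "export", "conversation": "c-102", "contains_phi": true}
{"ts": "2024-04-01T22:30:00Z", "user": "carol", "role": "phi_agent", "action": "view",   "conversation": "c-103", "contains_phi": true}
{"ts": "2024-04-01T09:20:00Z", "user": "bob",   "role": "sales",     "action": "view",   "conversation": "c-200", "contains_phi": false}
"""

# Policy (assumed for this example): only these roles may touch PHI, and PHI
# access is expected during these UTC hours; anything else is queued for review.
PHI_ROLES = {"phi_agent", "compliance"}
EXPECTED_HOURS = (8, 18)  # [start, end) in UTC


@dataclass
class Review:
    rule: str
    user: str
    conversation: str
    ts: str


def parse_log(text: str) -> List[dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def review(events, phi_roles=PHI_ROLES, hours=EXPECTED_HOURS) -> List[Review]:
    """Return the audit events that violate the PHI access policy, in log order."""
    start, end = hours
    flagged = []
    for e in events:
        if not e["contains_phi"]:
            continue  # non-PHI conversations are outside this policy
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if e["role"] not in phi_roles:
            rule = "unauthorized_role"   # role-based access control was bypassed or misassigned
        elif e["action"] == "export":
            rule = "phi_export"          # exports of PHI always get a human look
        elif not (start <= ts.hour < end):
            rule = "off_hours"           # unusual time for PHI access
        else:
            continue
        flagged.append(Review(rule, e["user"], e["conversation"], e["ts"]))
    return flagged


if __name__ == "__main__":
    for r in review(parse_log(SAMPLE_LOG)):
        print(f"{r.ts} {r.rule:18} user={r.user} conversation={r.conversation}")
```

Run against the constructed log it flags three records: bob (sales role) viewing a PHI conversation, alice exporting one, and carol's late-night access; bob's view of the non-PHI conversation c-200 is left alone. The rules are evaluated in order of severity so each event carries one reason, which keeps the review queue readable.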


Other Considerations When Using Intercom

Even when Intercom is configured for HIPAA compliance, additional factors can influence data security and privacy:

  1. Data Retention Policies
    Healthcare entities should implement data retention guidelines and ensure that PHI is stored only as long as necessary. Automated deletion rules or reminders for purging old customer support tickets help minimize the risk of unauthorized disclosures.
  2. Infrastructure Security
    While Intercom has robust infrastructure, organizations must also ensure the surrounding environment (such as network security and endpoint protection) meets HIPAA requirements.
  3. Ongoing Monitoring and Audits
    HIPAA requires ongoing risk assessments and monitoring to identify potential weaknesses. Continuous audits can reveal if any Intercom settings have drifted from enforced policies or if employees are bypassing protocols.
    • Strac’s Integrations can connect multiple platforms for holistic compliance monitoring across the organization.


Can You Store Patient Data or PHI in Intercom?

As with other cloud-based software applications, storing patient data and PHI in Intercom carries some risk. But, as mentioned, Intercom can be used to store patient data and PHI provided your organization is subscribed to the ‘Expert’ plan.


HIPAA compliance therefore depends on how you configure your Intercom plan. Without features for managing user access to and redacting PHI within Intercom conversations, organizations are at risk of data leaks.

Will Intercom Sign a Business Associate Agreement?

For a cloud service provider to be considered HIPAA compliant, it must sign a BAA with healthcare organizations that intend to use its products to handle and/or process PHI.

Intercom will sign a BAA upon request. Learn more about Intercom’s BAA and ongoing commitment to data security standards.

Can PHI and Patient Data Be Leaked from Intercom?

Despite various security measures, Intercom is not immune to security threats. There will always be a potential risk of security failures such as data breaches and insider threat incidents.

Although Intercom’s ‘Expert’ plan can be configured to handle PHI in a way that is compliant with HIPAA standards, the way that Intercom operates presents ongoing risks that must be managed. 

For example, Intercom conversations are open to teams working in a collaborative environment. This type of system highlights the need for access controls or a data loss prevention solution that is able to safeguard sensitive PHI in real time. 

Potential Risks of Using Non-HIPAA-Compliant Tools for PHI

When organizations handle Protected Health Information through channels lacking HIPAA-compliant features or without proper safeguards, the risks can be severe.

Data Breaches and Security Vulnerabilities

Non-compliant systems often lack encryption and adequate access controls. This gap can lead to unauthorized access, interception, or theft of sensitive health records. In a remote or hybrid work environment, insecure messaging tools drastically increase the likelihood of unnoticed data leaks.

Legal and Financial Consequences

Healthcare organizations that violate HIPAA can face substantial fines, ranging up to $50,000 per violation with a maximum annual penalty of $1.5 million. In cases involving willful neglect or repeated offenses, the consequences can be even more severe. Legal costs, settlements, and damage to a provider’s reputation may compound the financial burden.

Loss of Patient Trust

Data breaches erode patient trust and compromise the organization’s standing in the community. Patients expect their personal health data to be handled securely, and a single breach can undermine years of goodwill.

Alternative Communication Platforms That Are HIPAA Compliant

Although Intercom can be configured for HIPAA compliance, some organizations may choose other platforms developed specifically for healthcare needs.

HIPAA-Compliant Messaging Tools

Secure messaging solutions like TigerConnect and OhMD provide role-based access, enterprise-grade encryption, and built-in HIPAA compliance measures. These platforms cater to teams in clinical settings, streamlining patient communication while safeguarding PHI.

Encrypted Communication Platforms for Healthcare

Encrypted communication services allow patients and providers to exchange messages, documents, and any other PHI securely. Platforms such as Rocket.Chat (when configured for HIPAA compliance) and Twilio (with a BAA and secure APIs) offer customization and integration options suitable for clinics and hospitals.

Organizations must still verify that any chosen platform signs a BAA, implements encryption at rest and in transit, and adheres to HIPAA’s Privacy and Security Rules for PHI protection.

Best Practices for Ensuring HIPAA Compliance in Communication

Regardless of the communication platform, certain best practices help organizations maintain HIPAA compliance and strengthen data security:

  1. Sign a Business Associate Agreement (BAA)
    Always ensure a BAA is in place with technology vendors that handle PHI, describing their responsibilities for data protection.
  2. Configure Security Controls
    Deploy encryption at rest and in transit. Implement access controls, audit logs, and session timeouts to limit unauthorized access.
  3. Train and Educate the Workforce
    Regularly train staff on HIPAA-compliant communication protocols, including identifying and safely handling PHI. Emphasize the importance of vigilance in spotting suspicious activity.
  4. Regular Risk Assessments and Audits
    Conduct routine security risk analyses to uncover vulnerabilities. Document and remediate any discovered gaps promptly.
  5. Implement DLP Solutions
    A robust DLP solution, such as Strac Intercom DLP or the ChatGPT DLP Integration, can automatically detect sensitive data appearing in communication channels and take action to protect it (e.g., redaction or encryption).


By adhering to these best practices and selecting a platform that supports these measures, organizations can effectively mitigate risks and safeguard PHI in compliance with HIPAA regulations.

How Can Strac Protect Companies from Intercom Data Leaks?

As mentioned, Intercom will sign a BAA and the ‘Expert’ plan can be configured in a way that brings it into compliance with HIPAA. However, Intercom lacks comprehensive Data Loss Prevention functionality, which leaves gaps, especially around the use of email as a channel for conversations with customers.

Strac's Intercom DLP has two primary modes:

  1. Detect only: the Intercom DLP can be configured to automatically discover sensitive information contained within conversations. Findings from sensitive tickets are secured in the Strac UI Vault, and the assigned security and customer support teams receive notifications on which they can take action.
  2. Redact: once Intercom DLP is configured it can automatically redact sensitive information, including all forms of PHI. Authorized users are able to review and action redacted messages in Strac's UI Vault.

Strac’s Intercom DLP is designed to automatically detect & redact sensitive data contained in Intercom conversations. This capability is part of Strac's broad range of integrations with various platforms, enhancing data protection across your business.

Strac Intercom DLP can be tailored to the unique needs of your organization. You can configure a custom list of sensitive data types, such as SSN, DoB, DL, Passport, Credit & Debit card #, API Keys, that are to be automatically redacted. 

Your security and compliance officers are then able to receive and review audit reports of who accessed sensitive data and when it was accessed. Not only does this system mitigate the risk of data leaks, it brings your handling of PHI within Intercom into full compliance with HIPAA standards.
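To make the two modes concrete, here is an added example (not Strac's product code, and not an Intercom integration) of a minimal detect-and-redact pass over a single inbound message. It covers three of the data types listed above (SSN, date of birth, and card number, the last checked with the Luhn algorithm to cut false positives); the sample message and the placeholder labels are constructed for this example, and the patterns are deliberately narrow rather than a full detection catalogue.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed inbound message, as a customer might type it into a help-desk chat.
# Every value in it is made up for this example.
SAMPLE_MESSAGE = (
    "Hi, my SSN is 123-45-6789 and I was born 04/12/1985. "
    "Card on file: 4111 1111 1111 1111. Please update my address."
)


@dataclass
class Finding:
    kind: str
    start: int
    end: int
    value: str


# Detectors for three of the data types named above. Patterns are deliberately
# conservative; a production DLP engine carries many more and tunes them.
PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "DOB": re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop 13-16 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect(text: str) -> List[Finding]:
    """Detect-only mode: locate sensitive values without altering the text."""
    found = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0).rstrip(" -")  # drop a trailing separator the card regex may grab
            if kind == "CARD" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            found.append(Finding(kind, m.start(), m.start() + len(value), value))
    found.sort(key=lambda f: f.start)
    # Keep only non-overlapping findings so redaction offsets stay consistent.
    result, last_end = [], -1
    for f in found:
        if f.start >= last_end:
            result.append(f)
            last_end = f.end
    return result


def redact(text: str) -> str:
    """Redact mode: replace each finding with a labelled placeholder."""
    out, pos = [], 0
    for f in detect(text):
        out.append(text[pos:f.start])
        out.append(f"[REDACTED {f.kind}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for f in detect(SAMPLE_MESSAGE):
        print(f"{f.kind:4} at {f.start}-{f.end}")  # positions only; the value stays out of logs
    print(redact(SAMPLE_MESSAGE))
```

In detect-only mode the positions and kinds are what you would hand to a reviewer or a vault; printing the matched values into ordinary application logs would itself create a PHI copy, which is why the stand-alone run above reports only offsets. In redact mode the placeholders preserve the kind of data that was removed, so an agent still understands the message while the value never reaches the shared workspace.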

To learn more about how Strac Intercom DLP ensures HIPAA compliance, check out Strac Intercom DLP, which is featured on the Intercom App Store.

Book a free 30-minute demo to learn more about Strac's DLP solutions.
