Is Intercom HIPAA Compliant?
Learn how Intercom can be used to handle sensitive PHI in compliance with HIPAA standards.
Intercom is a customer service platform offering a convenient omnichannel messaging tool. As a platform that enables customer communications, Intercom presents certain data security challenges and compliance risks to healthcare organizations. In the US, consumer privacy laws and legislation such as the Health Insurance Portability and Accountability Act (HIPAA) enforce strict privacy and data security standards around the handling and safeguarding of Protected Health Information (PHI).
Intercom offers omnichannel messaging, meaning customers can initiate help desk conversations via email, SMS, live chat and social media platforms. Although omnichannel messaging offers convenience, it also presents risks in terms of maintaining HIPAA compliance. The challenge arises because customers frequently include sensitive data such as PHI within Intercom messages.
This risk is further complicated by Intercom’s design, which is intended to improve the performance of large support teams. To do this, Intercom features collaborative workspaces and automated workflows, which increase compliance issues and the risk of internal data leaks.
It's important to consider that Intercom is not HIPAA-compliant straight out of the box. Although the use of Intercom has its compliance risks, the good news is that Intercom can be configured to be HIPAA compliant.
Intercom’s HIPAA policies, procedures and controls are deemed to comply with the requirements of the HIPAA Security Rule and the HITECH Breach Notification Rule. Furthermore, Intercom is willing to sign a Business Associate Agreement (BAA) upon request.
Note that the controls and functionalities needed to achieve HIPAA compliance on Intercom are only available to organizations subscribed to Intercom’s ‘Expert’ plan. These features include access controls such as customizable roles and SSO authentication.
As with other cloud-based software applications, storing patient data and PHI in Intercom carries some risk. But, as mentioned, Intercom can be used to store patient data and PHI provided your organization is subscribed to the ‘Expert’ plan.
HIPAA compliance therefore depends on how you configure your Intercom plan. Without features for managing user access to PHI within Intercom conversations and redacting it, organizations are at risk of data leaks.
For a cloud service provider to be considered HIPAA compliant, it must sign a BAA with healthcare organizations that intend to use its products to handle and/or process PHI.
Intercom will sign a BAA upon request. Learn more about Intercom’s BAA and ongoing commitment to data security standards.
Despite various security measures, Intercom is not immune to security threats. There will always be a potential risk of security failures such as data breaches and insider threat incidents.
Although Intercom’s ‘Expert’ plan can be configured to handle PHI in a way that is compliant with HIPAA standards, the way that Intercom operates presents ongoing risks that must be managed.
For example, Intercom conversations are open to teams working in a collaborative environment. This type of system highlights the need for access controls or a data loss prevention solution that is able to safeguard sensitive PHI in real time.
As mentioned, Intercom will sign a BAA and the ‘Expert’ plan can be configured in a way that brings it into compliance with HIPAA. However, Intercom lacks comprehensive Data Loss Prevention functionality, meaning there are vulnerabilities, especially around the use of the email protocol for conversations with customers.
Strac's Intercom DLP has two primary modes:
Strac’s Intercom DLP is designed to automatically detect & redact sensitive data contained in Intercom conversations. This capability is part of Strac's broad range of integrations with various platforms, enhancing data protection across your business.
Strac Intercom DLP can be tailored to the unique needs of your organization. You can configure a custom list of sensitive data types, such as SSN, DoB, DL, Passport, Credit & Debit card #, and API Keys, that are to be automatically redacted.
Your security and compliance officers are then able to receive and review audit reports of who accessed sensitive data and when it was accessed. Not only does this system mitigate the risk of data leaks, it brings your handling of PHI within Intercom into full compliance with HIPAA standards.
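As an added illustration of the detect-and-redact mode described above (example code written for this page, not Strac's or Intercom's implementation), the following Python pass applies an admin-chosen list of data types to a constructed Intercom-style message, uses a Luhn checksum so that look-alike numbers are left in place, and records one audit event per redaction. The data-type names, patterns and the `AuditEvent` shape are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Detectors keyed by the sensitive-data type an admin would enable in a
# redaction list. Patterns are illustrative, not a vendor's rule set.
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
}

def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum; rejects order or ticket numbers that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class AuditEvent:
    conversation_id: str
    data_type: str
    hint: str  # last four characters only; the full value never reaches the audit log

def redact_message(conversation_id: str, text: str, enabled_types):
    """Redact each enabled data type in order; return (clean_text, audit_events)."""
    events = []
    for data_type in enabled_types:
        def _replace(m, data_type=data_type):
            value = m.group(0)
            if data_type == "CARD" and not luhn_ok(re.sub(r"[ -]", "", value)):
                return value  # fails checksum: not a card number, leave untouched
            events.append(AuditEvent(conversation_id, data_type, value[-4:]))
            return f"[REDACTED:{data_type}]"
        text = DETECTORS[data_type].sub(_replace, text)
    return text, events

# Constructed sample in the shape of a customer's Intercom message (fake values).
SAMPLE = ("Hi, my SSN is 123-45-6789, DOB 02/14/1985. "
          "Card 4111 1111 1111 1111 was charged twice; order 4111 1111 1111 1112.")

if __name__ == "__main__":
    clean, events = redact_message("conv_001", SAMPLE, ("SSN", "DOB", "CARD"))
    print(clean)
    for e in events:
        print(f"{e.conversation_id}: redacted {e.data_type} (...{e.hint})")
```

Disabling a type in `enabled_types` leaves that data in the message, which is the configuration choice the audit trail should make visible.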
To learn more about how Strac Intercom DLP ensures HIPAA compliance, check out Strac Intercom DLP, which is featured on the Intercom App Store.
Book a free 30-minute demo to learn more about Strac's DLP solutions.