Healthcare organizations are under constant pressure to improve patient communication and reduce administrative burden. Live chat helps with both - but only if the implementation meets HIPAA's requirements for handling protected health information. This guide covers what you need to know before you deploy, and what to look for in a vendor.

Note: This post covers general compliance considerations and is not legal advice. Consult your organization's legal and compliance team before deploying any system that handles PHI.

What Counts as PHI in a Chat Context

Protected Health Information (PHI) under HIPAA is any individually identifiable health information related to a patient's past, present, or future health condition, healthcare provision, or payment for healthcare. In a chat context, PHI is more common than most teams realize.

PHI in Chat - Handle with Care

  • Patient name combined with health condition
  • Appointment date/time + diagnosis
  • Insurance member ID or claim number
  • Prescription information
  • Test results or lab values
  • Symptoms described in detail
  • Medical record numbers
  • Billing information tied to services
  • Provider names + patient information

Generally Not PHI

  • Office hours inquiry
  • General insurance questions (not tied to a patient)
  • Directions to a facility
  • General health education questions
  • Website navigation assistance
  • Job application inquiries
  • Anonymous symptom checker (no identity)
  • Appointment availability (general, not tied to patient)

Common Misunderstanding

A patient's name alone is not PHI. An appointment time alone is not PHI. But a patient's name combined with their appointment date, or a patient name combined with any mention of health condition or treatment, becomes PHI. Chat transcripts that contain "John Smith has an appointment with Dr. Patel on March 15" are PHI - even if no medical details are discussed.
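The combination rule above is easiest to see as a transcript-level check, so here is an added example (not code from the original post or from Velaro) that flags a chat session as PHI when a direct identifier appears, or when a name co-occurs anywhere in the session with health or appointment context. The identifier patterns, name heuristic and health terms are constructed assumptions; a real deployment would key the name off the pre-chat form rather than guessing it from text.

```python
import re
from dataclasses import dataclass

# Constructed heuristics (assumptions, not from the page): identifiers that are
# PHI on their own, a crude "First Last" name pattern, and the health or
# appointment context that turns a bare name into PHI.
DIRECT_ID_RES = {
    "medical record number": re.compile(r"\bMRN\b\D{0,6}\d{6,}\b", re.I),
    "member/claim id": re.compile(
        r"\b(?:member|claim)\s*(?:id|number|#)\D{0,4}[A-Z0-9-]{6,}\b", re.I),
}
NAME_RE = re.compile(r"\b(?!Dr\b)[A-Z][a-z]+ [A-Z][a-z]+\b")
CONTEXT_RES = {
    "provider name": re.compile(r"\bDr\.?\s+[A-Z][a-z]+\b"),
    "appointment date": re.compile(
        r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}\b"),
}
HEALTH_TERMS = ("diagnos", "prescri", "medication", "lab result", "test result",
                "symptom", "treatment", "appointment")

@dataclass
class Verdict:
    is_phi: bool
    reasons: list[str]

def classify_transcript(messages: list[str]) -> Verdict:
    """Classify the whole transcript, not single messages: a name in one
    message and a diagnosis several messages later still make it PHI.
    A bare name, or anonymous health talk with no identifier, is not PHI."""
    reasons: list[str] = []
    name_seen = False
    context: list[str] = []
    for text in messages:
        for label, rx in DIRECT_ID_RES.items():
            if rx.search(text):
                reasons.append(f"direct identifier: {label}")
        if NAME_RE.search(text):
            name_seen = True
        context += [f"health term '{t}'" for t in HEALTH_TERMS if t in text.lower()]
        context += [label for label, rx in CONTEXT_RES.items() if rx.search(text)]
    if name_seen and context:
        reasons.append("patient name combined with: " + ", ".join(context))
    return Verdict(is_phi=bool(reasons), reasons=reasons)

# Constructed sample sessions (not real chats).
SESSIONS = {
    "office_hours": ["What are your office hours on Monday?"],
    "name_plus_appt": ["John Smith has an appointment with Dr. Patel on March 15"],
    "mrn": ["My MRN is 00123456, can you resend my lab results?"],
}
```

Sessions that come back `is_phi=True` are the ones that must live under the at-rest encryption, audit logging and retention rules described later on this page.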

The BAA Requirement

If your live chat platform stores, processes, or transmits PHI, the vendor is a Business Associate under HIPAA. That means you must have a signed Business Associate Agreement (BAA) with them before going live with any patient-facing chat.

A BAA obligates the vendor to:

HIPAA fines for operating without a BAA range from $100 to $50,000 per violation (per individual patient record affected), with annual maximums of $1.9 million per violation category. A single unsecured chat session involving a patient's name and diagnosis could constitute multiple violations.

"The BAA is not a formality. It's the legal mechanism that defines who is responsible for what when something goes wrong. Operating without one - even with a reputable vendor - leaves your organization holding full liability for any breach."

Encryption: At Rest vs. In Transit

HIPAA requires "reasonable and appropriate" safeguards, which the healthcare industry has broadly interpreted to mean encryption. Understanding the difference between the two types of encryption matters when evaluating vendors:

Encryption in transit

This means chat messages are encrypted while moving between the customer's browser, the vendor's servers, and your agent's screen. TLS 1.2 or higher is the minimum standard. Almost all reputable chat platforms offer this. It's table stakes, not a differentiator.

Encryption at rest

This means stored chat transcripts are encrypted on the vendor's servers when no one is actively accessing them. AES-256 encryption is the standard. This is where many chat platforms fall short - they encrypt in transit but store transcripts in plaintext or with weaker encryption. Any platform you use for healthcare chat must encrypt data at rest.

When evaluating vendors, ask specifically: "What encryption standard do you use for data at rest?" and "Can you provide documentation of your encryption implementation?" A vendor that can't answer this question clearly is not ready for healthcare deployments.

Audit Logging Requirements

HIPAA's Security Rule requires covered entities and their business associates to maintain records of who accessed PHI and when. For live chat, this means:

Many general-purpose chat platforms offer basic access logs but don't provide the granular per-record audit trails required for HIPAA compliance. Ask to see a sample audit report before committing to a platform.
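To make "per-record audit trail" concrete, here is an added example (not Velaro's code and not from the original post) of an append-only access log that answers the question a compliance reviewer actually asks: who opened, exported or deleted a given transcript, and when. Each entry is hash-chained to the previous one so that an edited or silently removed entry fails verification; the agent names, transcript IDs and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained record of who touched which transcript.
    Each entry commits to the previous entry's hash, so an edited or removed
    entry is caught by verify(); truncation at the tail needs an external anchor."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, when: datetime, actor: str, transcript_id: str, action: str) -> None:
        body = {"ts": when.isoformat(), "actor": actor,
                "transcript_id": transcript_id, "action": action,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def access_report(self, transcript_id: str) -> list[tuple[str, str, str]]:
        """Per-record trail: every actor who viewed/exported/deleted this transcript."""
        return [(e["ts"], e["actor"], e["action"])
                for e in self.entries if e["transcript_id"] == transcript_id]

def build_sample_log() -> AuditLog:
    """Constructed sample activity (not real data): two agents and one reviewer."""
    log = AuditLog()
    t0 = datetime(2025, 3, 15, 9, 0, tzinfo=timezone.utc)
    log.record(t0, "agent.alice", "T-1001", "view")
    log.record(t0.replace(minute=12), "agent.bob", "T-1002", "view")
    log.record(t0.replace(hour=10), "agent.alice", "T-1001", "export")
    log.record(t0.replace(hour=11), "compliance.carol", "T-1001", "view")
    return log
```

A vendor's sample audit report should let you produce the equivalent of `access_report("T-1001")` for any transcript; if the log can be edited without leaving a trace, the chain check here is the property that is missing.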

Velaro's HIPAA package includes a signed BAA, AES-256 encryption at rest, and full audit logging. Starting at $2,000/month.

What to Ask Vendors Before You Deploy

HIPAA Vendor Evaluation Checklist

  • Will you sign a BAA? If the vendor says they offer HIPAA compliance but won't sign a BAA, that's a disqualifier. The BAA is the minimum legal requirement.
  • What encryption do you use for data at rest? The answer should be AES-256 or equivalent. "We use encryption" is not a sufficient answer.
  • Where is data stored? Data sovereignty matters. Some healthcare organizations require US-based data storage. Confirm the vendor's data center locations and whether storage location can be configured.
  • Can you provide SOC 2 Type II reports? SOC 2 Type II certification demonstrates that the vendor's security controls have been independently tested over time, not just assessed once.
  • How are breaches handled? What is the vendor's breach notification process? How long do they take to identify and notify you? HIPAA requires notification to covered entities within 60 days of breach discovery.
  • Do subprocessors also comply with HIPAA? If the chat platform uses third-party services for storage, analytics, or processing, those subprocessors must also comply. Ask for a list of subprocessors and their compliance status.
  • What are the audit log capabilities? Can you run a report showing who accessed a specific transcript and when? Is that data exportable for compliance review?
  • What is the data retention and deletion policy? Can you delete specific records (for patient right-of-erasure requests)? Can you set automatic retention limits?

Designing Chat Flows That Minimize PHI Exposure

Even with a compliant platform, good chat flow design reduces PHI exposure and limits your risk surface:

Keep pre-chat forms minimal

Pre-chat forms that ask for date of birth, medical record number, or diagnosis create PHI before the conversation even starts. Collect only what's needed to route the conversation. A first name and the nature of the inquiry (scheduling, billing, general) is usually enough.

Use secure messaging for sensitive exchanges

For conversations that will involve detailed health information - test results, medication lists, clinical documentation - consider a secure messaging portal rather than a standard chat widget. Secure messaging portals require patient authentication before any content is accessible, providing a stronger compliance posture than a public-facing chat widget.

Configure bot flows to avoid PHI collection

If your bot handles appointment scheduling, it doesn't need to ask about the patient's diagnosis. "What type of appointment?" is usually sufficient for routing. Train bot flows to collect the minimum necessary information - the HIPAA "minimum necessary" standard applies to automated data collection as well as human access.

Velaro's HIPAA Package

Velaro offers a HIPAA-compliant configuration starting at $2,000/month, which includes:

The HIPAA package is designed for hospitals, health systems, specialty practices, healthcare software companies, and any organization that handles patient data. The base live chat, bot, and routing capabilities are identical to the standard platform - the HIPAA package adds the compliance infrastructure layered on top.

More on Velaro's healthcare capabilities, and chat benchmarks for the healthcare vertical, can be found in the live chat benchmarks guide.

The Bottom Line

HIPAA-compliant live chat is not about finding a vendor willing to sign a BAA - almost any vendor will sign one. It's about verifying that the underlying platform actually implements the technical safeguards HIPAA requires: AES-256 encryption at rest, granular audit logging, role-based access controls, and compliant data retention policies.

Before deploying any chat platform in a healthcare environment, run every vendor through the checklist above. The right vendor will answer every question directly and provide documentation. Any hesitation should disqualify them.

Frequently Asked Questions

What does HIPAA require for live chat?

HIPAA requires that any live chat platform handling PHI must have a signed Business Associate Agreement with the vendor, implement AES-256 encryption at rest and TLS encryption in transit, maintain audit logs for 6 years, enforce role-based access controls, and have a documented breach notification process.

Is Intercom or Zendesk HIPAA compliant for live chat?

Both Intercom and Zendesk offer BAA agreements on enterprise plans only. However, signing a BAA does not guarantee full technical compliance - both platforms have known gaps in granular audit logging and retention controls for PHI-specific use cases. Healthcare teams should evaluate each platform's specific technical safeguards, not just BAA availability.

What is PHI in a live chat context?

PHI (Protected Health Information) in chat includes any combination of patient identity and health data: a name paired with an appointment date, an insurance member ID, prescription details, lab results, or symptoms discussed with a provider. A patient name alone is not PHI, but combined with any health-related context it becomes PHI requiring full HIPAA protection.

Can a chatbot handle HIPAA-covered conversations?

Yes, but the bot must operate on a HIPAA-compliant platform and be configured to collect only the minimum necessary information. Bot flows should avoid asking for diagnosis, medical record numbers, or detailed health history unless required for routing. All bot interactions must be logged and stored under the same safeguards as human agent conversations.

How long do HIPAA audit logs need to be retained?

HIPAA's Security Rule requires audit logs to be retained for a minimum of 6 years from the date of creation or the date when it was last in effect. For live chat, this means every record of agent access to PHI-containing transcripts must be preserved and retrievable for at least 6 years.