Best Practices For HIPAA Compliant Messaging and Chat

Every day, more people use chat to talk to friends, family members, and acquaintances. Besides convenience, instant messaging and chat services can also provide an additional layer of security over plain email or SMS. That additional layer is what makes those services attractive to doctors, healthcare facilities, clearinghouses, and other organizations that need to communicate sensitive data with their patients and clients.

But no matter how closely a messaging app or chat service follows the guidelines in the Health Insurance Portability and Accountability Act (HIPAA), most of them still carry the risk of a data breach. That’s why there are still essential steps you should take to make those messages as secure as possible.

This article looks at those steps and other precautions you should consider and take whenever using HIPAA compliant messaging and chat services.

What Is HIPAA?

HIPAA is a US law that imposes requirements on organizations to take measures in safeguarding the medical information of their clients. Under the HIPAA Privacy Rule, all patient medical records, primarily Electronic Protected Health Information (EPHI), are protected under federal law. EPHI is identifiable health information transmitted or maintained electronically.

HIPAA compliance is mandatory whenever a covered entity intends to communicate with its clients through chat, email, or any other digital channel in a way that may involve EPHI. The term ‘covered entities’ refers to health care clearinghouses, health plans, and healthcare providers that transmit any patient information electronically.

To prevent getting your organization in trouble because of HIPAA complaints or incidents, you may want to follow these ten practices below.

1. Check Whether The App Or Service Meets HIPAA Compliance Standards

The first thing to do is check whether the messaging or chat app you’re using is HIPAA compliant. Remember that if the developer or service provider says their software or service is encrypted but doesn’t state that it’s HIPAA compliant, don’t use it. Only use apps and services specifically designated as ‘HIPAA-compliant’, which are deemed to meet the level of data security healthcare organizations require.

2. Get Confirmation Of Security Measures By The Developer

It’s also advisable that you confirm the security measures taken by the developer or provider. You can do this by checking their website or contacting them directly with questions regarding how they keep your data secure.

If it’s unclear whether your messages are stored securely, the app or service might not be HIPAA compliant. Stop using it, as you might be risking a HIPAA violation if you continue.

3. Limit Employee Access

HIPAA compliance begins with limiting employees’ access to client-related information. This means that they can only access the information they need to perform their job. Because of that, healthcare facilities and all other covered entities should get a messaging or chat solution that can limit and restrict access to select users.

4. Track Message History

To retain HIPAA compliance, you need to record all messages sent and received each day by your healthcare organization. Recorded messages should include the sender’s name, job title, message type (text or photo), sent timestamp, and any contact details. These messages can then be stored and maintained as a record should legal action be required in the future.

5. Encrypt Messages

By default, HIPAA compliant apps should run over an encrypted connection. Encryption is what makes messaging apps and chat services secure enough to support your organization’s HIPAA compliance: it ensures third parties can’t read or intercept patient data without the necessary permission.

6. Block Email Forwarding

When it comes to HIPAA compliance, ensure that you prevent employees with access to sensitive information from forwarding emails outside your organization’s email system. Only a select few should have the privilege to forward or send emails outside your company’s email system.


7. Business Associate Agreement

In some medical facilities, your business partners might need to access EPHI through text messages and chat services. To give them access without compromising your organization, you can put a Business Associate Agreement (BAA) in place. A BAA is a non-disclosure agreement (NDA) used by HIPAA compliant organizations.

The BAA establishes that any third parties, such as messaging apps and chat services, should only access patient data for exclusively business-related reasons and should only disclose EPHI when it’s necessary to carry out specific tasks.

8. Audit Trail

To maintain HIPAA compliance, organizations should ensure that audit trails are in place. Auditing user activity means that all messaging and chat services should be monitored, with a record of the users who have sent or received sensitive information. Tracking chat logs greatly reduces the risk of HIPAA violations, as it makes it easier to identify any unauthorized access attempts.
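As an added example (not code from the article), the Python sketch below ties practices 3, 4 and 8 together: a least-privilege role table, an audit record carrying the fields listed under practice 4, and a query that surfaces denied attempts. The role names, users and conversation categories are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role table (an assumption, not from the article): each job
# title may only use the conversation categories its work requires (practice 3).
ROLE_CONVERSATIONS = {
    "physician": {"clinical", "scheduling"},
    "front_desk": {"scheduling"},
    "billing": {"billing"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One audit record with the fields practice 4 says to retain."""
    sender: str
    job_title: str
    message_type: str   # "text" or "photo"
    conversation: str   # conversation category the sender tried to use
    sent_at: str        # ISO-8601 UTC timestamp
    contact: str        # sender contact details
    allowed: bool       # whether the access check passed


def send_message(log, sender, job_title, conversation, message_type, contact=""):
    """Check least-privilege access, record the attempt, return the decision.

    Every attempt is logged, denied ones included, so the audit trail
    (practice 8) shows unauthorized access attempts, not just successes.
    """
    if message_type not in ("text", "photo"):
        raise ValueError("unsupported message type: %r" % message_type)
    allowed = conversation in ROLE_CONVERSATIONS.get(job_title, set())
    log.append(AuditEntry(sender, job_title, message_type, conversation,
                          datetime.now(timezone.utc).isoformat(), contact, allowed))
    return allowed


def unauthorized_attempts(log):
    """Audit query: who tried to reach data outside their role?"""
    return [(e.sender, e.job_title, e.conversation, e.sent_at)
            for e in log if not e.allowed]


def demo():
    log = []  # constructed sample traffic
    send_message(log, "dr.lee", "physician", "clinical", "photo", "ext 4410")
    send_message(log, "m.ortiz", "front_desk", "scheduling", "text")
    send_message(log, "m.ortiz", "front_desk", "clinical", "text")  # denied
    send_message(log, "j.park", "billing", "clinical", "text")      # denied
    return log


if __name__ == "__main__":
    for sender, title, conv, when in unauthorized_attempts(demo()):
        print(f"{when} {sender} ({title}) denied access to {conv}")
```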

9. Disable Chat Transcript Option

Since most web chat is inbound only, you should disable the option for a chat user to request or send a transcript of their conversation. Enabling this option may pose risks to your organization, as it means that patient data could be exposed to a third party.

Additionally, employees must only share EPHI that they’re authorized to use, so make sure that chat transcript options are disabled on all messaging and chat tools. Disabling the chat transcript option prevents sensitive information from being shared outside of your organization’s secure messaging system.

10. Verify Identity Of Chat Users

When it comes to HIPAA compliance, you should only allow access to your chat system by employees who have been verified using various verification systems. Doing so reduces the risk of unauthorized access attempts, as employees must undergo a rigorous authentication process before being granted access to your chat system.


Having a HIPAA-compliant chat system in place can help your organization to share patient data securely. However, having a HIPAA-compliant messaging or chat system alone doesn’t make your organization compliant. These tools can only support organizations in maintaining HIPAA compliance. As such, you must understand what HIPAA-compliant messaging and chat services can do for your organization and how they support your current compliance efforts.

The most important thing you can do is establish a secure messaging policy for your organization. This policy should cover all aspects of your secure messaging system, including technical security features and user authentication. Only with a clear understanding of how to use the technology in a compliant manner will you maintain HIPAA compliance.

Rakesh Babu
Rakesh Babu is a business analyst with a focus on startups. With an MBA and years of experience, he's a go-to source for insights on entrepreneurship. Beyond the business world, Rakesh is a chess aficionado and an amateur astronomer, always curious and seeking new patterns – whether in the stars or the stock market.
