Ensuring HIPAA and PCI compliance when using LiveChat requires properly configuring security and privacy settings. While Text does not ensure HIPAA compliance on your behalf, we provide a structured set of guidelines to assist our BAA clients in configuring LiveChat and the website widget to meet HIPAA and PCI standards.
As a BAA client, you are required to implement and maintain all the guidelines, privacy, and security configuration steps defined herein (referred to as “Instructions”) to properly set up your LiveChat Agent App and website widget in alignment with HIPAA and PCI compliance standards. These Instructions are mandatory throughout your subscription term to safeguard sensitive data and ePHI, mitigate security risks, and ensure ongoing regulatory compliance.
You are responsible for ensuring that your LiveChat configuration adheres to the latest security and privacy standards outlined in this document.
All necessary settings allowing you to configure LiveChat and the website widget to meet HIPAA and PCI compliance requirements are available exclusively to customers covered by the Business Associate Addendum (BAA). Learn more about BAA.
To ensure that your LiveChat agent app and website widget comply with HIPAA and PCI regulations, follow these configuration steps:
- US data center hosting: Ensure your LiveChat is hosted in our US data center to meet HIPAA’s territorial data requirements. If you are unsure where your account is hosted, please contact our support team for confirmation.
- Website widget configuration: Enhance privacy by disabling chat transcripts sharing in the Customization section.
- LiveChat app settings for agents: Strengthen data security by adjusting settings to anonymize or delete chat transcripts, store transcripts on your own server, and restrict file sharing.
- Integration check: Scrutinize third-party integrations for compliance.
- Access control: Implement security measures such as IP-restricted addresses and enforce strong password policies for agent logins.
- Evaluate AI-related functionalities in LiveChat for healthcare-related activities: Give careful attention to compliance and ethical practices.
- Manage LiveChat cookies for HIPAA compliance: Enhance privacy with proactive cookie management.
- BAA agreement: Ensure you have signed a BAA if your organization meets the qualifying criteria.
These measures are essential for safeguarding the security and privacy of your customers’/visitors’ sensitive health information while ensuring compliance within the LiveChat environment. The following sections will provide a detailed explanation of how each step contributes to securing sensitive data and maintaining adherence to HIPAA and PCI standards.
1. Verify that your LiveChat account is hosted in our US data center in compliance with HIPAA
Hosting your LiveChat within a US-based data center is essential to adhere to HIPAA’s mandates about keeping personal health information within the US. Therefore, ensure your LiveChat license is assigned to the US data center to remain compliant. If you are uncertain, contact our support team (available 24/7) to confirm your hosting location.
2. Configure your website widget for privacy
By default, LiveChat allows customers to send chat transcripts to an email address of their choice. However, for HIPAA and PCI compliance, you must disable chat transcript sharing to prevent your customers from sending/emailing chat transcripts to their email addresses and unauthorized transmission of sensitive data.
How do you disable chat transcript sharing?
1. Access the Customization section in your Chat widget settings.
2. Scroll down to the Additional tweaks section of your chat widget customization.
3. From the list of available tweaks, turn off the Let customers get chat transcripts option. This will prevent your customers from sending the transcript of their conversation to a chosen email address.
Once this setting is applied, customers can no longer send or email chat transcripts, reducing the risk of accidental ePHI exposure.
3. Adjust your LiveChat app settings for Agents
Since Text doesn’t directly manage HIPAA and PCI compliance on your behalf, it is your responsibility to manually configure agent settings to ensure secure data handling on your end.
Key security self-setup adjustments:
- Anonymizing chat transcripts: Set up automated chat transcript anonymization or enable automatic chat transcript deletion immediately after each chatting session to prevent long-term storage of sensitive conversations.
- Storing data locally: Redirect chat transcripts to your own server using webhooks for local data storage.
- Restrict file sharing: Disable file transfers during chats to prevent unauthorized data exchange.
How do you enable chat transcript anonymization whenever a chat conversation ends?
Automating chat transcript anonymization keeps your archives available, so you can still take full advantage of LiveChat’s reporting tools while adhering to HIPAA and PCI standards.
To set it up, visit the LiveChat Marketplace and install the Chat Anonymization app. Once you complete this step, all archived chat transcripts will be anonymized automatically.
How do you enable automatic chat transcript deletion after every chat?
Automatically deleting chat transcripts helps protect your customer’s information and reduces the risk of data breaches on your side. However, please note that this action will prevent chat-based reports from working.
To proceed, go to the LiveChat Marketplace, install the Chat Deletion app, and that’s it. No additional steps are required. From now on, your conversations will disappear completely after they conclude.
Alternatively, if you prefer to retain chat records, you must store them securely on your own servers using LiveChat webhooks. For guidance on how to do this, refer to the section Set up the storage of chat transcripts on your server, detailed further in our guide.
Redirect chat transcripts to be stored on your own servers using webhooks
Set up your server to collect chat transcripts directly from LiveChat. This automated process ensures that you have full control over managing your customers’ personal health information after chat conversations end.
For efficient and direct transfer of chat transcripts to your server, we strongly recommend using webhooks, which provide immediate updates, allowing systems to receive information as soon as an event occurs. Alternatively, there is also an option for transcript forwarding. Please note that transcripts are processed through our email service provider in this case.
Implementing webhooks that receive and process your chat transcripts might require technical knowledge. If needed, consider engaging one of our certified experts.
How do you disable file sharing to prevent your agents from sending and receiving files?
To prevent your agents and customers/visitors from exchanging files during chats (sending and receiving):
1. First, access the File sharing section within your Chat settings.
2. Uncheck the option for both agents and visitors to prevent file exchanges. Remember to select Save changes.
This action stops file sharing entirely, ensuring that your agents, customers, and website visitors can neither send nor receive data files that could cause a breach of HIPAA and/or PCI regulations.
4. Review and adjust your third-party integrations for compliance
The LiveChat app allows you to integrate your license with various third-party applications. Although these integrations enhance everyday work, you may share your customers’/visitors’ personal health information with add-ons that might not adhere to HIPAA and PCI standards.
To avoid such situations, we advise you to:
- Audit installed integrations: Verify all your existing integrations in your LiveChat account to ensure they meet HIPAA or PCI compliance standards. You can find them on the LiveChat App under the Apps -> Your apps section.
- Verify data access: In the App Terms section of each application, review the scopes to determine what data existing integrations can access within your LiveChat account. Granting permissions for third-party applications to access your LiveChat account data may affect your entire license. Always carefully verify HIPAA/PCI compliance when accepting scopes of data access.
- Uninstall non-compliant integrations: Uninstall any apps that do not meet HIPAA/PCI standards.
- Review webhook connections: Examine any third-party connections set up through webhooks, such as those with Zapier, and disable non-compliant third-party API integrations from the Automate with webhooks settings section.
This step is vital for maintaining the privacy and security of your customer data.
How do you audit installed integrations?
1. Go to the LiveChat Apps section.
2. Navigate to the Your apps section and choose your integration.
How do you verify data access?
1. First, follow the steps under How do you audit installed integrations? above.
2. Enter the app settings. Select the ellipsis button on the right-hand side and choose Open in Marketplace.
3. In the Marketplace view, navigate to the App Terms section and review the listed scopes to determine the type of data the third-party application can access. This is crucial for confirming that each integration complies with HIPAA and PCI standards.
How do you remove non-compliant integrations?
1. First, follow the steps under How do you audit installed integrations? above.
2. If you decide that some integrations are not HIPAA/PCI-compliant, you can uninstall them from your account. To do that, select one of your installed integrations and then Settings.
3. On the next screen, select Uninstall under the ellipsis menu.
How do you remove non-compliant webhook connections?
Check whether your LiveChat is linked with third-party software via webhooks, like Zapier. To do that, navigate to the Automate with webhooks section of your Apps section again.
Identify which webhooks your LiveChat is linked to, and if there’s software that is not HIPAA/PCI-compliant, simply hover your mouse over the webhook’s address and select the trash can icon.
5. Implement access control measures
To enhance security, limit access to your LiveChat app using:
- IP-based restrictions — Allow logins only from approved locations.
- Strong password policies — Enforce strict agent login credentials.
- Two-factor authentication (2FA) — Secure login access with multi-step verification.
How do you restrict login access to specific IP addresses?
This can be done by setting up a list of allowed IP addresses in LiveChat’s security settings.
1. Select the Access restrictions section of LiveChat’s Security settings.
2. Select the option to allow only specific IP addresses, then enter the authorized IP addresses (such as your company office IP).
3. Click Save changes to finalize.
And that’s it! This configuration ensures that your agents can only log in to your LiveChat account from these approved locations, and you can rest assured that your account won’t be accessed from unverified locations.
How do you enforce a strong password policy for your agents?
Setting up a strict password policy for your agents should be a mandatory part of your company’s security policy. Good practice is to inform your agents that their passwords should contain at least six characters, mixing special characters, numbers, and uppercase and lowercase letters.
In addition, you can enhance security further by enabling one of the advanced login methods we offer, like 2-step verification with Google or Single Sign-on (SSO) for secure authentication. This will ensure that agents use a more secure login process.
For 2-step verification with Google:
1. First, proceed to the Login settings section of your LiveChat’s Security settings. Select Go to login settings.
2. While there, select Google to link LiveChat with your Google Account.
3. Select Connect your Google account.
4. Select Save changes. You will be redirected to the Google login page to connect your account.
Now, whenever your LiveChat agents try to log in to LiveChat, they must use the Log in with Google option. And that will make their login process much more secure!
6. Evaluate AI-related functionalities in LiveChat for healthcare-related activities
Using eligible AI features within LiveChat (namely Reply Suggestions, AI Text Enhancements, and Copilot) for healthcare-related purposes requires careful attention to compliance and ethical practices. To ensure these tools meet operational and compliance requirements, particularly when handling ePHI or other sensitive data, we recommend the following best practices:
- Evaluate AI accuracy
- Monitor AI performance
- Understand data processing by AI partners
- Disclose AI limitations
- Customize chat windows for consent
- Restrict AI features usage to authorized personnel
1. Evaluate AI accuracy
Before employing AI features and any AI-generated content, assess their suitability for handling ePHI or other sensitive data against your compliance needs, for example, by:
- Testing and validating the AI output to confirm its accuracy and relevance in your healthcare-related scenarios.
- Verifying that the AI features are appropriate for processing your ePHI.
2. Monitor AI performance
Regular reviews of AI-generated content, such as suggestions, communication, and responses are essential to ensure compliance, effectiveness, and operational accuracy:
- Collect feedback from agents and customers.
- Continuously refine AI models based on performance, feedback, and usage patterns.
- Train your team on how to effectively provide feedback and handle AI limitations.
3. Understand data processing by AI partners
When using AI features in LiveChat, data may be processed and stored by sub-processors under separate terms and conditions. Understanding this aspect of data handling is crucial since these partners have their own data retention policies.
Therefore, we strongly advise that you assess the data handling practices of AI partners before using AI features in LiveChat to ensure your compliance with HIPAA. Refer to the LiveChat Sub-Processors list for information about sub-processors and their data practices.
4. Disclose AI limitations
Ensure the services are not used as a substitute for professionals, as AI-generated responses and content are not intended to replace the expertise of licensed healthcare professionals. AI features in LiveChat are also not intended for use in any manner that constitutes a medical device under applicable regulations.
Clearly communicate these limitations to users and potential inaccuracies of AI-generated content, especially when the content relates to advice on health problems, treatments, or other medical information.
- Transparency: Inform users of AI’s limitations and potential inaccuracies, particularly regarding health advice, treatments, or diagnoses, and remember that Text is not responsible for the advice, diagnosis, or treatment plans derived from AI content.
- AI disclaimer example in your chat window: Customize your chat window’s welcome message or chat footer to include AI-related disclaimers, and display this message before the chat starts. For example: “This chat may use AI-generated responses. AI is not a substitute for professional medical advice. Please consult a healthcare professional for specific concerns.”
- For assistance with customizing consent and disclosure settings, refer to LiveChat’s GDPR Compliance Guide.
5. Customize chat windows for consent
LiveChat supports the customization of chat windows to include specific consent clauses. This ensures your users are aware of data collection and processing practices involved.
- Clearly state the use of AI technologies in chat interactions and explain their purpose.
- Include consent statements in the pre-chat form, such as “I understand that this chat service utilizes AI-generated responses to assist me more promptly,” and detail any data handling practices associated with the use of AI to ensure users are fully informed. For comprehensive guidance, refer to LiveChat’s GDPR Compliance Guide.
6. Restrict AI features usage to authorized personnel only
To enhance privacy, consider limiting AI feature access to authorized personnel trained and qualified to handle healthcare-related activities.
- Role-based access control: define permissions in your LiveChat security settings. For further details, visit LiveChat’s Agent Account Management Guide.
How do you embed AI feature-specific guidelines into LiveChat?
To ensure AI-powered functionalities comply with security and quality standards, follow these steps for embedding AI feature-specific guidelines into your LiveChat environment:
- Reply suggestions accuracy: AI-powered reply suggestions can improve communication efficiency, but their accuracy and compliance must be actively monitored by the client. Therefore, consider the following steps:
  - Manually review AI-generated replies before sending them to ensure relevance and compliance.
  - Real-time adjustment: Modify AI-generated suggestions in real time if they are inaccurate or unsuitable for the query or context.
  - Refer to the Reply Suggestions guide for detailed instructions on accessing and using this feature.
- AI text enhancements: As an agent’s writing assistant, they provide real-time suggestions to improve communication quality and consistency. Ensure their compliance by acknowledging the following:
  - Agent discretion: Give agents full control over accepting, modifying, or rejecting AI-generated suggestions so they can tailor responses to the specific context and requirements of the interaction.
  - Editing capability: Allow editing to adjust AI-generated text before sending it to a customer.
  - Review process: Before introducing the feature, conduct a manual review of a sample of AI-generated responses to confirm they meet compliance and quality standards.
- AI accuracy in Copilot: Copilot automates responses to streamline customer interactions, but its accuracy must be regularly assessed. To maintain its accuracy:
  - Monitor Copilot’s work: Regularly monitor Copilot’s performance to identify inaccuracies and areas for improvement.
  - Implement a feedback loop: Collect agent and customer feedback to refine AI-generated responses.
  - Review and update AI settings regularly to maintain compliance and improve efficiency.
To maintain compliance and security, review updates to the BAA regularly, conduct ongoing training and monitoring to safeguard ePHI and other sensitive data within LiveChat, and implement proper AI usage. Following these guidelines, you can leverage AI-powered functionalities under the BAA in LiveChat.
7. Streamline LiveChat cookies management for HIPAA compliance
At Text, we provide tools and settings designed to simplify cookie management while ensuring privacy without burdening you with technical complexities.
Understanding cookie consent and HIPAA compliance
Obtaining clear and informed user consent before collecting any health-related information via cookies is a fundamental requirement under HIPAA compliance. This ensures that users are fully aware of what data is being collected, how it will be used, and who will have access to it, aligning with HIPAA’s stringent patient data privacy standards.
Mitigating risks through proactive cookie management
Here are a few of the best strategies for managing cookies effectively under HIPAA regulations.
1. Assess cookie usage.
LiveChat cookies are integral for optimizing the functionality of the website widget. They focus on securing interactions, maintaining user sessions, and tailoring user experiences through minimal data collection. This selective data gathering ensures operational effectiveness while adhering to strict privacy standards, minimizing potential HIPAA risks. These cookies facilitate essential service features, ensuring secure and dependable communication on various platforms and aligning with privacy regulations due to their non-intrusive nature.
Moreover, while these cookies primarily enhance user experience and ensure service reliability, some LiveChat cookies may track user interactions for site analysis and improvements. It’s crucial to assess the impact of HIPAA on pages that handle sensitive health information, as this cookie tracking could pose a risk if personal health information is transmitted without explicit consent.
To optimize cookie management and comply with privacy regulations, it’s advised to categorize LiveChat cookies based on their specific roles and functionality. The LiveChat Cookie Banner Guide provides detailed guidance on improving your cookie banner.
Audit your site’s cookie usage regularly to identify any that may capture health-related information, and determine if they are essential and HIPAA-compliant.
2. Obtain explicit user consent before activating tracking cookies.
Before deploying cookies that may collect health-related data, ensure you secure explicit user consent. This can be achieved by:
- Modifying your website’s cookie consent mechanism so that it clearly presents an option for users to agree to your data processing practices. Done in line with HIPAA guidelines, this ensures transparency and gives users control over their personal information.
- Enhancing pre-chat forms to include distinct consent options that outline specific types of data collected and their purpose, making sure they use unambiguous language to avoid confusion.
For a comprehensive guide on cookie settings, for example, on how to load a website widget only once cookies are accepted, refer to LiveChat’s Guide on Cookie Consent.
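As an added example of gating the website widget on consent (this is illustrative code, not LiveChat’s own snippet), the following browser script reads a first-party consent cookie and injects the widget script only once the visitor has accepted the category the widget belongs to. The cookie name "cookie_consent", its JSON list-of-categories format, the "functional" category, the "cookie-consent-updated" event, the licence placeholder, and the widget script URL are all assumptions for the example; take the real licence number and script URL from your own widget installation snippet. The `win` and `doc` parameters are injectable so the decision logic can be exercised outside a browser.

```javascript
// Added example: load the LiveChat website widget only after cookie consent.
// Not LiveChat's own install snippet. Assumptions (hypothetical): a first-party
// cookie named "cookie_consent" holds a JSON-encoded list of accepted categories,
// the widget belongs to the "functional" category, and the widget is installed by
// inserting a <script> for WIDGET_SCRIPT_URL with the licence number in window.__lc.license.
const CONSENT_COOKIE = "cookie_consent";
const REQUIRED_CATEGORY = "functional";
const WIDGET_SCRIPT_URL = "https://cdn.livechatinc.com/tracking.js"; // confirm against your own install snippet
const LICENSE_ID = "REPLACE_WITH_LICENSE_ID"; // placeholder, not a real licence

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// True only when the consent cookie is present, well-formed, and lists the required category.
function hasConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return false;
  try {
    const accepted = JSON.parse(raw);
    return Array.isArray(accepted) && accepted.includes(REQUIRED_CATEGORY);
  } catch (e) {
    return false; // a malformed consent cookie is treated as no consent
  }
}

// Inject the widget script once; returns false if it has already been loaded.
function loadWidget(win, doc) {
  if (win.__lc_widget_loaded) return false;
  win.__lc = win.__lc || {};
  win.__lc.license = LICENSE_ID;
  const script = doc.createElement("script");
  script.async = true;
  script.src = WIDGET_SCRIPT_URL;
  doc.head.appendChild(script);
  win.__lc_widget_loaded = true;
  return true;
}

// Entry point: load the widget now if consent is present; otherwise do nothing
// so no LiveChat script runs and no LiveChat cookies are set before consent.
function loadWidgetIfConsented(win, doc) {
  if (!hasConsent(doc.cookie || "")) return false;
  return loadWidget(win, doc);
}

// Browser wiring: check on page load, and again when the consent banner reports a change.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  loadWidgetIfConsented(window, document);
  document.addEventListener("cookie-consent-updated", () => loadWidgetIfConsented(window, document));
}
```

The important property is the default: with no cookie, an empty cookie, or a cookie that cannot be parsed, nothing is loaded, and a second call after a successful load is a no-op so the script tag is never injected twice. If your consent banner dispatches a different event name, change the listener accordingly.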
3. Clearly disclose cookie use in your privacy policy.
Clearly disclose in your privacy policy how cookies are used, what data they collect, and who has access to this data. This transparency demonstrates your commitment to building trust with your users and safeguarding their health information in accordance with HIPAA.
8. Business Associate Addendum applicability
If your organization handles ePHI, you must sign an Order Form, which will incorporate the BAA. The BAA is published and available for review at www.livechat.com/legal/baa/.
For more details on qualifying for a BAA, please refer to the LiveChat pricing page or contact sales@livechat.com for eligibility and further assistance.
Need more help?
For additional guidance on configuring your LiveChat app for HIPAA and PCI compliance, contact us at sales@livechat.com or chat with our support team. We’re here to assist you in tailoring your LiveChat solution to meet your regulatory needs.