Guide to the BAA | LiveChat Help Center

If you are considering using any of LiveChat services for medical purposes but are not sure if the information that you plan to collect requires a Business Associate Agreement from you, you’ve come to the right place! Together with our Legal department, we prepared a short guide that should tell you if BAA is something that you should consider signing.

Guide to BAA

When considering signing a Business Associate Agreement, there are two major things that you have to consider:

what is Protected Health Information and whether your company is processing the information that falls under this category;
how to make your LiveChat HIPAA and PCI compliant and why it is worth doing so.

Our guide should provide you with answers to both, as well as few additional tips and tricks that you can use to make the processing of your data more secure.

Note that this guide is to be considered as a general overview of BAA document and information that are covered by it. Before deciding whether to sign a BAA, you have to make sure that the agreement and/or the consent will match your business agenda, based on what data are you processing and for what purpose.

What is Protected Health Information?

Protected Health Information (PHI) is understood as:

any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed to a covered entity and/or their business associate(s) in the course of providing a health care service, such as a diagnosis or treatment

If you’d like to have access to it, you will be legally bounded to handle customer data in a way that complies with the HIPAA Privacy and Security Rules. Practically, this information includes the physical or mental health condition of an individual at any point in time. Because of that, information like:

demographic information;
medical histories;
mental health conditions;
test and laboratory results;
insurance information;

and other data that a healthcare professional collects to identify an individual and determine appropriate care (including birthdate, medical conditions, ailments, various treatments and outcomes, and health insurance claims) shall be protected under BAA agreement. This is required even if they are transmitted in a limited scope and whether created or received via mediums like verbal, written, electronically, or otherwise.

Which information is defined by PHI?

To put things in layman’s terms, here’s the list of information that would be better to process under the BAA agreement, if your organization already handles or plan to handle any of them in case of service to, or on behalf of, a covered entity that was created, used or disclosed to a covered entity and/or their business associate(s) in the course of providing a health care service, such as a diagnosis or treatment:

patient names;
addresses — In particular, anything more specific than a state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes;
dates — Including birth, discharge, admittance, and death dates;
telephone and fax numbers;
email addresses;
social Security numbers;
driver’s License information;
medical record numbers;
health plan beneficiary numbers;
certification/license numbers;
vehicle identifiers and serial numbers, including license plate numbers;
device identifiers and serial numbers;
names of relatives;
internet Protocol (IP) address numbers;
biometric identifiers — including finger and voice prints;
full face photographic images and any comparable images.

Of course, not all personally identifiable information is PHI!

So, when does it happen?

Personal data that are not associated with medical records that could endanger individual security are not considered to be PHI. In other words: data records, despite the fact that they might contain personally identifiable information, do not fall into the category of PHI if they are not linked to health records that could compromise individual security.

To summarize

PHI can appear in a number of different documents, forms and ways of communications depending on the purpose of using them within your organization. Here are a few examples of how they may look like:

billing information from a customer’s doctor;
medication or prescription needs of your customers sent via e-mail to a doctor’s office;
appointment scheduling note with your customer doctor’s office;
phone and chat records with medical records;
others, if related to health care service.

Why is it good to be HIPAA compliant?

So, now that you have established whether you belong to the category of covered entities or business associates, it is also worth knowing why it is good to be HIPAA compliant.

Trust and reputation of your company

Neglecting the HIPAA regulations can cost you the trust of your customer and the reputation of your company. HIPAA sets the US standards of protecting the medical records of individuals, to mitigate the security risks that healthcare data is facing everyday. Anyone who has access to patient information and provides support in treatment, payment, or operations, whether in the category of covered entities, business associates and/or subcontractors, must meet HIPAA compliance and have a physical, network, and security measures in place to ensure HIPAA Compliance.

These responsibilities are aligned with the rights granted to patients by law, for the protection of their healthcare records. Patients entrust their data to healthcare organizations, and having BAA signed helps you with keeping data in the appropriate hands – by strengthening security with logins and entrusting control, with authorized access as well as other procedures.

So, how to ensure the HIPAA compliance of your chat?

At LiveChat, we know how important it is to take proper care of your customers’ medical information. That is why we prepared a short manual that will help you make your chat bot HIPAA and PCI compliant. If you’d like to check it out, click here and we will guide you through the rest!