LiveChat: HIPAA and PCI compliance

Wojciech Pollok
11 min read
updated: May 8, 2024

Text, Inc. is dedicated to supporting your compliance with HIPAA regulations by offering exclusive features that let you configure your LiveChat app and widget for HIPAA and PCI purposes.

We have prepared this guide to assist you in customizing your LiveChat app and Chat Widget to meet HIPAA and PCI standards.

All features allowing you to prepare your LiveChat for HIPAA and PCI compliance regulations are available for customers bound by Business Associate Agreement. Learn more about BAA.

Make your chat HIPAA compliant!

Here are the key steps in getting your LiveChat Agent app and Chat Widget ready for HIPAA and PCI regulations:

  1. US data center hosting: Ensure your LiveChat is hosted in our US data center to comply with HIPAA’s territorial data requirements. If you’re not sure where your account is hosted, please reach out to our support team to get a confirmation.
  2. Chat window configuration: Disable chat transcripts sharing in the Customization section to enhance privacy.
  3. LiveChat app settings for agents: Enhance privacy by adjusting settings to anonymize or delete chat transcripts, storing transcripts on your server, and restricting file sharing and ticket form usage. 
  4. Integration check: Scrutinize third-party integrations for compliance.
  5. Access control: Establish IP-restricted addresses and robust password policies for agent logins.
  6. BAA agreement: Sign a business associate agreement available under the qualified threshold.

These actions are essential for protecting the security and privacy of your customers’ health information within the LiveChat app.

1. Make sure your LiveChat account is hosted in the US data center in compliance with HIPAA

Hosting your LiveChat within a US-based data center is essential to adhere to HIPAA’s mandates about keeping personal health information within the US. Therefore, make sure that your LiveChat license is established in our US data center. If you are uncertain, our support team is available 24/7 to assist and provide you with any necessary information regarding your current data center’s location.

2. Conduct a self-configuration of your chat window for HIPAA compliance

By default, the LiveChat widget allows customers to send the transcript of their conversation to any email address they provide. However, for HIPAA and PCI compliance purposes, you should restrict customers from emailing chat transcripts by disabling this option as follows:

  1. Access the Customization section in your Chat widget settings.
  2. Scroll down to the Additional tweaks section of your chat widget customization.
  3. From the list of available tweaks, switch off the Let customers get chat transcripts option. This will prevent your customers from sending the transcript of their conversation to a chosen email address.

Once this adjustment is made, your Chat window will enhance the security of your customer interactions to align with HIPAA and PCI standards. 

Now, let’s focus on adjusting the LiveChat app settings for your agents.

3. Change your LiveChat app settings for agents to align with HIPAA Standards

Text, Inc. does not directly ensure and handle your HIPAA and PCI compliance. You must manually configure your LiveChat solution so that all personal health information is kept entirely on your end and managed securely.

Your self-setup process involves a few steps that contribute to safeguarding your customer’s personal health information within the LiveChat app and the chat widget, ensuring your compliance with HIPAA and PCI guidelines:

Setting up automated chat transcript anonymization once each chat conversation ends

Enable the chat anonymization feature by setting up automated chat transcript anonymization. This maintains your access and lets you take full advantage of LiveChat’s reporting tools while adhering to HIPAA and PCI standards.

To set it up, go to the LiveChat Marketplace, select the Chat Anonymization app, and select Install. Once this step is completed, it will ensure all archived chat transcripts are anonymized automatically.

Set up automatic deletion of chat transcripts after every chat

If you prefer not to keep chat transcripts and not to use LiveChat reporting, activate an automatic deletion for each conversation upon its end. This requires setting up a webhook that deletes chats once they end.

Remember, activating the webhook that will automatically delete each chat conversation will turn off your chat-related reports, as they depend on these conversation records.

To set this up:

  1. First, go to the Webhooks section of your Manage apps settings.
  2. Select Add a webhook.
  3. Configure it to trigger at the end of a chat. You will be prompted with a new webhook configurator. Select chat ends as the webhook event from the list of available settings.
  4. Select chat, visitor, and pre_chat_survey as the webhook’s data type and insert the URL provided for chat removal into the Target URL section of the webhook’s settings:
https://helpers.livechatinc.com/remove-chats/
  5. To finalize, select Add a webhook.

Automatically deleting chat transcripts helps protect your customer’s information and reduces the risk of data breaches on your side.

However, if you prefer to keep chat records, you can opt to store the data exclusively on your end. For guidance on how to do this, refer to the section Set up the storage of chat transcripts on your server, detailed further in our guide.

Review your LiveChat integrations for compliance

The LiveChat app allows you to integrate your license with various third-party solutions. Although these integrations enhance everyday work, you may share your customers’ personal health information with add-ons that might not adhere to HIPAA and PCI guidelines. 

To avoid such situations, we advise you to check your installed integrations. You can find them on the LiveChat Marketplace under the Installed section and remove any that don’t meet the standards.

Don’t forget to examine any third-party connections set up through Webhooks, like those with Zapier, and delete non-compliant ones from the Webhooks settings section.

This step is vital for maintaining the privacy and security of your customer data. 

How do you do that?

  1. First, visit the LiveChat Marketplace.
  2. Navigate to the Installed section.
  3. Here, you can check which integrations your LiveChat is linked to. If you decide that some integrations are not HIPAA- and PCI-compliant, you can uninstall them from your account. To do that, select one of your installed integrations.
  4. On the next screen, select Uninstall app under the ellipsis menu.
  5. All that is left is to check whether your LiveChat is linked with third-party software via webhooks, like Zapier. To do that, visit the Webhooks section of your Integrations settings again.
  6. Check which webhooks your LiveChat is linked to, and if there’s software that is not HIPAA- and PCI-compliant, simply hover your mouse over the webhook’s address and select Delete.

It’s important to note that if you or your agents choose to use AI features in LiveChat, such as AI-generated chat summaries, this may result in data processing and storage by our AI partners, who act as sub-processors selected in line with our Data Processing Addendum. Understanding this aspect of data handling is crucial, particularly for HIPAA compliance requirements, since these partners have their own data retention policies that may not always align with HIPAA standards. As such, we strongly advise that you carefully review their data practices before using AI features in LiveChat to ensure your compliance with HIPAA regulations.

Set up the storage of chat transcripts on your server

Set up your server to collect chat transcripts from LiveChat directly. This automated process ensures that you have full control over the management of your customers’ personal health information after chat conversations end. 

For efficient and direct transfer of chat transcripts to your server, we strongly recommend using webhooks, which provide immediate updates, allowing systems to receive information as soon as an event occurs. Alternatively, there is also an option for transcript forwarding. Please note that in this case transcripts are processed through our email service provider.

Implementing webhooks that retrieve and process the transcripts of your chats might require technical knowledge. If needed, consider one of our certified experts!
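
A minimal receiver for the transcript webhook described above, added here as an example (not LiveChat's or Text, Inc.'s code). The payload shape (top-level `chat`, `visitor` and `pre_chat_survey` objects, with the identifier at `chat["id"]`), the secret URL path, and the `TRANSCRIPT_DIR` and `HOOK_TOKEN` variable names are assumptions.

```python
import hmac, json, os, re, tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

# Assumptions (not from the article): the body is JSON with top-level "chat",
# "visitor" and "pre_chat_survey" objects, and the chat identifier is chat["id"].
STORE = Path(os.environ.get("TRANSCRIPT_DIR", tempfile.gettempdir())) / "transcripts"
SECRET_PATH = "/hook/" + os.environ.get("HOOK_TOKEN", "constructed-example-token")
MAX_BODY = 1_000_000                             # refuse oversized requests
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")     # keeps chat ids from escaping STORE

def store_transcript(raw: bytes, root: Path = STORE) -> Path:
    """Validate one webhook body and write it to a file only the owner can read."""
    event = json.loads(raw)
    chat = event.get("chat") if isinstance(event, dict) else None
    chat_id = chat.get("id") if isinstance(chat, dict) else None
    if not isinstance(chat_id, str) or not SAFE_ID.fullmatch(chat_id):
        raise ValueError("missing or unsafe chat id")
    record = {k: event.get(k) for k in ("chat", "visitor", "pre_chat_survey")}
    root.mkdir(mode=0o700, parents=True, exist_ok=True)
    path = root / f"{chat_id}.json"
    # O_EXCL: a replayed delivery cannot overwrite an existing record.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(record, fh)
    return path

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
            if not hmac.compare_digest(self.path.encode(), SECRET_PATH.encode()):
                status = 403                     # wrong or missing URL token
            elif not 0 < length <= MAX_BODY:
                status = 400                     # empty or oversized body
            else:
                store_transcript(self.rfile.read(length))
                status = 200
        except FileExistsError:
            status = 200                         # duplicate delivery, already stored
        except (ValueError, RecursionError):
            status = 400
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):                # keep request details out of server logs
        pass

if __name__ == "__main__":
    # Local test only; in production terminate TLS in front of this listener.
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

The stored files hold personal health information in clear text, so the directory belongs on an encrypted volume with its own retention and access controls.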

Turn off the ticket form in your LiveChat widget for your customers and website visitors

Deactivating the ticket form in your LiveChat widget prevents customers and website visitors from submitting offline messages, thereby avoiding the collection of their sensitive information when agents are offline. This feature, a part of the older LiveChat version available until June 1, 2023, can be turned off for HIPAA compliance by following these simple steps:

  1. Navigate to the Ticket form section within your Forms settings.
  2. While there, deactivate the ticket form on your LiveChat license. If you’re using the Groups feature, please check if you’re using the ticket form on different groups as well.
  3. Save the changes made to your ticket form section.

Once you save these changes, the ticket form is inactive, thereby safeguarding against the processing of any personal health information left by customers during agent downtime.  

Please note that you and your agents can still use the built-in ticketing system in the LiveChat app, which enables your customers and website visitors to leave messages when agents are offline. However, remember that all communications sent via the ticketing system are processed through our email service provider.

If you’re using HelpDesk tickets, you can disable the ticket form in the HelpDesk app settings. If you’re not, add the best ticketing system to your LiveChat tool!

Disable the option to send and receive files by your agents

To stop your agents from sharing files (sending and receiving):

  1. First, access the File sharing section within your Chat settings.
  2. Uncheck the option for both agents and visitors to prevent file exchanges. Remember to select Save changes.

This action effectively stops file sharing, ensuring that your agents, customers, and website visitors will not receive or send any data files that could cause a breach of the HIPAA and/or PCI regulations.

Limit your LiveChat app’s access to specific locations

Another step you need to take is to restrict access to your LiveChat app, so that your agents can log in only from a specific location. This can be done by setting up a list of allowed IP addresses in your LiveChat’s security settings. 

Here’s how:

  1. Go to the Access restriction section of your LiveChat’s Security settings.
  2. Select the using the specific IP addresses option. In the text area, list the IPs you wish to authorize, like your office’s IP.
  3. Select Save changes to finalize.

And that’s it! This configuration ensures that your agents can only log in to your LiveChat account from these approved locations, and you can rest assured that your account won’t be accessed from unverified locations.

Set up the password policy for your agents

Setting up a strict password policy for your agents should be a mandatory part of your company’s security policy. A good practice is to inform your agents that their passwords should contain at least six characters, with special characters mixed with numbers, and capital and lowercase letters.

In addition, you can enhance security further by enabling one of the advanced login methods we offer, like 2-step verification with Google or Single Sign-on (SSO). This will ensure that agents use a more secure login process.

For 2-step verification with Google:

  1. First, proceed to the 2-Step verification section of your LiveChat’s Security settings.
  2. While there, select Log in with Google to link LiveChat with your Google Account.
  3. After linking, select Use Google Account with 2-Step Verification to log in. To apply your new password policy, select Save changes.

Now, whenever your LiveChat agents try to log in to LiveChat, they will need to use the Sign in with Google option. And that will make their login process much more secure!

4. Signing a business associate agreement

For businesses handling customer personal health information, it’s advisable to sign a business associate agreement (BAA) with us, mandated by HIPAA. For more details on qualifying for BAA, please refer to our pricing page here or reach out at sales@livechat.com.

LiveChat HIPAA compliant: What’s next?

If you’d like to learn more about what steps you should take to self-configure your LiveChat solution for HIPAA and PCI compliance, feel free to initiate a chat or contact us at sales@livechat.com. Our sales team is ready to assist you with the BAA process and help adjust your LiveChat to meet your HIPAA requirements.
