Chatbots are taking over the Internet. Websites from every corner of the World Wide Web utilize these services every day. You might even hear that *pop* sound before you see an automated chatbot message appear. With their rise in popularity, it’s essential to know if a chatbot is HIPAA compliant before you add one to the services you provide your patients. Today we are going to determine if Olark is a safe option for healthcare providers to use.
Olark is a cloud-based live chat solution that enables businesses to interact with customers through their own websites. Per its website, other features of Olark include analytics, automated messaging, custom chat forms, and integration “with your favorite platforms.”
Olark and business associate agreements
A business associate agreement (BAA) is required for HIPAA compliance. It is a written contract between a covered entity and a business associate. Olark does not currently sign BAAs for customers. As stated on the company's blog:
We believe that your coverage under our Terms of Service provides protection comparable with a reasonable BAA (business associate agreement), but do not have a process in place to sign them on a customer-by-customer basis at this time.
However, per the U.S. Department of Health and Human Services (HHS):
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
In other words, a written BAA is a requirement for HIPAA compliance, so Olark’s statement above that its Terms of Service offer comparable protection is not enough to ensure HIPAA compliance.
Protected health information and Olark
Protected health information (PHI) is any information that can identify a patient and is used during patient care. Protecting PHI is essential to maintaining HIPAA compliance. Olark’s Terms of Service state:
Olark will not be liable in any way to End Users, either directly or indirectly. As between Olark and you, you are responsible for ensuring that End Users do not communicate information in violation of law using the Service, and for advising them against transmitting sensitive information using the Service, including but not limited to health/medical information or personally identifiable information of minors.
PHI would be considered sensitive information under these terms. Since Olark accepts no responsibility for protecting it and places the burden on the customer to keep patients from sending it, this is yet another reason healthcare providers should not partner with Olark.
Olark is not HIPAA compliant because it will not sign a BAA.
Reach your patients directly with Paubox Email Suite
Using Olark to communicate with your patients in a HIPAA compliant manner may not be possible, but you can send HIPAA compliant email directly to your patients’ inboxes with Paubox Email Suite. Paubox Email Suite helps ensure that 100% of the emails you send are secure in transit all the way to your recipient’s inbox, with the added benefit of making the experience seamless. As soon as the product is configured, all outbound emails will be encrypted. Our product integrates with your existing email platform (like Google Workspace or Microsoft 365), so you won’t have to worry about changing your email workflow to use it. If you’re looking for data loss prevention (DLP) or email archiving, don’t worry: Paubox Email Suite Premium has you covered. Our Premium service also includes inbound security features that block spam emails containing malware, ransomware, and more. In addition, our patented ExecProtect feature offers protection from display name spoofing emails. For a full description of all our service levels, click here.