Olark is a cloud-based live chat solution that enables businesses to interact with customers through their websites. Many healthcare organizations use chat platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with HIPAA compliant platforms.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Olark states that it is not currently HIPAA compliant and does not have a process in place to sign a BAA with its customers.
What is Olark?
Olark provides a chat and messaging tool that helps organizations deliver support, drive sales, and capture leads. Chats can be easily automated and transcribed and, according to the website, are accessible by design. The platform also integrates easily with other platforms, such as help desks and customer relationship management platforms (CRMs), including Salesforce and Google Analytics.
Moreover, Olark can be situated to provide customers with live or artificial intelligence (AI)-powered assistance, depending on their needs.
SEE ALSO: Is ChatBot HIPAA compliant?
Is Olark considered a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Olark and its ability to be HIPAA compliant. Olark is a business associate of a healthcare organization if any PHI, like a name or appointment date, is shared in a chat.
Olark and the BAA
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In a 2020 blog, we stated that Olark would not sign a BAA for its healthcare customers. On a web page that addresses HIPAA, Olark stated, “We believe that your coverage under our Terms of Service provides protection comparable with a reasonable BAA (business associate agreement).”
The company then adds that it does “not have a process in place to sign them on a customer by customer basis at this time.” The web page is still accessible; Olark will still not sign a BAA.
RELATED: How to know if you're a business associate
Olark, chat messaging, and data security
While HIPAA doesn't explicitly mention chat technology, it does impose rules for protecting sensitive patient data. Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. With the increasing importance of data privacy and security, healthcare vendors that collect, store, or process PHI are subject to HIPAA regulations.
Chat options are great at opening a direct communication line with potential and current patients. Many website and chat tools are available, but not all meet HIPAA requirements of encryption, data backup, and access controls. While Olark believes that its services provide reasonable HIPAA coverage, its terms of service seem to contradict this.
According to its terms, “Olark will not be liable in any way to End Users, either directly or indirectly. As between Olark and you, you are responsible for ensuring that End Users do not communicate information in violation of law using the Service, and for advising them against transmitting sensitive information using the Service, including but not limited to health/medical information or personally identifiable information of minors.”
In other words, Olark is not responsible for any PHI involved in a breach.
LEARN ABOUT: The best HIPAA compliant live chat options
Is Olark HIPAA compliant?
The BAA is a necessary component of HIPAA compliance and Olark will still not sign a BAA for healthcare customers.
Conclusion: Olark may not be HIPAA compliant.
Understanding HIPAA compliance
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:
- Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
- Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
- Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
- Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.
Kapua Iao
