Prepare LiveChat app and widget for HIPAA and PCI standards

Text, Inc. is dedicated to supporting your compliance with HIPAA regulations by offering exclusive features that let you configure your LiveChat app and widget for HIPAA and PCI purposes.

We have prepared this guide to assist you in customizing your LiveChat app and Chat Widget to meet HIPAA and PCI standards.

Here are the key steps in getting your LiveChat Agent app and Chat Widget ready for HIPAA and PCI regulations:

1. US data center hosting: Ensure your LiveChat is hosted in our US data center to comply with HIPAA’s territorial data requirements. If you’re not sure where your account is hosted, please reach out to our support team to get a confirmation.
2. Chat window configuration: Disable chat transcripts sharing in the Customization section to enhance privacy.
3. LiveChat app settings for agents: Enhance privacy by adjusting settings to anonymize or delete chat transcripts, storing transcripts on your server, and restricting file sharing and ticket form usage. 
4. Integration check: Scrutinize third-party integrations for compliance.
5. Access control: Establish IP-restricted addresses and robust password policies for agent logins.
6. BAA agreement: Sign a business associate agreement available under the qualified threshold.

These actions are essential for protecting the security and privacy of your customers’ health information within the LiveChat app.

1. Make sure your LiveChat account is hosted in the US data center in compliance with HIPAA

Hosting your LiveChat within a US-based data center is essential to adhere to HIPAA’s mandates about keeping personal health information within the US. Therefore, make sure that your LiveChat license is established in our US data center. If you are uncertain, our support team is available 24/7 to assist and provide you with any necessary information regarding your current data center’s location.

2. Conduct a self-configuration of your chat window for HIPAA compliance

By default, LiveChat widget allows customers to send the transcript of their conversation to any email address they provide. However, for HIPAA and PCI compliance purposes, you should restrict customers from emailing chat transcripts by disabling this option as follows:

1. Access the Customization section in your Chat widget settings.

2. Scroll down to the Additional tweaks section of your chat widget customization.

3. From the list of available tweaks, switch off the Let customers get chat transcripts option. This will prevent your customers from sending the transcript of their conversation to a chosen email address.

Once this adjustment is made, your Chat window will enhance the security of your customer interactions to align with HIPAA and PCI standards. 

Now, let’s focus on adjusting the LiveChat app settings for your agents.

3. Change your LiveChat app settings for agents to align with HIPAA Standards

Text, Inc. does not directly ensure and handle your HIPAA and PCI compliance. You must manually configure your LiveChat solution so that all personal health information is kept entirely and managed securely on your end: 

Your self-setup process involves a few steps that contribute to safeguarding your customer’s personal health information within the LiveChat app and the chat widget, ensuring your compliance with HIPAA and PCI guidelines:

• Setting up automated chat transcript anonymization or deletion of chat transcripts immediately after every conversation.
• Storing chat transcripts directly on your server.
• Reviewing and adjusting your LiveChat integrations for compliance.
• Deactivating the ticket form available to your customers and website visitors.
• Disabling file sharing for your agents.
• Limiting access to your LiveChat app to specific locations.
• Enforcing a strong password policy for your agents.

Setting up automated chat transcript anonymization once each chat conversation ends

Enable the chat anonymization feature by setting up automated chat transcript anonymization. This maintains your access and allows full advantage of LiveChat’s reporting tools capabilities while adhering to HIPAA and PCI standards.

To set it up, go to the LiveChat Marketplace, select the Chat Anonymization app, and select Install. Once this step is completed, it will ensure all archived chat transcripts are anonymized automatically.

Set up automatic deletion of chat transcripts after every chat

If you prefer not to keep chat transcripts and not to use LiveChat reporting, activate an automatic deletion for each conversation upon its end. This requires setting up a webhook that deletes chats once they end.

To set this up:

1. First, go to the Webhooks section of your Manage apps settings.

2. Select Add a webhook.

3. Configure it to trigger at the end of a chat. You will be prompted with a new webhook configurator. Select chat ends as the webhook event from the list of available settings.

4. Select chat, visitor, and pre_chat_survey as the webhook’s data type and insert the URL provided for chat removal in the webhook’s settings into the Target URL section:

https://helpers.livechatinc.com/remove-chats/

5. To finalize, select Add a webhook.

Automatically deleting chat transcripts helps protect your customer’s information and reduces the risk of data breaches on your side.

However, if you prefer to keep chat records, you can opt to store the data exclusively on your end. For guidance on how to do this, refer to the section Set up the storage of chat transcripts on your server, detailed further in our guide.

Review your LiveChat integrations for compliance

The LiveChat app allows you to integrate your license with various third-party solutions. Although these integrations enhance everyday work, you may share your customers’ personal health information with add-ons that might not adhere to HIPAA and PCI guidelines. 

To avoid such situations, we advise you to check your installed integrations. You can find them on the LiveChat Marketplace under the Installed section and remove any that don’t meet the standards.

Don’t forget to examine any third-party connections set up through Webhooks, like those with Zapier, and delete non-compliant ones from the Webhooks settings section.

This step is vital for maintaining the privacy and security of your customer data. 

How do you do that?

1. First, visit the LiveChat Marketplace.

2. Navigate to the Installed section.

3. Here, you can check which integrations your LiveChat is linked to. If you decide that some integrations are not HIPAA- and PCI-compliant, you can uninstall them from your account. To do that, select one of your installed integrations.

4. On the next screen, select Uninstall app under the ellipsis menu.

5. All that is left is to check whether your LiveChat is linked with third party software via webhooks, like Zapier. To do that, visit the Webhooks section of your Integrations settings again.

6. Check which webhooks your LiveChat is linked to, and if there’s software that is not HIPAA- and PCI-compliant, simply hover your mouse over the webhook’s address and select Delete.

It’s important to note that if you or your agents choose to use AI features in LiveChat, such as AI-generated chat summaries, this may result in data processing and storage by our AI partners, who act as sub-processors selected in line with our Data Processing Addendum. Understanding this aspect of data handling is crucial, particularly for HIPAA compliance requirements, since these partners have their own data retention policies that may not always align with HIPAA standards. As such, we strongly advise that you carefully review their data practices before using AI features in LiveChat to ensure your compliance with HIPAA regulations.

Set up the storage of chat transcripts on your server

Set up your server to collect chat transcripts from LiveChat directly. This automated process ensures that you have full control over the management of your customers’ personal health information after chat conversations end. 

For efficient and direct transfer of chat transcripts to your server, we strongly recommend using webhooks, which provide immediate updates, allowing systems to receive information as soon as an event occurs. Alternatively, there is also an option for transcripts forwarding. Please note that transcripts are processed through our email service provider in this case.

Turn off the ticket form in your LiveChat widget for your customers and website visitors

Deactivating the ticket form in your LiveChat widget prevents customers and website visitors from submitting offline messages, thereby avoiding the collection of their sensitive information when agents are offline. This feature, a part of the older LiveChat version available until June 1, 2023, can be turned off for HIPAA compliance by following these simple steps:

1. Navigate to the Ticket form section within your Forms settings.

2. While there, deactivate the ticket form on your LiveChat license. If you’re using the Groups feature, please check if you’re using the ticket form on different groups as well.

3. Save the changes made to your ticket form section.

Once you save these changes, the ticket form is inactive, thereby safeguarding against the processing of any personal health information left by customers during agent downtime.  

Please note that you and your agents can still use the built-in ticketing system in LiveChat app, which enables your customer and website visitors to leave messages when agents are offline. However, remember that all communications sent via the ticketing system are processed through our email service provider.

Disable the option to send and receive files by your agents

To stop your agents from sharing files (sending and receiving):

1. First, access the File sharing section within your Chat settings.

2. Uncheck the option for both agents and visitors to prevent file exchanges. Remember to select Save changes.

This action effectively stops file sharing, ensuring that your agents, customers, and website visitors will not receive or send any data files that can cause you a breach of the HIPAA and/or PCI regulations.

Limit your LiveChat app’s access to specific locations

Another step you need to take is to restrict access to your LiveChat app, so that your agents can log in only from a specific location. This can be done by setting up a list of allowed IP addresses in your LiveChat’s security settings. 

Here’s how:

1. Go to the Access restriction section of your LiveChat’s Security settings.

2. Select the using the specific IP addresses. List the IPs you wish to authorize in the text area, like your office’s IP.

3. Select Save changes to finalize.

And that’s it! This configuration ensures that your agents can only log in to your LiveChat account from these approved locations, and you can rest assured that your account won’t be accessed from unverified locations.

Set up the password policy for your agents

Setting up a strict password policy for your agents should be a mandatory concern for your company’s security policy. The good practice would be to inform your agents that their passwords should contain at least six signs, with special characters mixed with numbers, and capital and lowercase letters.

In addition, you can enhance security further by enabling one of the advanced login methods we offer, like 2-step verification with Google or Single Sign-on (SSO). This will ensure that agents use a more secure login process.

For 2-step verification with Google:

1. First, proceed to the 2-Step verification section of your LiveChat’s Security settings.

2. While there, select Log in with Google to link LiveChat with your Google Account.

3. After linking, select Use Google Account with 2-Step Verification to log in. To apply your new password policy, select Save changes.

Now whenever your LiveChat agents try to log in to LiveChat, they will need to use the sign in with the Google option. And that will make their login process much more secure!

4. Signing a business associate agreement

For businesses handling customer personal health information, it’s advisable to sign a business associate agreement (BAA) with us, mandated by HIPAA. For more details on qualifying for BAA, please refer to our pricing page here or reach out at sales@livechat.com.

LiveChat HIPAA compliant: What’s next?

If you’d like to learn more about what steps you should take to self-configure your LiveChat solution for HIPAA and PCI compliance, feel free to initiate a chat or contact us at sales@livechat.com. Our sales team is ready to assist you with the BAA process and help adjust your LiveChat to meet your HIPAA requirements.