How should you configure your Comm100 account for HIPAA Compliance

We have taken the necessary steps to ensure that our policies and procedures for data handling meet HIPAA standards. If you need a HIPAA-compliant service, first, contact us for the account setup. Once we set up the account, you will then have to configure your Comm100 account as below:

Account Security Hardening Configuration

1. Password Policy

• Password must contain at least 8 characters
• Password cannot be the same as the 4 previous passwords
• Password expires in 90 days and must be changed before login
• Check the option: Password must contain three of the four types of characters: uppercase, lowercase, numeric and special (such as $, &, #, @ etc)
• Check the option: Password cannot contain the agent’s username
• Password cannot be changed more than once within 24 hours (optional)
• Check the option: Password cannot be commonly used password phrases, such as 123456, password, and qwerty
• Account will be locked after 6 failed login attempts.

2. IP Restrictions

Only agents from authorized IP or IP range can access Control Panel and Agent Console. Enable this from Global Settings > Security > IP Allowlist.

3. Two-Factor Authentication (2FA)

On successfully setting up the 2FA, agents need to input the six-digit passcode generated by the 2FA authenticator app to log into Comm100 account. The setup is performed by each agent individually, which can be located from lower left corner avatar -> profile name -> Security Settings.

What you need to set up:

1. Auto Logout

If agents are inactive, meaning they don’t have any mouse or keyboard input for a certain time, the system will automatically sign them out of the Agent Console. This is to prevent unwanted access when the App is left open on a device. Set this for each of your agents on the Agent Console Preferences > Global.

2. Disable the Allow visitors to download chat transcripts, Allow visitors to print chat transcripts, and Allow visitors to email chat transcript options.

After disabling the download, print, and email chat transcripts options on the visitor side, visitors will lose access to requests for chat transcripts being sent to their email address(es), print, or download on their system.

3. Disable Automatically email chat transcripts for archiving or followup

4. Disable the permission of sending chat transcripts to specified email address(es) for all non-admins (By default, admins have this permission)

5. If you are using Webhook, all webhook target URL needs to start with https instead of http.

Features that may not be HIPAA compliant

There are some features that your team can use, but they are not HIPAA compliant. To ensure your account abides by the HIPAA standards, advise your team against using them or use only after proper configuration.

1. Agent Chat

Agent Chat enables agents to have 1-1 chats with each other. Although the chat communication is among your team, not your clients, we are not able to avoid agents sharing any PHI information in it.

2. Social and SMS

Social and SMS allow your visitors to reach you via channels of Facebook, Twitter, WeChat, WhatsApp, LINE, Telegram, Instagram, Signal, and SMS. This feature requires you to integrate your Social or SMS accounts with the Comm100 system. Comm100 implemented security & privacy controls to ensure all the systems meet HIPAA compliance requirements. But the fact is that, for an SMS to be HIPAA compliant, both the sender and the recipient should be authorized users of a secure messaging system that enables them to access and transmit ePHI as required. However, currently, almost all SMS messaging platforms aren’t HIPAA Compliant. Most SMS messages are not encrypted, can’t be recalled when delivered to the incorrect recipient, and may be intercepted when using public or open Wi-Fi networks. The same reasons apply to Facebook, Twitter, WhatsApp, LINE, Telegram, Instagram, Signal, and WeChat.

3. Screen Sharing

Screen Sharing allows you to view your visitor’s web browser, application, or entire screen in real-time. Before the visitor agrees to share their screen, the system will notify them to select the appropriate screen where no confidential or sensitive information is displayed.

4. Ticketing

The ticketing system provides you with a convenient way of client communication. This service requires you to integrate email accounts with the Comm100 system. Communications between you and your clients are done by emails that may contain ePHI. For each email, it may cross the Internet multiple times and it’s stored on at least four different machines (sender’s workstation, sender’s email server, recipient’s email server, and recipient’s workstation), which makes it quite difficult to properly secure it.

Generally, free and internet-based webmail services (Gmail, Hotmail, AOL) are not secure for the transmission of ePHI, so you should not use these services. You should use business email platforms like G Suite and Office 365. If you are determined to use an internet-based email service, ensure to sign a BAA with them. For your recipients, only if they confirm that they want the unencrypted email (after you inform them their email client may not be secure), you can send it via a secure email service.

5. Audio & Video Chat

The Audio & Video Chat feature in Comm100 Live Chat enables your agents and your customers to talk over chat at any time.

6. Voice Bot

Voice bots are chatbots operating in voice channels. They can understand speech and talk with people like a human agent. Like chatbots, voice bots can run automated chat flows for various purposes, put data into your Customer Relationship Management (CRM) and transfer calls to the appropriate agents.