HIPAA Compliance

The U.S. Health Insurance Portability and Accountability Act (HIPAA), as amended, including the Health Information Technology for Economic and Clinical Health (HITECH) Act, is a U.S. federal law that governs the security and privacy of individuals’ protected health information (PHI).

HIPAA mandates that covered entities (healthcare providers, health plans, and healthcare clearinghouses) comply with the regulatory requirements safeguarding PHI. In addition, business associates that perform services for these covered entities that involve the use or disclosure of PHI must provide contractual assurance through a Business Associate Agreement (BAA) that they can adhere to the same security and privacy standards as covered entities.

Since Kustomer does not hold the Designated Record Set, nor does it store, transmit, or otherwise process electronic PHI (ePHI) as part of normal business operations, Kustomer’s status is limited to that of a business associate. The HIPAA requirements for a business associate are met through internal HIPAA audits.

Customers of Kustomer who are subject to HIPAA must review and accept the Kustomer BAA, which certifies that Kustomer is in compliance with HIPAA requirements and will:

  • Provide covered entities and their business associates appropriate security configuration options to ensure the confidentiality, integrity, and availability of ePHI
  • Protect ePHI against reasonably anticipated threats, hazards, and impermissible disclosures
  • Use ePHI only to help covered entities conduct their healthcare functions

Please contact your Kustomer Account Executive if you would like to request the BAA or have any questions on how to set up a HIPAA-enabled account.


Plans


Kustomer Enterprise Subscription (with HIPAA add-on package)

Kustomer Ultimate Subscription (with HIPAA add-on package)


Channels


Kustomer Chat (including Customer Assist and AI Agents)

Kustomer Voice (including AI Agents)

Kustomer SMS (including AI Agents)

Kustomer Web Forms (Email Hooks are not HIPAA Compliant)

Kustomer Gmail (Requires covered entity to sign BAA with Gmail directly)


Apps / Integrations


Third-party apps and integrations supported by Kustomer may be HIPAA compliant, but clients must sign a BAA directly with the app provider and confirm with that third party that ePHI is transmitted to and from Kustomer (whether through APIs or webhooks) in a HIPAA-compliant manner. The Android and iOS Mobile SDKs support HIPAA compliance.


Security Configurations


Disclaimer: This document contains Kustomer’s recommendations for the minimum effective security configurations for the protection of PHI within the Kustomer products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data, nor does it constitute legal advice. Each client should seek its own legal counsel with regard to its HIPAA compliance requirements and should make additional changes to its security configurations as warranted, so long as such changes do not counteract or degrade the security of the configurations outlined in this document.

All capitalized terms used in this document shall have the meanings given to them in Kustomer’s Business Associate Agreement (“BAA”).

For clients who have signed Kustomer’s BAA, the following Security Configurations for Kustomer must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):

  1. Secure Agent authentication by enabling one of the Kustomer SSO Authentication options. A single sign-on solution (Google SSO, Microsoft 365, or your own IDP via SAML) is required, together with enforcement of the following:
    • Multi-factor authentication for all Agent and Admin access via your IDP of choice.
    • Password policy that reflects your organization’s HIPAA requirements.
  2. API Keys
    • Must be restricted to specific CIDR IP address ranges, with limited authorized roles specific to that API access.
    • If API access is only required for a limited amount of time, keys must be configured with an expiration date.
    • Create unique tokens for each service / use-case being integrated.
    • Do not share API keys with any third party unless reasonably required.
    • Ensure keys are managed and maintained in accordance with your organization’s relevant Key Management policies and procedures.
  3. The client must set the “Idle Timeout” setting, found under Settings > Administration > Organization, to a maximum of fifteen (15) minutes of agent inactivity.
  4. Clients are responsible for redacting sensitive information prior to correspondence with Kustomer Support. The client acknowledges that Kustomer Support is not responsible for securing email transmissions from End-Users and related Client Materials, prior to being received into the client’s Kustomer instance. This includes any PHI that may be passed through email via replies to Kustomer Support conversations, including but not limited to, messages and attachments.
  5. The client must not use the inline images feature of the platform for sending content with PHI.
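The checklist above can be turned into a repeatable audit. The script below is an added example, not Kustomer’s own code or tooling; the record layout (key name, CIDR list, roles, expiration date, idle timeout) is a constructed stand-in for however an admin exports these settings, and the wildcard role "*" and the /8 threshold are constructed conventions.

```python
"""Audit an account record against the HIPAA security configuration checklist above."""
import ipaddress
from datetime import date

MAX_IDLE_MINUTES = 15   # checklist item 3: idle timeout of at most 15 minutes
MIN_PREFIXLEN = 8       # constructed threshold: wider than /8 counts as "not restricted"

# Constructed sample account: one well-scoped key and one that breaks several rules.
SAMPLE_ACCOUNT = {
    "idle_timeout_minutes": 30,
    "api_keys": [
        {"name": "crm-sync", "cidrs": ["203.0.113.0/24"],
         "roles": ["customers.read"], "expires": "2030-06-30"},
        {"name": "legacy-bot", "cidrs": ["0.0.0.0/0"],
         "roles": ["*"], "expires": "2020-01-01"},
    ],
}

def audit_key(key, today):
    """Return findings for one API key; `today` is an ISO date string."""
    name, findings = key["name"], []
    cidrs = key.get("cidrs") or []
    if not cidrs:
        findings.append(f"{name}: not restricted to any CIDR range")
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{name}: unparsable CIDR {cidr!r}")
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            findings.append(f"{name}: CIDR {cidr} is effectively unrestricted")
    if "*" in key.get("roles", []):   # constructed wildcard role, i.e. not a limited role set
        findings.append(f"{name}: wildcard role instead of a limited role set")
    expires = key.get("expires")
    if expires is None:
        findings.append(f"{name}: no expiration date (required if access is temporary)")
    elif date.fromisoformat(expires) < date.fromisoformat(today):
        findings.append(f"{name}: expired on {expires}, revoke it")
    return findings

def audit_account(account, today=None):
    """Apply the whole checklist; an empty list means no findings."""
    today = today or date.today().isoformat()
    findings = []
    idle = account.get("idle_timeout_minutes")
    if idle is None or idle > MAX_IDLE_MINUTES:
        findings.append(f"idle timeout is {idle}, must be at most {MAX_IDLE_MINUTES} minutes")
    for key in account.get("api_keys", []):
        findings.extend(audit_key(key, today))
    return findings

if __name__ == "__main__":
    for line in audit_account(SAMPLE_ACCOUNT):
        print("FINDING:", line)
```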

Encryption


Data at Rest:
  • Customer data, conversations, messages, custom object data (kobjects), and internal notes.
  • Search data.
  • Internal log systems.
  • Backup services.
  • Attachment data.

Data in Transit:
  • Externally accessible endpoints for our application and APIs.
  • Internal service-to-service communications.
  • Internal event publish/subscribe communications.
  • AWS resource communications, such as SNS, SQS, and S3 buckets.
  • Communications with external services, including HIPAA-compliant vendors and business associates.

For more information regarding encryption and how Kustomer secures its system, please refer to the Kustomer Security Datasheet and other documents on the Kustomer Trust Center.
