When is a chatbot HIPAA-compliant?

Vagelis Hristidis
2 min read, Oct 26, 2018

Chatbots have become ubiquitous, largely because of the popularity of messaging platforms (Messenger, WhatsApp) and advances in artificial intelligence and deep learning.

Chatbot companies have been popping up like mushrooms (intercom.com, drift.com and manychat.com, to mention just a few).

These companies let you deploy chatbots on several channels, mostly Web pages and Facebook Messenger, but also WhatsApp or SMS.

But are these chatbots HIPAA-compliant? Or can they be easily made to be HIPAA-compliant?

The answer is no, for several reasons.

A key reason, for most of these channels (SMS, Messenger and WhatsApp included), is that the channels themselves are not HIPAA-compliant: the healthcare provider has no control over the data once it enters the channel, and the channel operator typically will not sign a Business Associate Agreement (BAA) covering it. For example, Messenger conversations are not end-to-end encrypted by default, so Facebook employees may be able to read your messages, or the messages may be stored there in unencrypted form. SMS messages are not end-to-end encrypted either (the carriers handle them in plaintext), and they can be read easily by anyone who has access to the phone, since they are not password-protected on their own.

This basically leaves Web-based bots as the only ones that could potentially be HIPAA-compliant.

For a Web bot to be HIPAA-compliant, the chatbot platform must meet all of the HIPAA Security Rule requirements: encryption in transit and at rest, strong authentication and access controls, audit logging, workforce training, and so on. The platform vendor must also sign a BAA with the healthcare provider, since it handles protected health information on the provider's behalf.

At the time this post was written, searching through public internet pages, we could locate only a single company that offers HIPAA-compliant chatbots, SmartBot360. Specifically, SmartBot360 has a very informative page on how it achieves HIPAA-compliant chatbots across several media.
