HIPAA Compliance
Last updated: June 6, 2025
We handle support tickets, and if you're a healthcare company, those support tickets may contain PHI and are subject to HIPAA regulations. This article will help you understand the options Pylon provides to maintain HIPAA compliance.
Do you need HIPAA compliance?
Before you even embark on the journey of tightening up Pylon for HIPAA compliance, ask yourself whether you even need Pylon to be HIPAA compliant.
Understand whether PHI is actually transferred over support tickets, or whether your customers can submit tickets without PHI. If not, you can save yourself the time and headache of tightening up Pylon. Otherwise, feel free to read on.
Signing a BAA
Because we're a sub-processor of yours, you will need to sign a BAA with us. We provide a BAA for Enterprise tier customers and are happy to sign one with you so that you're covered under HIPAA. Reach out to your AE or CSM for details.
Data Controls
Sometimes PHI comes into Pylon that you don't want in our system. We have granular redaction mechanisms to help you remove that data. See this article for more details: How does message redaction work for protecting PII?
HIPAA Compliant Email
Email is not necessarily a HIPAA compliant communication channel. Here's a handful of things to keep in mind and do before it can become compliant. And of course, don't take a random help article as gospel; you should always consult your lawyer.
Your Email Provider
First off, for email to be compliant on your end, you must sign a BAA with your email provider (e.g. Google or Microsoft). These are readily available if you search for them online.
Your Sub-processor's Email Provider
On your customer/vendor/partner's side, if you pass PHI to them, then they must also sign a BAA with their email provider. The exception is when they are the data subject or the insurance provider: they don't need to release liability for their own data.
Technically, after signing a BAA with a sub-processor you are not responsible for their HIPAA compliance. In practice, though, you probably don't want to expose yourself to extra risk if your sub-processor's email provider is not covered.
Emails in transit
Now, between you and your sub-processor, you need to ensure the transfer of PHI is HIPAA compliant. To do this, emails must be TLS encrypted in transit. Both your email client and your customer's email client must have this enabled.
Thankfully, the vast majority of email clients weren't built in the stone age and do this by default. Unfortunately, some healthcare systems were set up in the stone age, so it's still a possibility (looking at you, clinic that set up its mailserver in the 90s 👀).
Here's where Pylon comes in. Before we send an email, we ping your customer's mailserver to check that TLS is enabled. If it is, we safely send the email with the PHI. If they don't have TLS enabled, we can move on to the Customer Portal flow instead.
Customer Portal for Non-Compliant Customers
If 1) your customer does not have TLS enabled, or 2) they do not have a BAA with their email provider, then you can use our HIPAA-compliant email flow.
For this flow to work, you must have the Customer Portal enabled. What this entails is that when you reply to an email, instead of putting the body in the reply, we post the reply to the Customer Portal and send an email directing them to log in to the portal to see your reply. In doing so, no PHI ever hits their non-compliant email client, and therefore the whole flow stays HIPAA compliant. Spectacular.
Let us know if you need us to turn this on.
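As an added illustration of the routing decision described above (this is example code, not Pylon's implementation), the snippet below checks whether a recipient's mail server advertises STARTTLS and, going one step further than the article's "TLS is enabled" check, actually negotiates TLS with certificate verification before treating the hop as safe; any PHI reply that fails that check, or whose recipient has no BAA with their email provider, is routed to the portal flow. All function names, the decision labels and the EHLO replies are hypothetical and constructed; only probe_recipient_tls needs network access.

```python
import smtplib
import ssl


def parse_ehlo_extensions(ehlo_msg: bytes) -> set:
    """Return the lowercase extension keywords from an EHLO reply.

    smtplib.SMTP.ehlo() returns (code, msg); msg holds the reply lines joined
    by '\\n' with the 250 codes stripped, and the first line is the server's
    own greeting rather than an extension, so it is skipped.
    """
    lines = ehlo_msg.decode("latin-1").split("\n")[1:]
    return {line.split(None, 1)[0].lower() for line in lines if line.strip()}


def advertises_starttls(ehlo_msg: bytes) -> bool:
    return "starttls" in parse_ehlo_extensions(ehlo_msg)


def probe_recipient_tls(mx_host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check (hypothetical helper, needs network): "tls_verified" when STARTTLS is
    offered and a handshake with certificate verification succeeds, "tls_unverified"
    when it is offered but the handshake fails, "no_tls" when absent or unreachable."""
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250 or not advertises_starttls(msg):
                return "no_tls"
            try:
                # Default context verifies the chain and hostname; a bare STARTTLS
                # advertisement alone says nothing about who is on the other end.
                smtp.starttls(context=ssl.create_default_context())
                return "tls_verified"
            except (OSError, smtplib.SMTPException):
                return "tls_unverified"
    except (OSError, smtplib.SMTPException):
        return "no_tls"


def choose_delivery(tls_status: str, recipient_has_provider_baa: bool) -> str:
    """PHI goes out by plain email only if the hop is TLS-verified AND the recipient
    has a BAA with their email provider; otherwise fall back to the portal flow."""
    if tls_status == "tls_verified" and recipient_has_provider_baa:
        return "direct_email"
    return "customer_portal"


# Constructed EHLO replies (not captured from any real server).
MODERN_EHLO = b"mx.example-clinic.test Hello\nSIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES"
LEGACY_EHLO = b"mail.oldclinic.test\nSIZE 10240000\n8BITMIME"
```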