HIPAA Compliance

The U.S. Health Insurance Portability and Accountability Act (HIPAA), as amended, including Health Information Technology for Economic and Clinical Health (HITECH) Act, is U.S. federal law that governs the security and privacy of individuals’ protected health information (PHI).

HIPAA mandates that covered entities (healthcare providers, health plans, and healthcare clearinghouses) comply with the regulatory requirements safeguarding PHI. In addition, business associates that perform services for these covered entities that involve the use or disclosure of PHI must provide contractual assurance through a Business Associate Agreement (BAA) that they can adhere to the same security and privacy standards as covered entities.

Since Kustomer is not a holder of the Designated Record Set, nor does it store, transmit, or otherwise process electronic PHI (ePHI) as part of normal business operations, Kustomer is limited to the status of a business associate. The HIPAA requirements for a business associate are met through internal HIPAA audits.

Customers of Kustomer who are subject to HIPAA must review and accept the Kustomer BAA, which certifies that Kustomer is in compliance with HIPAA requirements and will:

• Provide covered entities and their business associates appropriate security configuration options to ensure the confidentiality, integrity, and availability of ePHI
• Protect ePHI against reasonably anticipated threats, hazards, and impermissible disclosures
• Use ePHI only to help covered entities conduct their healthcare functions

Plans

Kustomer Enterprise Subscription
Kustomer Ultimate Subscription

Apps / Integrations

Kustomer AWS Connect Voice (Requires covered entity sign BAA with AWS)
Kustomer Chat
Kustomer Gmail App (Requires covered entity sign BAA with Gmail directly)
Kustomer Web & Form Hooks (Email Hooks are not HIPAA Compliant)

Mobile SDKs

Kustomer Android Mobile SDK version 0.1.31 or later
Kustomer iOS Mobile SDK version 0.1.38 or later

Security Configurations

To review our security configuration requirements for HIPAA Enabled Accounts, please note below (note that our security configurations may change from time to time due to changes in law and regulation and changes to the Kustomer Service). For further security information, please contact security@kustomer.com. Please contact your Kustomer account executive if you would like to request the BAA or have any questions on how to set up a HIPAA-enabled account.

All capitalized terms used in this document shall have the meanings given to them in Kustomer’s Business Associate Agreement (“BAA”).

For subscribers who have signed Kustomer’s BAA, the following Security Configurations for Kustomer must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):

1. Secure Agent authentication through enabling one of the Kustomer SSO Authentication options. Utilizing an external “single-sign on” solution including SAML providers or Google SSO and enforcement of the following is required:

a. 2-factor authentication within the selected solution for all Agent and Admin access.
b. Password policy that meets complexity, age, length and reuse that protects accounts from misuse.

2. API Keys

a. Must be restricted to specific CIDR IP addresses with limited authorized roles specific to that API access.
b. If API access is only required for a limited amount of time, keys must be configured with an expiration date.
c. Create unique tokens for each service / use-case being integrated.
d. Do not share API keys with any third-party unless reasonably required
e. Acknowledge that if an API key is shared with a third-party, and the Subscriber is (i) made aware of a third-party data breach, the Subscriber will rotate the associated key immediately; (ii) and at a minimum, rotate the key once every one hundred and eighty (180) days

3. The Subscriber must set the “Idle Timeout” setting, found under Settings > Administration > Organization, to a maximum of fifteen (15) minutes of agent inactivity.

4. The Subscriber must systematically enforce, on all Agents, Admins, and Owners accessed endpoints, a password-locked screensaver or startup screen set to engage at a maximum of fifteen (15) minutes of system inactivity.

5. The Subscriber acknowledges that Kustomer Support is not responsible for securing email transmissions from End-Users and related Service Data, prior to being received into the Subscriber’s Kustomer Support instance. This includes any PHI that may be passed through email via replies to Kustomer Support conversations, including but not limited to, messages and attachments.

6. Mobile notifications that allow conversation comments to appear on lock screens of devices must be disabled unless push notification preview customization functionality is used to redact ePHI.

7. The Subscriber must not use the inline images feature of the platform for sending content with PHI.

Disclaimer: Due to changes in law or regulation or changes in the Kustomer Service, the security configurations in this document may change from time to time. This document contains Kustomer’s recommendations for the minimum effective security configurations for the protection of PHI within the Kustomer products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor constitutes legal advice. Each Kustomer subscriber should seek its own legal counsel with regard to its HIPAA compliance requirements and should make the additional changes to its security configurations as warranted, so long as such changes do not counteract or degrade the security of the configurations outlined in this document.

Encryption

Data is encrypted for all data stored at rest using AES-256, this includes:

• All data stored within our database including customers, conversations, messages, kobjects (custom object data), and internal notes.
• All search data
• All internal log systems
• Backups Services
• All Attachment Data

Data is encrypted in transit using AES-256 for all internal and external services including:

• All externally accessible endpoints to our application / apis
• All internal service to service communication
• All internal event publish/subscribe communication
• All AWS resource communication including SNS, SQS, S3 buckets
• All external service communication to/from HIPAA-compliant vendors / business associates

Related Security Product Features

Audit Logs – Queryable Audit Logs for all users of your Kustomer Account