3 Patient Engagement Tools to Boost Your Bottom Line

Patient Engagement Tools Drive Revenue from Your Existing Patient Base

Turn customer care into sales by educating your existing patients about your full range of products and services. When you engage with patients more often, you not only increase their loyalty, but also open up opportunities to uncover and resolve additional pain points. And it’s surprisingly simple with the right patient engagement tools.

Existing patients might not be aware of all that you have to offer. It’s up to you to guide them. As existing patients surf your site for one service (e.g. types of insurance you take), suggest an additional, helpful product offering — like a complimentary session with an in-house Physical Therapist. Because you’re offering additional value, patients are more likely to respond.

Educate patients about your services and ask them for feedback


Goal: Engage with existing patients more often to drive revenue from your existing patient base.
How: Introduce your existing patients to your products and services anytime they visit your site with patient engagement tools.
Outcome: Expand product sales to existing patients and provide a more robust patient experience.

Patient Tools Quickstarter Toolkit

  1. Reinforce patient support with Info Capture Bot to enhance your ability to engage with site traffic at all hours. When team members are online, they’ll continue having conversations as usual. When they are offline, the Info Capture Bot will be the front line of defense. You can now boast 24/7 support.
  2. Seamlessly introduce existing patients to additional services with the chat transfer command. You can enable agents to transfer chats to any department. Because no chat conversation data is lost upon transfer, the receiving agent can pick up right where the previous agent stopped.
  3. Stay on top of your game with Post-Chat Surveys. You want to know how you’re doing so that you can improve. Surveys offer you learning opportunities to delight patients even more the next time they visit.

3 Patient engagement tools for success recap:


Supplement patient support 24/7/365 with Info Capture Bot. Scale your ability to support traffic, without scaling your support costs.

Make sure the right team can always have the right conversation with the hyper-flexible chat transfer command.

Gather valuable information about your performance with Post-Chat Surveys.

Patient engagement tools help you create systems for enhancing customer value 

Use design thinking methods to build customer loyalty by organizing your business around patient needs. Growth isn’t just measured by new patient acquisition. Look to your existing patient base to drive revenue and foster customer value with a few versatile tools from SnapEngage.

HIPAA-Compliant SMS Opens New Markets


Extend Your Reach and Efficiency with HIPAA-Compliant Messaging

HIPAA-compliant SMS offers benefits to healthcare organizations across the board — from new patient acquisition and care to administrative and marketing.

Text messaging is increasingly becoming the preferred method of communication. Americans exchanged over 2 trillion text messages in 2018, a nearly 16% increase year-over-year. Mobile texting has become an expected platform for customer service. Why should healthcare be any different? To attract new patients, you must go to where they are.

Give your patients a text number so they can text you with questions and scheduling. Update patient information using secure forms, cutting down on the time that patients spend in waiting rooms updating current information, and decreasing front office procedures. SnapEngage HIPAA-compliant messaging can get you there with a few simple tools.

Enhanced communication reaches broader patient markets


Goal: 10% more value delivered via HIPAA-compliant SMS
How: Remove communication hurdles with a HIPAA-compliant SMS line. Patients will feel secure and comfortable throughout their conversation, and younger target groups will feel empowered to reach out more frequently.
Outcome: Appeal to new and more diverse patient markets. Improve staff efficiency with streamlined patient onboarding.

Quickstarter toolkit

  1. Stay secure and compliant with HIPAA-compliant SMS. No cumbersome passwords or portals needed. Patients can save the number in their phone and reach you at their convenience.
  2. Securely request patient data using Audit Logs without the need for an external email service. Patients appreciate a new and innovative way to provide information all in one place. Patients can even send you photos when helpful as your team is trained in HIPAA compliance best practices. Patient information is kept secure, and agents cannot send data or images back to the patient. The process stays within SnapEngage.
  3. Advertise your text number on your website, in patient mailings, behind the patient login, and anywhere else patients have access, and provide innovative value requiring minimal effort from patients. Make it easy for patients to reach you.

Sample workflow

Tools for efficient communication recap

Modernize the patient experience with HIPAA-compliant SMS 
Request confidential information using Audit Logs and give patients peace of mind with secure data transfer
Free advertising of the HIPAA-compliant SMS number


Reach patients where they are

In fact, let them reach you in their single most preferred method of communication — texting. SnapEngage makes it easy for you to stay in front of communication trends with HIPAA-compliant SMS. SnapEngage’s suite of HIPAA-compliant tools humanizes the patient experience, enhances front office efficiency, and extends your reach to fresh, diverse markets. 

Improve Patient Acquisition Rate with Healthcare ROI Tools

How to Get the Most out of Your Marketing Campaigns

Your marketing team has spent time and effort creating targeted campaigns to increase web traffic. More website traffic is always great, but increased patient acquisition is better. Do you know your patient acquisition cost? 

SnapEngage Live Chat allows you to recognize and record where visitors are coming from. So, not only can you give website visitors responding to a specific campaign a more customized experience than anyone else on your site, you can accurately measure the return on your investment.

The only way to improve your marketing campaigns is to know where you stand with your current campaign performance. Whether measuring product conversion or new patient acquisition rate, having accurate data is a critical component in evaluating whether your campaign is effective at meeting measurable goals. 

With a few tools in your toolkit, you can collect that data while rolling out the red carpet with exceptional prospective patient engagement 24/7.

Record where they came from and send them where they need to go

Goal: Report on exact metrics from marketing campaigns and increase patient acquisition rate.
How: Qualified site visitors will receive VIP treatment on their very first visit.
Outcome: Reap the benefits of your targeted campaigns with contextual messaging. Capture ROI metrics and offer a 24/7 seamless chat experience to enhance the results of your marketing efforts.


Quickstarter toolkit

  1. Recognize where site visitors are coming from and trigger a chat with contextual messaging for each specific visitor with Proactive Chat. New visitors to your website are looking for valuable information and to schedule an appointment. 53% of visitors are more likely to do business with an organization that provides chat functionality. Guide them through this process with a strong proactive chat strategy.
  2. Capture prospective patient information with Info Capture Bot, even when chat agents are offline or maxed out on chats, so you’ll never miss a new patient opportunity. Provide the best possible experience while supplementing your chat agent team. All prospect information left with the Info Capture Bot will be automatically sent to your integration for follow-up, providing you with valuable ROI metrics and patient acquisition leads.
  3. Have the right agents online at the right time to provide a seamless chat experience and route your prospects where they need to go using Priority Tiers. As your chat requests increase, the system will always scale up to the next tier of agents, making them available when they are needed most. Tiers also serve to maximize chat agent skill sets: the second tier of chat agents can be specialists, engaging with only the most qualified site visitors.


Sample workflow

Tools for ROI recap

Provide high-touch messaging with Proactive Chat settings
Never miss another connection. Info Capture Bots are an extension of your business.
Provide more cohesive new patient support with Priority Tiers


Build your live chat toolkit

Data measurement helps tie campaign success to your overall business bottom line. You can get your money’s worth from advertising campaigns by converting more patient leads from paid campaigns. With a few simple SnapEngage tools, you can correctly attribute which patients came from where and engage with them contextually so you meet their needs immediately. Tiers with a chatbot mean that chats will only route to the bot when no one is online — essentially providing customized service 24/7/365.

What is the HIPAA Privacy Rule During Coronavirus? (FAQs)


Many healthcare organizations may be confused about the HIPAA Privacy Rule during Coronavirus. To be clear, the HIPAA Privacy Rule — which protects patients’ protected health information (PHI) — is not waived because of the Coronavirus COVID-19 pandemic. 

However, the Office of Civil Rights (OCR) is aware that during an infectious disease outbreak — such as COVID-19 — it may be necessary to disclose a patient’s PHI without their written permission in order to treat them or protect the public health.

Therefore, certain provisions of the HIPAA Privacy Rule regarding the disclosure of patients’ PHI without their written authorization can be waived without sanctions or penalties in specific instances during a national Public Health Emergency. 

Let’s unpack this to answer the most common questions healthcare organizations are asking about when a patient’s PHI can be disclosed without their written authorization during the COVID-19 Public Health Emergency.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects the security and privacy of people’s protected health information (PHI). When a patient’s PHI is in electronic form, it’s called ePHI.

The HIPAA Privacy Rule provides the standards for healthcare companies to completely protect any PHI or ePHI that’s collected, processed, transmitted, or stored, and make sure that patients can access it and amend if it is incorrect or has become corrupted due to identity theft or errors. 

If your organization has contact with PHI in any way, you have to develop privacy procedures and policies that adhere to the Privacy Rule and use authorizations as instructed by HIPAA. Otherwise you risk a HIPAA violation, which can subject you to fines and penalties.

Can we disclose PHI without patient authorization for treatment purposes?

Yes. Covered entities and business associates are allowed to disclose PHI if it’s necessary to treat the patient — or any other patient — without a patient’s authorization. 

Treatment includes:

  • Coordination and management of healthcare services by one or more healthcare providers
  • Consultation between healthcare providers
  • Referral of patients for treatment

See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), 164.501.

Can we disclose PHI without patient authorization to public authorities?

Yes. Covered entities and business associates may disclose PHI without written authorization to public health authorities such as any local or state health department, the CDC, a foreign government agency that is collaborating with a public health authority, or any person or entity who has been granted authority from or is under contract with a public health agency.

See 45 CFR §§ 164.501 and 164.512(b)(1)(i).

Can we disclose PHI without patient authorization to someone who might have COVID-19?

Yes. If state law or any other relevant law permits, covered entities can disclose PHI without written authorization to anyone who may have been exposed to COVID-19 or is at risk of contracting or spreading COVID-19. They may also disclose PHI to anyone who they believe can prevent or reduce a serious health threat to a person or to the public by receiving the PHI in question.

See 45 CFR § 164.512(b)(1)(iv).

Can we disclose PHI without patient authorization to family and friends?

Yes. Covered entities and business associates are allowed to share PHI without written authorization with family, relatives, friends, or any other person involved with the patient’s care. They can also share PHI if they need to when trying to find and notify family members, guardians, or people responsible for the patient — to inform them about a patient’s location, condition, or death. This can even include the police, the press, or public at large if it’s necessary in an emergency situation.

Covered entities should at least try to get verbal permission from patients, or be able to reasonably infer that a patient wouldn’t object. But if a patient is incapacitated or not available, covered entities can share PHI if they believe it’s in the patient’s best interest.

See 45 CFR § 164.510(b).

Can we disclose PHI without patient authorization to the media or public at large?

No. Unless excepted as outlined above, information about an identifiable patient (e.g. tests, test results, or illness details) cannot be disclosed to the media or public at large without the patient’s written authorization, or the written authorization of the person legally authorized to make healthcare decisions for the patient.

However, if a patient hasn’t specifically objected to the release of PHI, a covered entity may release limited facility directory and basic information about a patient’s condition, such as “critical, stable, deceased, or treated and released.” 

See 45 CFR § 164.510(a).

Are there any other HIPAA restrictions or changes we should be aware of?

HIPAA Security Rule 

Covered entities and business associates must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information (ePHI) to protect patient information against intentional or unintentional impermissible uses and disclosures — except as permitted by the HIPAA telehealth penalty waiver for healthcare providers. 

COVID-19 HIPAA Telehealth Penalty Waiver for Healthcare Providers

Healthcare providers — specifically — won’t be subject to sanctions or penalties if they violate certain HIPAA Privacy, Security, and Breach Notification Rules when providing telehealthcare in good faith during the COVID-19 nationwide Public Health Emergency.

Minimum Necessary Requirements 

Covered entities and business associates still need to be careful to comply with HIPAA’s minimum necessary requirements. PHI disclosure should only be the minimum amount of information required to accomplish the purpose of the disclosure. But minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.

Other Applicable State and Federal Laws 

There may be other state or federal laws that apply to the disclosure waiver granted under a public health emergency. All covered entities and business associates governed by the HIPAA Privacy Rule should make sure they are up to speed on relevant local laws that may restrict disclosure of PHI during the COVID-19 pandemic.

Real-time OCR Announcements Related to COVID-19

Healthcare providers who are covered under HIPAA need to be aware of ongoing announcements related to HIPAA, Civil Rights, and COVID-19 on the HHS website as we run up against potential Civil Rights challenges while navigating our way through this pandemic. 

Contact SnapEngage to learn how we can help you stay HIPAA compliant during and after COVID-19

SnapEngage’s HealthEngage is the world’s first HIPAA compliant live chat. Our COVID-19 Coronavirus Symptom Checker Bot offers a sequence of questions and answers to help patients understand their options and staff to answer questions quickly. Download our Guide to HIPAA-Compliant Chat and ensure that your business is compliant and protected throughout coronavirus and beyond.


What are the HIPAA Telehealth Rules for COVID-19? (FAQs)


Since the Office of Civil Rights (OCR) released its Notification of Enforcement Discretion for Telehealth Remote Communications in March, healthcare organizations want to know what it means to provide HIPAA compliant telehealthcare during the Coronavirus crisis. These FAQs answer the most common questions about the HIPAA telehealth rules for healthcare organizations during COVID-19.

Which HIPAA telehealth rules are affected by COVID-19?

HIPAA Privacy, Security and Breach Notification Rules — HIPAA covered healthcare organizations won’t be subject to sanctions or penalties if they violate HIPAA Privacy, Security, and Breach Notification Rules when providing telehealthcare in good faith during the COVID-19 nationwide Public Health Emergency.

Which HIPAA covered entities qualify for the telehealth enforcement discretion during COVID-19?

Healthcare providers only — The HIPAA telehealth Enforcement Discretion applies to all healthcare providers that are covered by HIPAA and provide telehealth services during the emergency or transmit any health information in electronic form (ePHI) in connection with a transaction.

Under HIPAA, healthcare providers are those organizations that provide medical or health services, bill for healthcare services, and are paid for health care in the normal course of business. 

Examples of healthcare providers under HIPAA are:

  • Clinics
  • Hospitals
  • Pharmacists
  • Laboratories
  • Physicians
  • Nurses
  • Home Health Aides
  • Therapists
  • Mental Health Professionals
  • Dentists
  • Any other person or entity that provides healthcare

Which HIPAA covered entities do not qualify for the telehealth enforcement discretion during COVID-19?

Health insurance companies — Health insurance companies that pay for telehealth services but do not provide them are not considered covered entities for the telehealth Enforcement Discretion. Covered entities are healthcare providers only.

What patients can healthcare organizations treat under the telehealth enforcement discretion for COVID-19?

Any patient — HIPAA covered health care providers can treat any patients they normally service using telehealth or telemedicine — with no limitations. This includes both COVID-19 and non-COVID-19 related telehealthcare services. 

It also includes both patients that receive Medicare or Medicaid benefits and patients that don’t. (Any telehealth restrictions imposed by Medicare or Medicaid do not limit the HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.)

What is telehealth according to the HHS?

The HHS defines telehealth as the use of “electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” 

This includes technology such as:

  • The internet
  • Video conferencing software
  • Streaming media
  • Storage and forwarding of images
  • Landline communication
  • Wireless communications — audio, text, imaging, video.

But this doesn’t mean that healthcare providers can jump on any platform. The OCR specifically states that providers must use non-public facing applications.

What are non-public facing applications?

Non-public facing communications platforms are those designed to allow only specific parties into the telehealth conversation. Non-public facing communications should use end-to-end encryption and support individual user accounts and login credentials.

Examples of non-public facing remote communication platforms with end-to-end encryption:

  • WhatsApp
  • Telegram
  • Facetime
  • iMessage
  • Signal
  • Facebook Messenger Secret Conversations (iPhone, iPad, and Android only)
  • Skype Private Conversation
  • SnapEngage LiveChat

Examples of non-public facing remote communication platforms without end-to-end encryption:

  • Google Hangouts
  • Facebook Messenger
  • Skype


What are public facing applications?

Public facing applications are not allowed under the Notification of Enforcement Discretion for Telehealth. Public facing technologies are open to the public and are not considered private. Examples of public facing communications are:

  • Facebook
  • TikTok
  • Slack

What are HIPAA compliant telehealth vendors?

HHS also notes that healthcare providers who want additional telehealth privacy should seek out technology vendors who are already HIPAA compliant technology vendors and are willing to enter into a business associate agreement (BAA) with covered entities. 

The HHS website lists some technology vendors that may have HIPAA compliant communication products. But OCR has not reviewed them. Nor does it certify or recommend them — or any other specific technology.

Even though the OCR assures covered healthcare providers that they will not be penalized for using less secure tech communication products during the Public Health Emergency, it advises telehealthcare providers that they should make an effort to use end-to-end encrypted technologies and inform patients of privacy risks when they can’t.

How long will the HIPAA telehealth rules for COVID-19 last?

The Notification of Enforcement Discretion for Telehealth will last as long as the declared Public Health Emergency during COVID-19 lasts. A Public Health Emergency lasts until the HHS Secretary determines that the Public Health Emergency is over. The Secretary can extend it for additional 90-day periods, but ultimately, the protection against HIPAA penalties for telehealth ends when the Secretary says it does.

What happens if the Public Health Emergency officially ends, but healthcare providers still need to use telehealth?

This is a situation that all HIPAA covered healthcare providers should be aware of. 

While the HHS Secretary may declare a national Public Health Emergency terminated, healthcare providers may still find that they are dependent on telehealth and telemedicine in their regional areas to service patients — coronavirus related or not. 

Healthcare providers who are dependent on non-HIPAA compliant technologies to service their patients may find themselves in a grey zone when it comes to HIPAA sanctions or penalties.

The best way to prepare for this is by integrating HIPAA compliant technology today with a Business Associates Agreement in place. Otherwise you may find yourself scrambling when the telehealth Enforcement Discretion is terminated.

Contact SnapEngage to learn how we can help you stay HIPAA-compliant through COVID-19 and beyond

SnapEngage’s HealthEngage is the world’s first HIPAA compliant live chat. We’re set up to address your needs through COVID-19 and beyond. For example, our COVID-19 Coronavirus Symptom Checker Bot offers a sequence of questions and answers to help patients understand their options and staff to answer questions quickly.

Get set up with the leading HIPAA compliant conversational platform designed for healthcare today, and you won’t have to worry about continuing to provide exceptional service while staying HIPAA compliant tomorrow.

How To Reduce Coronavirus Business Impact

Coronavirus business impact has been swift, affecting all aspects of business operations. The downstream effects of this viral outbreak are sweeping across the globe. In most industries, budgets are tightening, and ways of working are changing fast. Every day thousands of businesses are banning travel and directing employees to work remotely. The right technology solutions can help businesses stay connected during uncertain times.

Outside of travel and restaurants, other verticals hit particularly hard by Coronavirus (COVID-19) include General Corporate, Healthcare, and Government. These verticals are experiencing a tsunami of requests. An unprecedented number of calls and emails are inundating companies.

How business is adapting to limits on physical presence


Businesses are experiencing a significant increase in calls and emails from customers, patients, and citizens. Many businesses aren’t able to respond to incoming requests in a timely fashion. In addition, employees are being directed to work from home.

An intelligent mix of live chat and automation, like the SnapEngage COVID-19 Symptom Checker bot, is helping over-burdened staff address customer and employee concerns, thereby stemming Coronavirus business impact.

Moneypenny, a leading answering service in the UK and US serving over 50,000 businesses, has already seen the impact of Coronavirus on their clients. According to Joanna Swash, its Chief Executive Officer, clients are preparing to close offices and work remotely, and they are turning to Moneypenny for help with remote operations and agents.

“Coronavirus is forcing us to change the way we work at an unprecedented rate. With businesses making preparations to operate remotely, chat offers a flexible, real-time method for high volume communication. In fact, it’s ideal for homeworking because it’s cloud based, multiple team members can manage chats and the chat box can be hidden whenever they’re not available.” ~ Joanna Swash, CEO at Moneypenny

In recent months Moneypenny has experienced a 33% increase in chat volume and Coronavirus is now accelerating this trend. More and more businesses are also approaching Moneypenny for help with business continuity preparations – keeping customers away from telephone switchboards and instead triaging their questions quickly online. Swash believes this trend will continue, even after Coronavirus (COVID-19) stabilizes.

More government agencies are using live chat

Local and national government agencies are rapidly going through contingency planning exercises in light of the Coronavirus (COVID-19) pandemic. Their strategies are leading to changes in the way they operate. Government agencies are using live chat to handle increased inquiries from the public. Rather than coming into crowded government offices, these agencies are encouraging citizens to ask tax, utility, health, and other questions directly over chat.

“I have today asked our IT department to raise an order for additional live chat technology to allow us to expand our chat offering and flex some of our working arrangements.” ~ UK Public Sector Organization

Healthcare is leaning on tech to slow Coronavirus impact

There is no doubt that the impact of Coronavirus (COVID-19) on healthcare is unprecedented. Hospitals and healthcare clinics are already challenged. The time factor with Coronavirus, especially for vulnerable patients, goes from general concern to life-threatening very quickly. Many healthcare providers are using live chat and bots to assist with rapid response triage, while building patient trust at the same time.

Triage: understand a patient’s situation before making an appointment

Automation and live chat can help providers quickly determine which patients need help right away, and which can wait. With SnapEngage, providers can create automated Pre-Chat and Proactive Chat dialogues that anticipate clients’ needs in this trying time and stretch the customer service ability of business staff.

Deaconess, a leading health system in Evansville, Indiana, uses the SnapEngage proactive and Chatbot API features to offer a Coronavirus Symptom Checker. The chatbot offers a sequence of questions and answers to help patients understand their options.

“The ability to quickly identify patients in need of urgent medical care is more important than ever. The SnapEngage Guide Bot and other automation features can save healthcare staff significant time by answering common questions up-front.” ~ Sofia Rossato, CEO at SnapEngage

Trust: protect patients with HIPAA compliant chat

There are many live chat solutions on the market. Most are not HIPAA compliant. In a time of crisis, healthcare providers must answer questions quickly. It is frustrating for a patient with symptoms to be told that they cannot share personal information over chat.

SnapEngage was the world’s first HIPAA compliant chat platform. Patients can share personal information and rest assured that their data will be protected. Patients and staff can feel comfortable knowing that the communication channel is safe. Healthcare providers are increasing their use of HIPAA compliant chat to improve the patient journey, patient loyalty, and time to resolution.

“In the current climate, people need reassurance and the quickest way to give them that is by being available – from anywhere, at any time. Live chat is a product of our ‘always on’ world and now it’s facilitating continuous communication to keep people safe and informed. I’d urge any business to assess their current provision and act now.” ~ Joanna Swash, CEO at Moneypenny

How to scale communication during a pandemic

Businesses that can address customers’ needs the quickest in times of uncertainty will secure brand loyalty for years to come. Overloaded customer service staff manning the phones and emails simply won’t be able to scale. Many companies will experience a reduction in staff due to school closures, lack of home support, quarantines, and, unfortunately, illness.

Try these strategies for reducing the Coronavirus business impact. That means lowering time-to-resolution and scaling your support operations quickly.

  • Automate important messages with Proactive Chat
  • Guide visitors to the right location on your website quickly using Guide Bot
  • Outsource live chat agents with trusted partners like Moneypenny

Bonus: a quick way to stretch communications systems

How can you address your potential staff shortages? Here’s a quick change you can make today: include an option to chat in all of your emails for quicker support.

Contact SnapEngage to learn how we can help your business reduce the impact of Coronavirus (COVID-19). Access the Help Center for detailed tips and tricks.


Anticipate Patient Needs with HIPAA-Compliant Live Chat to Gain Trust

Adopt Live Chat and Foster Loyalty

The patient journey doesn’t begin and end with an office visit. Ongoing care means accessible and effective communication. Adopt Live Chat to anticipate patients’ needs and personalize their experience.

The core of patients’ needs lies in being understood. When your patients believe you’re familiar with their needs, you’ve won half the battle. Live Chat allows your agents to see what patients are typing before they submit their request.

Solidify loyalty by providing patients with options that respond to their situation. When you enable patients to connect with your agents online or by phone — without exiting the chat — you assure them that their needs will be met. 

Allowing patients an easy way to connect with the same agent gives them a sense of ease. They trust that you know who they are. Patient trust and loyalty are the drivers of retention and growth.

Anticipate patients’ needs and respond in real time

  • Connect with more patients more often to build trust and loyalty.
  • Build long-term loyal relationships with your patients to drive greater use of your products and services.
  • Reward returning visitors or patients with personalized messaging. 
  • Answer their questions faster by seeing what they type before they submit their request. 
  • Give patients the option to call the same agent directly from within the chat.


Adoption toolkit 

By adopting these HIPAA-compliant chat tools, you can provide patients with an exceptional experience.

  1. Collect information beforehand with a Pre-Chat form. The form is highly customizable. You can improve the patient experience by collecting critical information before the chat begins, eliminating misrouted calls and patient frustration. Give patients the option to skip the form and reduce patient wait times with Proactive Chat.
  2. Give your agents a heads up with Sneak Peek. Your team can respond more precisely if they can see what patients are typing before they hit send. Patients will see “…” while your agents are typing. If an answer takes longer than 60 seconds, you can automatically inform patients that an answer is in the works with a Shortcut.
  3. Resolve complex issues quickly with the Call Me feature. Enable Call Me to allow patients to speak with your agents on the phone or online with a headset (speakers/mic) without closing the chat. Unlimited calls are allowed. Patients feel heard and agents can resolve problems quicker.

Tools for success recap

Collect key information before starting a chat with a Pre-Chat Form
…but don’t require the form if they are about to leave, with Proactive Chat
Reduce patient wait times with Sneak Peek
Resolve complex issues quickly with the Call Me feature


Sample workflow

Adopt your Live Chat toolkit to build loyalty

SnapEngage offers a suite of HIPAA-compliant professional service packages designed to increase organizational efficiency, answer queries faster, and gain a larger presence with patients. 

Staff and physicians spend less time searching for patient data and routing calls. Patients are spared the accidental runaround.

The goal? Remove all patient obstacles in a less work-intensive way. With chat support it’s quicker, easier, and more accessible.


What Happens in a HIPAA Violation?

The Office for Civil Rights (OCR) reviews thousands of HIPAA complaints every year. In 2018, HIPAA enforcement actions resulted in $28.7 million in settlements and civil money penalties. Here are some of the reasons those organizations had to pay.

  • An unencrypted laptop storing ePHI was stolen from an employee’s residence
  • An employee lost some unencrypted USB drives storing ePHI
  • ePHI wasn’t encrypted on enterprise-wide systems
  • A hospital allowed filming onsite without obtaining authorization from patients
  • A doctor disclosed PHI to a news reporter
  • A company didn’t have a business associate agreement in place with a vendor 
  • A company didn’t make sure its vendor was in compliance: the vendor held unsecured ePHI in a web-based system
  • A company failed to properly respond to a patient’s request to send their ePHI to a third party

All of these violations could have been avoided by practicing periodic HIPAA risk assessments and compliance reviews to check possible points of failure in tech, employees, and business practices. 

Can anyone file a HIPAA complaint against you?

No matter how compliant you are, anyone can submit a HIPAA complaint against you, whether you have violated HIPAA or not. The OCR makes it easy for anyone to submit a HIPAA complaint with just a few clicks. Complaints can be filed online with the OCR directly, or with your own Compliance Officer. This isn’t meant to shock you, but to give you a sobering look at what to expect when it happens so you can be prepared.


What happens when HIPAA receives a complaint?

When the OCR receives a complaint, it reviews it under the HIPAA Enforcement Rule to decide whether the conduct described could violate the Privacy or Security Rule, and whether it may involve criminal activity. If the complaint wasn’t filed within 180 days of when the complainant knew (or should have known) of the alleged violation, or OCR finds that the conduct described wouldn’t violate any rule, it’s dismissed.

If criminal activity is detected in violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), the OCR will refer the complaint to the Department of Justice for investigation. If there is no criminal activity but a possible violation of the Security or Privacy rule, then the OCR will open an investigation.


What happens in a HIPAA violation investigation?

If the OCR decides to investigate a HIPAA complaint, it will contact the company named in the complaint and the person who filed the complaint. At this point, the OCR will gather evidence from both parties. They will ask you for a copy of your company’s policies and procedures, risk assessment history, and any other HIPAA compliance review material that may be relevant. This is where you can nip complaints in the bud if you are prepared.

The OCR will review the information and determine whether or not the Privacy or Security rule was violated. If the OCR doesn’t find any violations of the HIPAA rules, it resolves the case. If it sees evidence of noncompliance, it takes action in one or more of the following ways:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.


What is voluntary compliance?

In many cases, the company knows what went wrong by the time the OCR has contacted it or at least learns what went wrong. It’s not uncommon for a company and its business associates to fix the problem while the investigation is ongoing. The OCR will even offer technical assistance if needed. 


What is corrective action?

Cases that require corrective action can sometimes take years to investigate, depending on their complexity. The company or business associate will have to make corrections to their HIPAA Privacy and Security policies, procedures, safeguards, and training. Corrective action often comes with a Resolution Agreement. 


How does a Resolution Agreement work?

A Resolution Agreement is a signed agreement between a non-compliant company or business associate and the HHS. The agreement can impose a fine and require monitoring from one to three years — the company has to make periodic reports to the HHS.


An example of a basic HIPAA Violation that cost an SME $85,000

Company:  Korunda Medical is a healthcare company that offers primary care and pain management to approximately 2,000 patients annually. It has a central office, five satellite offices, two primary care physicians, and five interventional pain physicians.


What happened?  A patient asked Korunda several times to forward his or her records to a third party in a particular electronic format. 


What did Korunda do wrong?  Korunda dragged its feet on the request, charged more than the reasonably cost-based fees allowed under HIPAA, and didn’t provide the records in the requested electronic format.

What rule did Korunda violate? Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524

What action was taken?
Initially, the OCR provided technical assistance to Korunda to teach them how they were supposed to respond to the request — and closed the case. 


Why did Korunda get fined? The OCR received a second complaint about the same thing four days after it had provided the technical assistance to Korunda.


How was the case resolved? Korunda entered into a Resolution Agreement requiring an $85,000 payment and one year of a monitored Corrective Action Plan during which Korunda was ordered to:


  1. Revise policies and procedures within 30 days and prove it. 
  2. Create and present training materials within 60 days. 
  3. Submit a list of all the patient requests for PHI, the dates, particulars, and the cost every 90 days.
  4. Report any employee who failed to comply within 30 days.
  5. Submit an Implementation Report summarizing progress within 120 days.
  6. File an Annual Report within 60 days of the close of the one-year monitoring period.

How much are the fines for HIPAA compliance violations?

Most Privacy and Security Rule investigations are resolved informally with technical assistance or Resolution Agreements. If the OCR decides to impose a civil money penalty (CMP), companies can either pay the penalty or, if they disagree, request a hearing before an HHS administrative law judge. If the judge rules that the penalty is justified, companies can then appeal to the HHS Departmental Appeals Board within 30 days.


HIPAA has four tiers of civil penalties depending on the covered entity’s level of culpability. Penalties accrue per violation, with an annual cap per tier for violations of the same provision; the figures below are the base amounts, which HHS adjusts for inflation each year. Criminal charges are a separate matter: knowing violations of 42 U.S.C. 1320d-6 are referred to the Department of Justice, as described above.


  1. Did not know, and by exercising reasonable diligence would not have known, of the violation: $100-$50K per violation, $25K max per year.
  2. Reasonable cause to believe they knew, or should have known, of the violation: $1K-$50K per violation, $100K max per year.
  3. Willful neglect of HIPAA rules, but the violation was corrected within 30 days: $10K-$50K per violation, $250K max per year.
  4. Willful neglect of HIPAA rules, and the violation was not corrected within 30 days: $50K per violation, $1.5M max per year.


What’s the best way to avoid a HIPAA fine?

Your best defense against HIPAA enforcement and fines is to assume that you’ll have a HIPAA complaint filed against you at some point. Why? Because a HIPAA complaint opens the door to an audit where additional violations could be discovered. 

Even if the original complaint ends up being false, the ensuing investigation and audit could uncover other HIPAA violations resulting in fines. Organizations that are merely box-checking for compliance could get in deep trouble here. 

By assuming that you could be audited at any time, you’re more likely to stay on top of your HIPAA compliance reviews with periodic risk assessments. It’s better if you find all of your possible points of failure and correct them yourself before an OCR auditor does.


How SOC 2 Reports Ensure Cloud-based Data Security

Business today means cloud-based data processing. Companies that outsource to SaaS cloud-based service providers need to make sure that their integrity is maintained throughout their entire data supply chain. In this era of increased data privacy legislation, if your service provider isn’t compliant, you can be held liable and risk damage to your brand. 

SOC 2 audit reports were designed for service organizations such as IT-enabled SaaS and cloud computing providers (HIPAA business associates, when they handle ePHI) that store or process customer data. They are restricted-use reports produced by an independent CPA firm on the service organization’s controls.

SOC 2 is not a regulation like HIPAA, GDPR, or CCPA, and isn’t required for SaaS or cloud vendors. However, for companies that handle electronic protected health information (ePHI), or any other personal data, SOC 2 is a data best practice. It helps a company verify that a business associate’s data privacy and security controls line up with the company’s own regulatory obligations, and it can be adapted for service providers that need to comply with multiple regulations.

What is SOC?

Companies that outsource to vendors must make sure that they choose vendors who have effective internal controls. The AICPA’s framework for reporting on those controls is SOC, System and Organization Controls (formerly Service Organization Control).

SOC reports are audit reports issued by an independent auditor that give customers evidence that a vendor’s controls meet their requirements. There are three kinds: SOC 1, SOC 2, and SOC 3. They are not upgrades of each other but different kinds of reports.

SOC 1 focuses on a service provider’s financial reporting, whereas SOC 2 and SOC 3 both scrutinize a vendor’s security and data protection. The difference between SOC 2 and SOC 3 is restricted use. A SOC 3 report can be openly distributed, but a SOC 2 report is internal and limited to the vendor and the company requesting it from the vendor.

Today, any company that stores customer data in the cloud should strive to meet SOC 2 requirements to minimize the risk of unauthorized exposure and liability. 

What is SOC 2 Compliance?

The American Institute of CPAs (AICPA) designed SOC 2 for outsourced IT-enabled SaaS and cloud computing service providers that handle a company’s data. At its core, SOC 2 is primarily an auditing procedure that ensures SaaS and cloud-computing providers securely manage data to protect both the privacy of a business’s clients and its interests. 

But SOC 2 is more than just a technical audit. It also establishes strict criteria that vendors must comply with to properly and securely manage customer data, following five Trust Service Principles: security, availability, processing integrity, confidentiality, and privacy.

What are the five Trust Service Principles of SOC 2?

SOC 2 audit reports ensure that companies maintain internal corporate governance, risk management, and regulatory oversight by requiring their service providers to manage data according to these five Trust Service Principles.

1. The Security Principle

Security means the protection of data during its collection, use, processing, transmission, and storage. It also means the protection of the systems that process, transmit, and store the information which allow the primary organization to meet its goals. 

Security can include access controls, network and web application firewalls, two-factor authentication, and intrusion detection to protect data and the data systems against abuse, theft, misuse, breaches, and any other unauthorized access of data and systems.

2. The Availability Principle

Availability refers to the accessibility of the systems, data, services, and products as outlined in the service level agreement (SLA) with a company to manage its daily business processes. 

The availability principle isn’t focused on functionality and usability, but rather on the systems themselves, such as controls to support accessibility for operations and monitoring network performance. For example, a backup site failover plan, should any incident occur that impedes the availability of systems, would be governed by the availability principle.

3. The Processing Integrity Principle

The processing integrity principle has to do with whether a system is doing its job by processing data that is complete, valid, accurate, timely, and authorized. Processing integrity is more concerned with the processing behavior itself rather than the integrity of the data. However, systems should function free of error, delay, omission, and any unauthorized or accidental manipulation of data.

4. The Confidentiality Principle

The confidentiality principle governs a company’s ability to protect its confidential information throughout the data lifecycle until the data’s removal. Confidentiality is not the same as privacy in that privacy deals with personal information. In contrast, confidentiality — while it can include personal information — is intended for information that a company needs to control, such as intellectual property. 

Confidential requirements included in contracts or legal clauses would also fit under the umbrella of the confidentiality principle. Other information might be trade secrets, proprietary information, business plans, or sensitive financial information. Protections under this principle may involve encryption, firewalls, access controls, and any other safeguards for information processed or stored on systems.

5. The Privacy Principle

The privacy principle focuses entirely on personal information that is collected, used, stored, disclosed, and disposed of in line with a company’s objectives and privacy policies. 

Personal information is any information that can identify an individual. Personal information can include a name, home or email address, ID numbers, physical characteristics, purchase history, medical or health history, financial information, IP addresses, or biometric identifiers, and other identity indicators. Electronic personal health information (ePHI), as outlined by HIPAA, would fall under the privacy principle.

The SOC 2 privacy principle follows the criteria established by the Generally Accepted Privacy Principles (GAPP). The GAPP consists of ten privacy principles that manage and prevent privacy risks. 

What are SOC 2 Reports?

SOC 2 has two different report types that are the output of SOC 2 audits by external auditors. A SOC 2 Type I report describes the service provider’s system and assesses whether its controls are suitably designed at a given point in time. A SOC 2 Type II report additionally tests whether those controls operated effectively over a review period (commonly six to twelve months), so it is the one to ask for when you need evidence of how the vendor actually operates, not just how its controls are written.

Companies can request SOC 2 reports from SaaS or IT-enabled cloud service providers to assess and monitor any risks associated with a third party’s technology services. Vendors can also request the audits and reports on themselves. SOC 2 reports give companies vital information about how vendors manage data and maintain controls around their systems and processes involving sensitive data.

To put it simply, when a business associate is SOC 2 compliant, companies feel more confident trusting it to handle their data. For companies that handle electronic personal health information (ePHI) and are subject to the HIPAA, or that need added privacy and security controls to meet other data privacy regulations, SOC 2 reports add another layer of assurance against violations or data breaches. 


What Happens in a HIPAA Breach?

Even if you’re HIPAA compliant, you’re not immune to data breaches. In today’s increasingly digital environment, data breaches are a common and unfortunate occurrence. The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), understands this. If you have a breach, it doesn’t necessarily mean it was a result of a HIPAA violation.

However, under HIPAA, there are specific steps you need to take to mitigate any risk to the HIPAA protected health information that you hold and process in anticipation of a breach. And if you do experience a breach, there are specific protocols you should follow depending upon the severity of the breach. The best defense for a data breach is preparation.

What is a data breach according to HIPAA?

Under HIPAA, a breach is an impermissible acquisition, access, use, or disclosure of protected health information (PHI) that compromises its security or privacy in violation of the Privacy Rule. The Breach Notification Rule applies only to unsecured PHI, whether on paper or electronic (ePHI). Unsecured PHI is PHI that hasn’t been “rendered unusable, unreadable, or indecipherable to unauthorized persons” through encryption or destruction using the methods specified in HHS guidance.

How can you avoid HIPAA violations in the event of a breach?

You can avoid HIPAA violations if you’ve made a thorough and continuous effort to stay in compliance before any breach occurs. This means you perform periodic risk assessments and have made sure that all ePHI, whether at rest or in transit, is encrypted in line with the NIST guidance HHS references (NIST SP 800-111 for data at rest, NIST SP 800-52 and related publications for data in transit), so that the data is unreadable, indecipherable, and unusable by unauthorized parties if there is a breach. Note that encryption only protects you if the decryption key was not compromised along with the data; a key stored on the same stolen laptop as the ciphertext does not make that data “secured.”

Many data breaches go unnoticed because companies fail to conduct regular risk assessments and so never detect them, which increases the chance that the eventual finding is one of willful neglect rather than an honest mistake.

Companies must train all staff and have written protocols in place for personnel to follow in the event of an emergency, security, or data breach.

If there is a breach, but the ePHI is secured because it is encrypted to the extent that it is unreadable, indecipherable, and unusable by any unauthorized party, you may not be subject to the Breach Notification Rule. However, you should still do a risk assessment. It will be up to you to recognize the severity of a breach, to take the correct action under HIPAA, and to prove to the HHS that you did.
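The safe harbor described above turns on whether the stored ePHI is genuinely unreadable without a key the attacker did not also obtain. As an added example, not code from SnapEngage or from any HHS guidance, the Go program below encrypts a constructed sample record with AES-256-GCM (an authenticated encryption mode specified in NIST SP 800-38D) and then checks three things a risk assessment would want evidence for: the stored bytes expose none of the identifiers, a tampered blob or a wrong key is rejected instead of yielding garbage, and the record round-trips only for the holder of the key. The record contents, the record ID used as associated data, and the key-handling comments are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; not real patient data.
const SampleRecord = `{"mrn":"MRN-000123","name":"Jane Doe","dob":"1970-01-01","dx":"Z00.00"}`

// NewKey returns a fresh random 256-bit key. In production the key lives in a
// KMS or HSM, never next to the ciphertext: the safe harbor only holds if the
// key was not compromised along with the data (assumption stated for the example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random 96-bit nonce is prepended
// to the output. aad (here a record ID) is authenticated but not encrypted, so
// a ciphertext cannot be silently swapped onto a different record.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to the nonce, ciphertext, tag or aad,
// or use of the wrong key, fails authentication and returns an error.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Leaks reports whether any identifier appears verbatim in blob, i.e. whether
// someone holding only the stored bytes could read it without the key.
func Leaks(blob []byte, identifiers ...string) bool {
	for _, id := range identifiers {
		if bytes.Contains(blob, []byte(id)) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record:000123")
	blob, err := Encrypt(key, []byte(SampleRecord), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes: %d, identifiers visible: %v\n",
		len(blob), Leaks(blob, "Jane Doe", "MRN-000123", "1970-01-01"))

	// Stolen-laptop scenario: the attacker flips a bit or tries another key.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, aad)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, blob, aad)
	fmt.Println("wrong key rejected:", err != nil)

	pt, err := Decrypt(key, blob, aad)
	fmt.Println("authorized decrypt matches:", err == nil && string(pt) == SampleRecord)
}
```

The point for a risk assessment is the key, not the cipher: the `Leaks` check passes for any decent cipher, but the stolen-laptop cases on the violation list above were fined because the key (or no encryption at all) travelled with the data. Keep keys in a separate system with their own access controls and audit log, and record that separation in the assessment.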

The burden of proof is on you

If you have a breach, you’ll have to be able to prove to the HHS either that the ePHI was unusable and did not constitute a breach, or that you’ve responded appropriately by sending out all of the breach notifications required under HIPAA.

Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can show, through a documented risk assessment, that there is a low probability the PHI was compromised. The assessment must consider at least the following factors:

  • Whether the unsecured PHI was actually acquired or viewed, or only exposed.
  • The nature and extent of the PHI involved: the types of identifiers (name, medical record numbers, etc.) and the likelihood that an individual could be re-identified from it.
  • The unauthorized person who used the PHI or to whom it was disclosed (if this can be determined).
  • The extent to which you have mitigated the risk, for example by recovering the data or obtaining written assurances that it was destroyed.

If the HHS does an audit and finds that there may have been some impermissible use or disclosure of ePHI that you didn’t report, they’re going to ask you why.

Your risk assessment is your only defense against appearing culpable. It’s also how you might find out whether your situation falls under one of the three exceptions to a breach of ePHI. These are situations where you might not be found liable for a violation:

  1. Unintentional acquisition, access, or use of PHI by a workforce member or person acting under your authority, made in good faith and within the scope of that authority, with no further impermissible use or disclosure.
  2. Inadvertent disclosure by a person authorized to access PHI at your organization (or business associate) to another person authorized to access PHI at the same organization, with no further impermissible use or disclosure.
  3. Disclosure where you have a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

How do you perform a HIPAA Risk Assessment?

A risk assessment can help you identify risks and vulnerabilities so that you can develop and implement the administrative, physical, and technical safeguards that keep ePHI secure under the HIPAA Security Rule. The US Department of Health & Human Services (HHS) offers guidance on risk assessments on its website, as well as a Security Risk Assessment (SRA) Tool, developed with ONC, that walks you through the process. HHS guidance recommends that you perform risk assessments at least annually and anytime you implement new work procedures, update systems, redesign programs, or experience a security incident like a data breach.

What is the HIPAA Breach Notification Rule?

If you have a breach, but your risk assessment has determined that ePHI is secured (encrypted), you might not be subject to the Breach Notification Rule. But if there is any chance that unsecured ePHI was improperly used or disclosed, you have to follow specific notification rules to stay in compliance.

Victim notification letter:

You must notify each individual whose unsecured PHI is reasonably believed to have been accessed, acquired, used, or disclosed, without unreasonable delay and no later than 60 days after discovery of the breach (unless law enforcement asks for a delay so as not to impede a criminal investigation). A breach is “discovered” on the first day it is known, or by exercising reasonable diligence would have been known, to anyone in your organization other than the person who committed it. HHS guidance spells out the required content of the individual notice; at minimum it must include:

  • What happened, including the date of the breach and the date it was discovered
  • A description of the PHI involved in the breach
  • Steps affected individuals can take to protect themselves
  • A description of what the covered entity is doing to investigate, mitigate harm, and prevent recurrence
  • Contact information for affected individuals to ask questions

Notification to HHS Secretary:

You must notify the Secretary of Health and Human Services of every breach of unsecured PHI. Breaches are reported through the OCR breach portal on the HHS website.

  • If a breach affects 500 or more individuals, you must report it to HHS without unreasonable delay and no later than 60 days after discovery, and notify prominent media outlets serving the affected state or jurisdiction. OCR posts details of these breaches on its public breach portal (known in the industry as “the wall of shame”). You don’t want your name on this wall.
  • If the breach affects fewer than 500 individuals, you may log it and report it to HHS within 60 days of the end of the calendar year in which the breach was discovered.

Business Associates notification:

Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, including the identity of each affected individual and the details the covered entity needs to make its own notifications.

For more details and guidance on the HIPAA Breach Notification Rule check out what the HHS has to say.

How significant are the fines for noncompliance resulting in a breach?

If the Office for Civil Rights (OCR) concludes that a HIPAA breach occurred because of noncompliance, the severity of the penalty will depend upon the extent to which it finds a company negligent.

HIPAA has four tiers of civil penalties. Fines accrue per violation, with an annual cap for violations of the same provision, and the tier depends on the level of culpability. Criminal charges are a separate matter: knowing violations under 42 U.S.C. 1320d-6 are referred to the Department of Justice. Breach victims can also sue under state law (HIPAA itself gives individuals no private right of action), and state attorneys general can bring HIPAA enforcement actions of their own.

Tier 1: $100-$50K per violation. $25K max per year. Unaware of the HIPAA violation and even by exercising reasonable due diligence would not have known HIPAA rules had been violated.

Tier 2: $1K – $50K per violation. $100K max per year. Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.

Tier 3: $10K-$50K per violation. $250K max per year. Willful neglect of HIPAA rules with the violation corrected within 30 days of discovery.

Tier 4: $50k per violation. $1.5M max per year. Willful neglect of HIPAA rules and no effort made to correct the violation within 30 days of discovery.

Keep your name off of the wall of shame

As everything we do becomes more digital, you’re better off expecting a data breach than thinking it won’t happen to you. Breaches will be a part of life and business and the best thing you can do to protect your brand and your clients is get in front of them. If your HIPAA compliance needs a bit of dusting off, check out our HIPAA Compliance Checklist for 2020 and make sure you’re ahead of the game.