Overview
HIPAA compliance mode lets healthcare organizations use Salesmsg for patient communications while meeting their HIPAA obligations. When HIPAA is enabled, Salesmsg automatically activates enhanced security controls to protect Protected Health Information (PHI): mandatory two-factor authentication (2FA), encryption of ePHI at rest under a per-organization key managed in AWS Key Management Service (KMS), comprehensive audit logging, and strict access controls.
Salesmsg acts as a Business Associate under HIPAA and provides the technical safeguards required to protect electronic Protected Health Information (ePHI).
Key Benefits
| Benefit | Description |
| --- | --- |
| Secure handling of PHI | Patient health information is protected in accordance with federal HIPAA regulations |
| Reduced compliance risk | Helps healthcare organizations reduce the risk of HIPAA violations and regulatory penalties |
| Built-in safeguards | Security controls are enforced automatically with no manual setup required |
| Audit readiness | Comprehensive logging and documentation support HIPAA audits and investigations |
Common Use Cases
| Use Case | Description |
| --- | --- |
| Patient communication | Appointment reminders, test results, follow-ups, and care instructions via SMS |
| Healthcare engagement | HIPAA-compliant messaging platform for ongoing patient engagement |
| Multi-device workflows | Secure communication across web, mobile apps, and browser extensions |
What Is Considered ePHI in Salesmsg
Salesmsg treats the following data types as electronic Protected Health Information (ePHI) when HIPAA is enabled:
Message content and templates
Conversation notes
Contact notes
Call recordings
AI-generated call transcripts
AI-generated call summaries
File attachments
Important: Contact information alone (names, phone numbers) is not treated as ePHI, but all communication content and associated notes are encrypted and protected.
HIPAA Security Controls in Salesmsg
| # | Feature | Description | Key Benefit |
| --- | --- | --- | --- |
| 1 | HIPAA Compliance Framework | Salesmsg implements the HIPAA-required technical safeguards as a Business Associate to protect ePHI across the platform | Enables compliant use of SMS for healthcare communications |
| 2 | Per-Organization AWS KMS Encryption | Each HIPAA organization receives a dedicated encryption key held in AWS KMS, whose hardware security modules are FIPS 140-2 validated. ePHI is encrypted with AES-256-GCM | Each organization's patient data is isolated under its own key and protected with authenticated encryption |
| 3 | Automatic ePHI Encryption | All ePHI is encrypted automatically at rest and decrypted only for authorized, authenticated users | No manual encryption processes required |
| 4 | Mandatory Two-Factor Authentication (2FA) | 2FA is required for all users and cannot be disabled. All existing sessions are terminated when HIPAA is enabled, so every user re-authenticates with 2FA | Limits unauthorized access even if a password is compromised |
| 5 | Comprehensive Audit Logging | Every ePHI access, encryption, and decryption event is logged with timestamp, user ID, IP address, and action | Full accountability and audit readiness |
| 6 | Session Management & Idle Logout | Automatic logout after inactivity across web, iOS, Android, and Chrome extension | Reduces ePHI exposure on unattended devices |
| 7 | Integration Restrictions | Only integrations covered by a signed BAA are allowed (HubSpot, Salesforce). All others are blocked | Prevents ePHI from flowing to vendors without a BAA |
| 8 | Public API Access Restricted | Personal Access Tokens and unscoped public API access are disabled. Integrations that need the API go through scope-based access control, where PHI-sensitive scopes require a signed BAA and admin approval (see HIPAA API Access) | Ensures all ePHI access is authenticated, approved, and audited |
| 9 | PHI-Sanitized Push Notifications | Push notifications exclude message content and show generic alerts | Prevents PHI exposure on lock screens |
| 10 | Secure Data Retention & Purging | Secure export and purge workflows; audit logs are retained after a purge | Supports compliant data lifecycle management |
| 11 | Multi-Platform Coverage | HIPAA controls apply across web, iOS, Android, and Chrome extension | Consistent protection on all devices |
| 12 | Business Associate Agreement (BAA) | Salesmsg provides a signed BAA to HIPAA customers at no additional cost | Required documentation for HIPAA compliance |
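The per-organization KMS key and AES-256-GCM rows above describe an envelope-encryption design. The following is an added example, not Salesmsg's code, that shows the shape of that design in Go. A stand-in for KMS (FakeKMS, a map of per-organization master keys; a real deployment calls AWS KMS Encrypt/Decrypt or GenerateDataKey instead) wraps a fresh per-value data key, the data key encrypts the ePHI with AES-256-GCM, and the organization ID and field name are bound as associated data. It also shows the failure modes a reviewer would ask about: a caller from another organization cannot unwrap the data key, and a ciphertext moved to a different field or modified in transit fails authentication. All names (FakeKMS, EncryptedField, EncryptPHI, field labels such as message.body) and the clinic-a/clinic-b organizations are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// FakeKMS stands in for AWS KMS: one 256-bit master key per organization that never leaves the KMS.
type FakeKMS map[string][]byte

// CreateOrgKey is the "dedicated AWS KMS encryption key created" step of HIPAA enablement.
func (k FakeKMS) CreateOrgKey(orgID string) { k[orgID] = mustRandom(32) }

// Wrap is KMS Encrypt for a data key; the org ID is bound as AAD so the blob cannot be moved between orgs.
func (k FakeKMS) Wrap(orgID string, dataKey []byte) ([]byte, error) {
	mk, ok := k[orgID]
	if !ok {
		return nil, fmt.Errorf("no KMS key for org %q", orgID)
	}
	return seal(mk, dataKey, []byte(orgID))
}

// Unwrap is KMS Decrypt; it succeeds only with the master key of the org that wrapped the key.
func (k FakeKMS) Unwrap(orgID string, wrapped []byte) ([]byte, error) {
	mk, ok := k[orgID]
	if !ok {
		return nil, fmt.Errorf("no KMS key for org %q", orgID)
	}
	return open(mk, wrapped, []byte(orgID))
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under AES-256-GCM with a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed value too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptedField is the at-rest form of one ePHI value (message body, contact note, transcript, ...).
type EncryptedField struct {
	OrgID, Field string // Field names the stored column, e.g. "message.body"
	WrappedKey   []byte // per-value data key, encrypted by KMS
	Sealed       []byte // nonce || AES-256-GCM ciphertext || tag
}

// EncryptPHI is envelope encryption: a fresh data key encrypts the value, KMS wraps that key, and
// the AAD ties the ciphertext to its org and field so it cannot be swapped into another record.
func EncryptPHI(kms FakeKMS, orgID, field string, plaintext []byte) (*EncryptedField, error) {
	dk := mustRandom(32)
	wrapped, err := kms.Wrap(orgID, dk)
	if err != nil {
		return nil, err
	}
	sealed, err := seal(dk, plaintext, []byte(orgID+"|"+field))
	if err != nil {
		return nil, err
	}
	return &EncryptedField{OrgID: orgID, Field: field, WrappedKey: wrapped, Sealed: sealed}, nil
}

// DecryptPHI unwraps with the caller's own org key; a caller from another org reaches a different
// master key, the unwrap fails, and no plaintext is ever produced.
func DecryptPHI(kms FakeKMS, callerOrgID string, ef *EncryptedField) ([]byte, error) {
	dk, err := kms.Unwrap(callerOrgID, ef.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dk, ef.Sealed, []byte(ef.OrgID+"|"+ef.Field))
}
```

Against a real KMS the master key never leaves the service: Wrap and Unwrap become Encrypt/Decrypt calls with the organization's key ID, an EncryptionContext carries what the AAD carries here, and the CloudTrail record of each Decrypt is the natural source for the "decryption event" line in the audit log. The sample wraps a new data key per value; designs that cache a data key per organization for a bounded time make fewer KMS calls at the cost of coarser isolation, and that trade-off should be an explicit decision.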
HIPAA API Access
When you connect a third-party integration using Salesmsg's Public API, you choose exactly what that integration is allowed to do. This is scope-based access control: an integration can only reach the data its granted scopes cover, nothing more.
Connecting the API
Go to Settings and open the Integrations or API section.
Select the integration you want to configure.
Choose the scopes that match what the integration needs to do.
If your organization has HIPAA enabled, any high-risk (PHI-sensitive) scopes require admin approval before the integration can use them.
Save your settings. The integration is now limited to exactly those permissions.
Scope risk levels
Not all scopes carry the same level of sensitivity. Here is how they break down:
Low risk: authentication, numbers, teams, users, webhooks, keywords, saved replies
Medium risk: contacts, broadcasts, campaigns, analytics, custom fields, tags
High risk (PHI-sensitive): conversations, messages, calls, recordings, contact notes
High-risk scopes require a signed Business Associate Agreement (BAA) and explicit admin approval. Every approved request that touches a high-risk endpoint is logged automatically, including the integration name, the endpoint accessed, and a timestamp.
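Here is an added example, not Salesmsg's implementation, of the scope-risk gate this section describes, written in Go. It classifies the scopes listed above by risk level, checks each request against the scopes the integration was granted, and in a HIPAA organization additionally requires a signed BAA and explicit admin approval before a high-risk scope can be used, recording every high-risk decision with the integration name, the endpoint and a timestamp. The /v1/<resource>/... convention used to map an endpoint to a scope, the type names, the constructed "ehr-sync" integration, and the assumption that non-HIPAA organizations are not subject to the BAA/approval rule are all this example's own.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Risk int

const (
	Low Risk = iota
	Medium
	High // PHI-sensitive
)

// scopeRisk mirrors the three risk levels listed above.
var scopeRisk = map[string]Risk{
	"authentication": Low, "numbers": Low, "teams": Low, "users": Low, "webhooks": Low, "keywords": Low, "saved_replies": Low,
	"contacts": Medium, "broadcasts": Medium, "campaigns": Medium, "analytics": Medium, "custom_fields": Medium, "tags": Medium,
	"conversations": High, "messages": High, "calls": High, "recordings": High, "contact_notes": High,
}

type Org struct{ HIPAA, BAASigned bool }

type Integration struct {
	Name, OrgID   string
	GrantedScopes map[string]bool // chosen when the integration was connected
	AdminApproved map[string]bool // high-risk scopes an admin has explicitly approved
}

type AuditEntry struct {
	Time                                  time.Time
	Integration, Endpoint, Scope, Decision string
}

type Gate struct {
	Orgs  map[string]Org
	Audit []AuditEntry
	Now   func() time.Time
}

// endpointScope derives the governing scope from the request path. Assumed convention, not
// Salesmsg's documented routing: the first segment after /v1/ names the resource.
func endpointScope(path string) (string, error) {
	seg := strings.SplitN(strings.TrimPrefix(path, "/v1/"), "/", 2)[0]
	if _, ok := scopeRisk[seg]; !ok {
		return "", fmt.Errorf("no scope governs endpoint %q", path)
	}
	return seg, nil
}

func (g *Gate) record(in Integration, path, scope, decision string) {
	g.Audit = append(g.Audit, AuditEntry{g.Now(), in.Name, path, scope, decision})
}

// Authorize applies the rules above: the scope must have been granted; in a HIPAA org a high-risk
// scope also needs a signed BAA and admin approval, and every high-risk call is written to the
// audit trail. Denials are recorded too, which the text does not require but an auditor will want.
func (g *Gate) Authorize(in Integration, path string) error {
	scope, err := endpointScope(path)
	if err != nil {
		return err
	}
	org, ok := g.Orgs[in.OrgID]
	if !ok {
		return fmt.Errorf("unknown org %q", in.OrgID)
	}
	if !in.GrantedScopes[scope] {
		return fmt.Errorf("%s: scope %q was not granted", in.Name, scope)
	}
	if !org.HIPAA || scopeRisk[scope] != High {
		return nil // low or medium risk, or a non-HIPAA org: the grant alone is enough
	}
	switch {
	case !org.BAASigned:
		g.record(in, path, scope, "denied: no signed BAA")
		return fmt.Errorf("%s: scope %q requires a signed BAA", in.Name, scope)
	case !in.AdminApproved[scope]:
		g.record(in, path, scope, "denied: awaiting admin approval")
		return fmt.Errorf("%s: scope %q requires admin approval", in.Name, scope)
	}
	g.record(in, path, scope, "allowed")
	return nil
}

func main() {
	g := &Gate{Orgs: map[string]Org{"clinic-a": {HIPAA: true, BAASigned: true}}, Now: time.Now}
	ehr := Integration{Name: "ehr-sync", OrgID: "clinic-a", // constructed example integration
		GrantedScopes: map[string]bool{"contacts": true, "messages": true}, AdminApproved: map[string]bool{}}
	fmt.Println(g.Authorize(ehr, "/v1/contacts"))     // <nil>: medium risk, no high-risk audit entry
	fmt.Println(g.Authorize(ehr, "/v1/messages/123")) // denied until an admin approves "messages"
	ehr.AdminApproved["messages"] = true
	fmt.Println(g.Authorize(ehr, "/v1/messages/123")) // <nil>, and an audit entry is written
	for _, e := range g.Audit {
		fmt.Println(e.Time.Format(time.RFC3339), e.Integration, e.Endpoint, e.Decision)
	}
}
```

Two points are worth checking in any real implementation of this gate: the scope-to-endpoint mapping must be exhaustive (an endpoint that no scope governs should be rejected, as endpointScope does, rather than silently allowed), and approval must be evaluated on every request, not only when the integration is connected, so that revoking an approval takes effect immediately.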
Role-Based Access Control (RBAC) Enhancements
Salesmsg supports healthcare organizations by helping meet HIPAA access control and audit requirements when handling communications that may contain Protected Health Information (PHI).
HIPAA requires organizations to implement safeguards that protect access to sensitive data. By tracking permission changes, Salesmsg helps healthcare teams meet regulatory expectations for:
Unique user identification
Controlled access to systems and data
Verifiable administrative actions
What's Logged
Whenever a user's role or permissions are updated, Salesmsg securely records:
The user whose permissions were changed
Who made the change
The date and time of the update
The previous role or permissions
The new role or permissions
This audit history helps organizations:
Detect unauthorized or accidental privilege changes
Demonstrate access control governance during compliance reviews
Maintain accountability across administrative actions
Enabling HIPAA Compliance
Contact Salesmsg to request HIPAA enablement
Review and sign Business Associate Agreement (BAA)
Salesmsg support enables HIPAA for your organization
Security controls are automatically activated:
Dedicated AWS KMS encryption key created
Mandatory 2FA enforced
All active sessions terminated
Audit logging enabled
Public API access disabled
Non-BAA integrations blocked
Frequently Asked Questions
Do you have HIPAA certification?
There is no government-issued HIPAA certification. HIPAA compliance is achieved through implementation of the required safeguards and execution of a Business Associate Agreement (BAA). Salesmsg provides the required technical controls and executes a BAA with healthcare customers. You can visit our trust center for details.
What integrations are allowed?
Only integrations with signed BAAs are allowed. Currently supported: HubSpot and Salesforce.
Is HIPAA available on mobile apps?
Yes. HIPAA compliance applies to web, iOS, Android, and Chrome extension.
Can users disable 2FA?
No. When HIPAA is enabled, 2FA is mandatory and cannot be disabled.
Is there an additional cost?
HIPAA compliance is available for everyone. Contact Sales for pricing details.
Need Help?
For general (non-HIPAA) accounts:
Reach out through live chat or email [email protected]
For HIPAA-enabled accounts:
Please contact our dedicated HIPAA support team at [email protected]
Note: When reaching out, blur or redact any patient data in screenshots or other materials before uploading them; support channels are not a place for ePHI.
