Overview
HIPAA compliance enables healthcare organizations to use Salesmsg legally and securely for patient communications. When HIPAA is enabled, Salesmsg automatically activates enhanced security controls to protect Protected Health Information (PHI), including mandatory two-factor authentication (2FA), end-to-end encryption using AWS Key Management Service (KMS), comprehensive audit logging, and strict access controls.
Salesmsg acts as a Business Associate under HIPAA and provides the technical safeguards required to protect electronic Protected Health Information (ePHI).
Key Benefits
| Benefit | Description |
|---|---|
| Secure handling of PHI | Ensures patient health information is protected in accordance with federal HIPAA regulations |
| Reduced compliance risk | Helps healthcare organizations reduce the risk of HIPAA violations and regulatory penalties |
| Built-in safeguards | Security controls are enforced automatically with no manual setup required |
| Audit readiness | Comprehensive logging and documentation support HIPAA audits and investigations |
Common Use Cases
| Use Case | Description |
|---|---|
| Patient communication | Appointment reminders, test results, follow-ups, and care instructions via SMS |
| Healthcare engagement | HIPAA-compliant messaging platform for ongoing patient engagement |
| Multi-device workflows | Secure communication across web, mobile apps, and browser extensions |
What Is Considered ePHI in Salesmsg
Salesmsg treats the following data types as electronic Protected Health Information (ePHI) when HIPAA is enabled:
- Message content and templates
- Conversation notes
- Contact notes
- Call recordings
- AI-generated call transcripts
- AI-generated call summaries
- File attachments
Important: Contact information alone (names, phone numbers) is not treated as ePHI, but all communication content and associated notes are encrypted and protected.
HIPAA Security Controls in Salesmsg
| # | Feature | Description | Key Benefit |
|---|---|---|---|
| 1 | HIPAA Compliance Framework | Salesmsg implements HIPAA-required technical safeguards as a Business Associate to protect ePHI across the platform | Enables legal use of SMS for healthcare communications |
| 2 | Per-Organization AWS KMS Encryption | Each HIPAA organization receives a dedicated encryption key stored in AWS KMS (FIPS 140-2 Level 2). Data is encrypted using AES-256-GCM | Patient data is isolated and protected with industry-grade encryption |
| 3 | Automatic ePHI Encryption | All ePHI is encrypted automatically at rest and decrypted only for authorized users | No manual encryption processes required |
| 4 | Mandatory Two-Factor Authentication (2FA) | 2FA is required for all users and cannot be disabled. Existing sessions are terminated when HIPAA is enabled | Prevents unauthorized access even if credentials are compromised |
| 5 | Comprehensive Audit Logging | All ePHI access, encryption, and decryption events are logged with timestamp, user ID, IP address, and action | Full accountability and audit readiness |
| 6 | Session Management & Idle Logout | Automatic logout after inactivity across web, iOS, Android, and Chrome extension | Prevents ePHI exposure on unattended devices |
| 7 | Integration Restrictions | Only integrations with signed BAAs are allowed (HubSpot, Salesforce). All others are blocked | Prevents ePHI exposure to non-compliant vendors |
| 8 | Public API Access Blocked | Personal Access Tokens and public API access are disabled | Ensures all ePHI access is audited and authenticated |
| 9 | PHI-Sanitized Push Notifications | Push notifications exclude message content and show generic alerts | Prevents PHI exposure on lock screens |
| 10 | Secure Data Retention & Purging | Secure export and purge workflows with audit log retention | Supports compliant data lifecycle management |
| 11 | Multi-Platform Coverage | HIPAA controls apply across web, iOS, Android, and Chrome extension | Consistent protection on all devices |
| 12 | Business Associate Agreement (BAA) | Salesmsg provides a signed BAA to HIPAA customers at no additional cost | Required documentation for HIPAA compliance |
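Rows 2, 3 and 5 describe a general pattern: a dedicated per-organization key, AES-256-GCM encryption of each ePHI record, and an audit event for every encryption and decryption. The Go program below is an added illustration of that pattern and is not Salesmsg's own code; the page does not publish Salesmsg's key handling, record layout or log schema. It assumes a local 32-byte key as a stand-in for the KMS-held organization key (with a real KMS the key never leaves the service and the application only asks it to wrap and unwrap data keys), uses envelope encryption (a fresh data key per record, wrapped by the organization key), binds the organization and record identifiers into the ciphertext as additional authenticated data, and writes an audit line with timestamp, user ID, IP address and action for each attempt. All organization ids, user ids, IP addresses and message text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// randBytes returns n bytes from the platform CSPRNG; failure there is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds an AES-256-GCM AEAD; the only possible failure is a wrong key length.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal encrypts with a fresh random nonce and returns nonce||ciphertext||tag.
func seal(key, aad, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; a wrong key, a wrong AAD or any tampering is an error.
func open(key, aad, blob []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// OrgKey stands in for the per-organization key AWS KMS would hold. Assumption for this
// offline example: a local 32-byte key; with real KMS the key never leaves the service.
type OrgKey struct {
	OrgID string
	kek   []byte
}

// AuditLog is an in-memory stand-in for a durable audit store; each line carries the
// timestamp, user ID, IP address and action the page lists, plus org, record and outcome.
var AuditLog []string
func audit(userID, ip, action, orgID, recordID string, ok bool) {
	AuditLog = append(AuditLog, fmt.Sprintf("%s user=%s ip=%s action=%s org=%s record=%s ok=%v",
		time.Now().UTC().Format(time.RFC3339), userID, ip, action, orgID, recordID, ok))
}
const wrappedLen = 12 + 32 + 16 // GCM nonce + 32-byte data key + GCM tag

// EncryptPHI envelope-encrypts one ePHI record (message body, note, transcript): a fresh
// 256-bit data key encrypts the record and the org key wraps that data key. Org and record
// ids are bound in as AAD, so a ciphertext cannot be silently re-attached elsewhere.
func (k *OrgKey) EncryptPHI(userID, ip, recordID string, plaintext []byte) []byte {
	dek := randBytes(32)
	aad := []byte(k.OrgID + "|" + recordID)
	out := append(seal(k.kek, aad, dek), seal(dek, aad, plaintext)...) // wrappedDEK || record
	audit(userID, ip, "encrypt", k.OrgID, recordID, true)
	return out
}

// DecryptPHI unwraps the data key under this org's key, then opens the record.
// The deferred audit call logs every attempt, successful or not.
func (k *OrgKey) DecryptPHI(userID, ip, recordID string, blob []byte) (pt []byte, err error) {
	defer func() { audit(userID, ip, "decrypt", k.OrgID, recordID, err == nil) }()
	aad := []byte(k.OrgID + "|" + recordID)
	if len(blob) < wrappedLen {
		return nil, errors.New("record too short")
	}
	dek, err := open(k.kek, aad, blob[:wrappedLen])
	if err != nil {
		return nil, err
	}
	return open(dek, aad, blob[wrappedLen:])
}

// Demo runs the flow for two organizations: the round-tripped text, whether a
// cross-organization decrypt was rejected, the audit event count, and any error.
func Demo() (string, bool, int, error) {
	AuditLog = nil
	clinicA, clinicB := &OrgKey{"org-clinic-a", randBytes(32)}, &OrgKey{"org-clinic-b", randBytes(32)} // constructed
	msg := []byte("Your lab results are ready; please call the office.") // constructed sample message
	blob := clinicA.EncryptPHI("user-17", "203.0.113.5", "msg-1001", msg)
	pt, err := clinicA.DecryptPHI("user-17", "203.0.113.5", "msg-1001", blob)
	_, crossErr := clinicB.DecryptPHI("user-42", "198.51.100.9", "msg-1001", blob) // wrong org key
	return string(pt), crossErr != nil, len(AuditLog), err
}

func main() {
	pt, rejected, n, err := Demo()
	fmt.Printf("decrypted: %q\ncross-org rejected: %v\naudit events: %d\nerr: %v\n", pt, rejected, n, err)
}
```

Two details matter for a reviewer of such a design: the failed cross-organization decrypt is logged under the organization that attempted it, with `ok=false`, so the audit trail records the attempt rather than only successes; and because the identifiers are authenticated data, a record copied between organizations or between record ids fails authentication instead of decrypting to the wrong context.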
Enabling HIPAA Compliance
1. Contact Salesmsg to request HIPAA enablement.
2. Review and sign the Business Associate Agreement (BAA).
3. Salesmsg support enables HIPAA for your organization.
4. Security controls are activated automatically:
   - Dedicated AWS KMS encryption key created
   - Mandatory 2FA enforced
   - All active sessions terminated
   - Audit logging enabled
   - Public API access disabled
   - Non-BAA integrations blocked
Frequently Asked Questions
Do you have HIPAA certification?
HIPAA compliance is achieved through implementation of required safeguards and execution of a Business Associate Agreement (BAA). Salesmsg provides all required technical controls and executes a BAA with healthcare customers. You can visit our trust center for details.
What integrations are allowed?
Only integrations with signed BAAs are allowed. Currently supported: HubSpot and Salesforce.
Is HIPAA available on mobile apps?
Yes. HIPAA compliance applies to web, iOS, Android, and Chrome extension.
Can users disable 2FA?
No. When HIPAA is enabled, 2FA is mandatory and cannot be disabled.
Is there an additional cost?
HIPAA compliance is available for everyone. Contact Sales for pricing details.
Need Help?
Reach out through live chat or email [email protected].
