HIPAA compliance and privacy regulations
The Health Insurance Portability and Accountability Act (HIPAA) is a United States law that ensures organizations handling individuals’ digital health information keep it secure and confidential. The information protected under HIPAA is referred to as Protected Health Information (PHI). PHI includes not only medical details, like test outcomes and treatment records, but also personal identifiers connected to those records like a patient’s name, contact details, account numbers, demographic data, and related identifiers.
HIPAA applies specifically to Covered Entities, which are:
- Health insurers and plans (including Medicare, Medicaid, HMOs, and employer health plans)
- Healthcare providers (like doctors, pharmacies, and clinics)
- Health information clearinghouses and related organizations
Because these entities often rely on outside partners, HIPAA also outlines how they can share PHI with Business Associates—organizations that perform services involving access to PHI. Business Associates must follow strict safeguards and use the information solely for the intended healthcare purposes to remain HIPAA-compliant. Customer.io is a Business Associate for our customers who need to navigate HIPAA compliance in messaging with their users.
Best Practices to support HIPAA Compliance
If your work involves protected health information (PHI), you must implement and maintain the administrative, technical, and physical safeguards required under HIPAA. These controls help ensure the privacy and security of your users and their data.
HIPAA obligations also extend to any subcontractors or third-party partners who might access PHI on your behalf. You are responsible for ensuring your partners follow compliant practices and maintain the same level of protection. Compliance isn’t a one-time task! You and your teams should regularly review your processes, confirm that safeguards remain effective, and update processes as needed to meet evolving requirements.
Here are some best practices to help with HIPAA compliance as you use Customer.io:
- Execute a Business Associate Agreement (BAA): You can request to execute a BAA with Customer.io outlining your adherence to HIPAA’s privacy and security standards. If you manage your own Twilio account to send SMS messages, you’ll also want to sign a BAA with Twilio directly.
- Limit access to health information: Only give access to team members who absolutely need access to personal information for their jobs, and regularly review who has access to that information. Don’t give access to PHI to team members who don’t need it for their jobs.
- Don’t send protected health information (PHI) in messages. SMS, push, and email are not fully secure communication channels and can expose sensitive information if your users lose their devices, share them with others, or are otherwise compromised. Instead, you should send your audience messages with links to a secure portal where they must log in to access their health information safely. Using secure links ensures PHI remains protected behind proper authentication, and prevents the disclosure of sensitive data over unencrypted channels.
- Use strong passwords and two-factor authentication: Protect Customer.io access—and any system with access to health data—with complex passwords and multi-factor authentication.
- Train your team regularly: Ensure everyone handling health information knows the rules, recognizes phishing emails, and understands how to report security incidents.
HIPAA compliance requires ongoing review, evaluation and strong partnerships. The law has changed as recently as 2025.
Additional Tips for sending HIPAA compliant messages
While our documentation isn’t legal advice, we’ve included some tips that can help you send HIPAA compliant messages—and general practices that are probably good to follow even if you’re not working with protected health information (PHI).
Create a patient communication preference form
Your audience should have an easy way to set their communication preferences. While you can do this with keywords over SMS, it’s tough to explain everything involved in communicating health information in an SMS message.
Instead, you should create a patient communication preference form where your audience can determine what information they’re comfortable getting over SMS and other channels. You can link users to this form from SMS messages, so they can opt-in or out at their leisure, independently of any messages you might send.
With a form, you can also link users to complicated policy information so users can learn more about, and opt into or out of, health information they might receive over SMS. You can store these preferences in attributes, which you can use to segment your audience and make sure you abide by their preferences.
You can manage form submissions with our form integrations, or with a custom event from our JavaScript integration.
Follow users’ channel and time-based preferences
SMS and push notifications are particularly visible to your audience, and they could show up at an inopportune time! Nobody wants a notification to pop up during a meeting with information about test results.
Even email can be a vulnerable channel, especially if your users haven’t used an email address in a while—like an email address from a past job or an old university email address. Make sure that your users’ contact information is up to date, and try to send people messages through the channels they prefer at the right times.
While our Subscription Center functionality doesn’t manage channel-based preferences, you can use attributes to manage preferences and then use conditions in campaigns and broadcasts to send users messages through the channels they prefer. You can use our automatic geolocation feature to better understand your users’ local times and schedule messages accordingly.
Gather SMS consent specific to HIPAA
While patients can opt into SMS messaging and agree to receive protected health information (PHI), they can revoke consent for either, or both, at any time.
You can use traditional keywords like START and STOP to opt users into and out of SMS messaging altogether, but you may need to store consent to transmit PHI—or get health-related messages—over SMS in another attribute.
In general, it’s easier to manage additional consent with a patient communication preference form, but you can also use keywords over SMS. For example, you could send a message asking if a user wants to opt into health information over SMS, and they could reply with Yes or No.
Keep a history of consent and risk-acknowledgement
You should keep a history of your audience’s consent and their acknowledgement of risks associated with SMS communications.
While you can use attributes in Customer.io to represent consent (or non-consent), you’ll need to export message data from Customer.io to store the history of consent and risk-acknowledgement beyond the current state in Customer.io.
The best way to do this is with our Data Warehouse integrations, which help you capture attribute changes and message history that you can store in a data warehouse or database of your choice.
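The two sections above describe one design: START/STOP keywords govern the SMS channel as a whole, a separate Yes/No answer governs PHI over SMS, either consent can be revoked at any time, and every change needs to survive as history rather than only as the current attribute value. The following is an added example that sketches that design; it is not Customer.io code. The attribute names `sms_subscribed` and `phi_over_sms_consent`, the source labels, and the row layout of the exported history are assumptions for illustration.

```python
"""Two separate SMS consents with an append-only history.

Added example, not Customer.io code. START/STOP keywords control the SMS
channel as a whole, a separate YES/NO answer to an explicit question controls
PHI over SMS, and every change is kept as a history row. The attribute names,
source labels and row layout are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SMS_ATTR = "sms_subscribed"          # assumed attribute name: SMS channel consent
PHI_ATTR = "phi_over_sms_consent"    # assumed attribute name: consent to receive PHI by SMS


@dataclass
class ConsentRecord:
    attribute: str
    value: bool
    source: str   # what produced the change, e.g. "sms_keyword:STOP" or "preference_form"
    at: str       # ISO-8601 UTC timestamp


@dataclass
class Person:
    id: str
    attributes: dict = field(default_factory=lambda: {SMS_ATTR: False, PHI_ATTR: False})
    history: list = field(default_factory=list)
    awaiting_phi_answer: bool = False   # True only after we asked the PHI question


def set_consent(person, attribute, value, source, now=None):
    """Update the current attribute value and append a history row."""
    person.attributes[attribute] = value
    person.history.append(ConsentRecord(
        attribute, value, source, now or datetime.now(timezone.utc).isoformat()))


def ask_phi_consent(person):
    """Send the PHI-over-SMS question; a later YES/NO only counts while this is pending."""
    person.awaiting_phi_answer = True
    return "Reply YES to receive health information by text, or NO to keep it in the portal only."


def handle_inbound_sms(person, body, now=None):
    """Route an inbound SMS keyword to the consent it affects."""
    word = body.strip().upper()
    if word == "STOP":
        # STOP ends SMS delivery altogether; the separate PHI consent is left as recorded
        person.awaiting_phi_answer = False
        set_consent(person, SMS_ATTR, False, "sms_keyword:STOP", now)
        return "unsubscribed"
    if word == "START":
        set_consent(person, SMS_ATTR, True, "sms_keyword:START", now)
        return "subscribed"
    if word in ("YES", "NO") and person.awaiting_phi_answer:
        person.awaiting_phi_answer = False
        set_consent(person, PHI_ATTR, word == "YES", f"sms_keyword:{word}", now)
        return "phi_consent_recorded"
    # an unsolicited YES, or any other text, never grants PHI consent
    return "ignored"


def apply_preference_form(person, form, now=None):
    """Apply a patient communication preference form submission; either consent can be revoked."""
    for attr in (SMS_ATTR, PHI_ATTR):
        if attr in form and bool(form[attr]) != person.attributes[attr]:
            set_consent(person, attr, bool(form[attr]), "preference_form", now)


def can_send_phi_by_sms(person):
    """Both consents must hold: subscribed to SMS and opted in to PHI over SMS."""
    return person.attributes[SMS_ATTR] and person.attributes[PHI_ATTR]


def export_history(person):
    """Rows for a warehouse table; the current attribute value alone is not a history."""
    return [{"person_id": person.id, "attribute": r.attribute, "value": r.value,
             "source": r.source, "changed_at": r.at} for r in person.history]


if __name__ == "__main__":
    p = Person("person-1")
    handle_inbound_sms(p, "START")
    ask_phi_consent(p)
    handle_inbound_sms(p, "yes")
    handle_inbound_sms(p, "STOP")
    for row in export_history(p):
        print(row)
```

The send check requires both consents, so a STOP silences PHI messages even though the PHI consent attribute keeps its recorded value, and a YES that arrives without a pending question is ignored rather than treated as consent. The `export_history` rows are what you would ship to a warehouse so that consent and revocation stay auditable after the attribute has changed again.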
Do not include PHI in support tickets
If you need support with an issue relating to HIPAA compliant messages, you should avoid exposing protected health information (PHI) to support teams or non-health professionals outside of your organization (including Customer.io and Twilio).
When you submit support tickets or request technical assistance, don’t include protected health information (PHI) in your communications; that includes support communications with Customer.io, Twilio, and other vendors. While we’re happy to help, we’re not covered by your HIPAA agreements and should not have access to real patient data—even incidentally!
Do not include in support tickets:
- Patient names, dates of birth, or contact information
- Medical record numbers or account IDs
- Specific medical conditions, treatments, or diagnoses
- Insurance information or billing details
- Screenshots containing actual patient data
- Database queries with real PHI
- Log files that might contain patient information
Do this instead:
- Use fake names like “Patient X” when describing scenarios
- Replace real dates with examples like “01/01/2025”
- Use placeholder medical record numbers like “MRN12345”
- Create mock data that illustrates your technical issue without exposing real information
- Redact or blur any PHI from screenshots before you share them with support
- Ask your support contact to sign a BAA before you share real data (most won’t, which means you shouldn’t share it)
Remember: Technical support can be just as effective using anonymized examples, and this approach protects both your patients and your HIPAA compliance!
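Scrubbing log lines and ticket text by hand is error-prone, so the following added example (not Customer.io tooling) automates the substitutions listed above and flags what a pattern cannot catch. The regex patterns, the placeholders (chosen to match the suggestions above: “Patient X”, “01/01/2025”, “MRN12345”), the review keywords, and the sample log lines are all constructed for this illustration. Names cannot be found by pattern alone, so the caller passes the names it knows about, and lines that still describe a condition, treatment, or result are returned for a manual read before anything is sent.

```python
"""Scrub likely PHI from log lines or ticket text before sharing it with support.

Added example, not Customer.io tooling. Patterns, placeholders, review keywords
and the sample log lines are constructed for illustration.
"""
import re

# (label, pattern, placeholder); order matters: slash dates run before ISO dates so a
# freshly inserted "01/01/2025" is not counted twice, and SSN-shaped ids run before phones
PATTERNS = [
    ("mrn",   re.compile(r"\bMRN[-\s]?\d+\b", re.I),                 "MRN12345"),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),             "01/01/2025"),
    ("date",  re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),                   "01/01/2025"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),            "patient@example.com"),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                   "000-00-0000"),
    ("phone", re.compile(r"(?<!\w)\(?\+?\d[\d \t().-]{7,}\d(?!\w)"),  "+1 555 0100"),
]

# words that suggest a condition, treatment or result is being described in free text
REVIEW_HINTS = ("diagnos", "prescri", "treatment", "condition", "symptom", "result")

# constructed sample log lines containing made-up PHI
SAMPLE_LOG = """\
2025-03-04 10:15:22 INFO sms.send to=+1 (415) 555-0199 person=jane.doe@example.org
2025-03-04 10:15:23 WARN template render failed for Jane Doe, MRN 0048213, dob 1987-11-02
2025-03-04 10:15:23 DEBUG payload: {"subject": "Lab result for Jane Doe", "body": "Your A1C result and diagnosis notes are in the portal"}
"""


def redact(text, known_names=()):
    """Return (scrubbed_text, counts) with every hit replaced by its placeholder."""
    counts = {}
    for name in known_names:
        # names are supplied by the caller; a regex cannot recognise them on its own
        name_pat = re.compile(r"\b" + re.escape(name) + r"\b", re.I)
        text, n = name_pat.subn("Patient X", text)
        counts["name"] = counts.get("name", 0) + n
    for label, pat, placeholder in PATTERNS:
        text, n = pat.subn(placeholder, text)
        counts[label] = counts.get(label, 0) + n
    return text, counts


def needs_review(text):
    """1-based line numbers that still mention a condition, treatment or result in free text."""
    return [i for i, line in enumerate(text.splitlines(), start=1)
            if any(hint in line.lower() for hint in REVIEW_HINTS)]


if __name__ == "__main__":
    scrubbed, counts = redact(SAMPLE_LOG, known_names=("Jane Doe",))
    print(scrubbed)
    print("replacements:", counts)
    print("read these lines by hand before sending:", needs_review(scrubbed))
```

The scrubber deliberately over-matches (any ten-digit run shaped like a phone number is replaced) because a false positive costs a little context while a false negative leaks PHI. The review list exists because free-text fields such as message bodies are where conditions and results hide, and no pattern list will catch them reliably; treat its output as lines to rewrite, not lines to trust.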
If you need help with HIPAA compliance
Reach out to your Customer.io representative if you have questions about HIPAA compliance for Customer.io or want to explore a Business Associate Agreement (BAA) with us.
