Is Intercom HIPAA Compliant?
What small clinics need to know before using Intercom for patient chat and support — including BAA availability, plan requirements, Fin AI coverage, and the PHI risks in patient-facing messaging workflows.
Short answer
Intercom offers a HIPAA Business Associate Agreement for qualifying customers. Patient-facing chat and messaging workflows routinely contain PHI — patient names, appointment details, and clinical questions arrive in Intercom inboxes without warning. Clinics using Intercom for patient support must confirm BAA coverage, assess whether Fin AI and other AI features are covered, and restrict inbox access to authorized staff.
Intercom is a customer messaging and support platform used for live chat, automated messaging, and support. Healthcare organizations use it for patient inquiries, appointment questions, and general support. Because chat is informal and immediate, patients type personal and clinical information into it from the first message. PHI in Intercom is routine, not an edge case.
Note: Intercom’s plan structure, pricing, and BAA terms are updated periodically. Verify current BAA eligibility and coverage at intercom.com/legal before deploying Intercom in any healthcare context.
Intercom’s HIPAA BAA
Intercom offers a HIPAA Business Associate Agreement for qualifying customers. BAA availability depends on the subscription plan. Customers on plans without BAA access are not covered for PHI processing regardless of how the tool is configured.
Before using Intercom for patient-facing communication:
- Confirm your account is on a BAA-eligible plan
- Execute the BAA with Intercom. The standard subscription agreement does not substitute for a signed HIPAA BAA.
- Confirm which Intercom products and features are covered (Intercom has multiple product lines including Messenger, Inbox, Articles, and the Fin AI agent)
- Verify data hosting region if your compliance posture requires US-only data storage
When Intercom Conversations Contain PHI
Patient conversations submitted through an Intercom-powered chat window routinely contain PHI without the patient or the clinic treating it as a formal health information exchange:
| Message type | Typical PHI content |
|---|---|
| Appointment question | Name, appointment date, provider name |
| Billing inquiry | Name, service date, amount, insurance information |
| Clinical question | Name, symptom description, medication question, diagnosis context |
| Records request | Name, DOB, request for specific records |
| Prescription refill | Name, medication, prescribing provider |
Any Intercom inbox that receives patient messages is in a HIPAA-covered workflow. A clinic routing patient chat through Intercom without a signed BAA makes an unauthorized PHI disclosure from the first message received.
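One way to find out whether an existing inbox is already a HIPAA-covered workflow is to scan an export of past conversations for the PHI indicators listed in the table above. The script below is an added example for this page, not code from Intercom or PHIGuard. It assumes a conversation export shaped as a list of records with an `id` and a `body` field (a hypothetical shape; map your own export to it), and the sample messages are constructed for illustration. The patterns are a scoping heuristic to size the problem before a BAA review, not a legal determination of what is or is not PHI.

```python
import re
from typing import Dict, List, Set

# Constructed sample conversation export (hypothetical records, not real patient data).
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"id": "c1", "body": "Hi, can I move my appointment with Dr. Alvarez on 03/14/2025 to next week?"},
    {"id": "c2", "body": "What are your opening hours on Saturdays?"},
    {"id": "c3", "body": "I was billed $240 for my 02/02/2025 visit; my insurance member ID is ABC123456789."},
    {"id": "c4", "body": "My DOB is 1984-07-09, I'd like a copy of my lab results sent to me."},
    {"id": "c5", "body": "Can I get a refill on my lisinopril 10mg prescription from Dr. Chen?"},
    {"id": "c6", "body": "Is parking available at the clinic?"},
]

# Indicators drawn from the message types in the table: appointment dates, provider
# names, DOB, insurance identifiers, medication with dose, records requests, clinical terms.
PHI_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "date": re.compile(r"\b(\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "dob": re.compile(r"\b(DOB|date of birth)\b", re.I),
    "provider": re.compile(r"\bDr\.\s+[A-Z][a-z]+"),
    "insurance_id": re.compile(r"\b(member|policy|insurance)\s+(id|number|#)\b", re.I),
    "medication_dose": re.compile(r"\b[a-z]+\s+\d+\s?(mg|mcg|ml)\b", re.I),
    "records": re.compile(r"\b(lab results|medical records|records request|copy of my)\b", re.I),
    "clinical_terms": re.compile(r"\b(prescription|refill|diagnos\w*|symptom\w*|medication)\b", re.I),
}

# Indicators that on their own identify a patient or a clinical fact; a bare date does not.
STRONG_INDICATORS = {"dob", "insurance_id", "medication_dose", "records"}


def scan_message(body: str) -> Set[str]:
    """Return the names of every PHI indicator that matches the message text."""
    return {name for name, pattern in PHI_INDICATORS.items() if pattern.search(body)}


def likely_contains_phi(body: str) -> bool:
    """Flag a message when it has one strong indicator or at least two weaker ones.

    A single date ("are you open on 12/25?") is not PHI by itself, but a date
    combined with a provider name describes an appointment and is.
    """
    hits = scan_message(body)
    return bool(hits & STRONG_INDICATORS) or len(hits) >= 2


def triage_export(messages: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Annotate each exported conversation with its indicators and a PHI flag."""
    return [
        {
            "id": msg["id"],
            "indicators": sorted(scan_message(msg["body"])),
            "phi_likely": likely_contains_phi(msg["body"]),
        }
        for msg in messages
    ]


def phi_share(results: List[Dict[str, object]]) -> float:
    """Fraction of conversations flagged as likely containing PHI."""
    if not results:
        return 0.0
    return sum(1 for r in results if r["phi_likely"]) / len(results)


if __name__ == "__main__":
    triaged = triage_export(SAMPLE_MESSAGES)
    for row in triaged:
        print(f"{row['id']}: phi_likely={row['phi_likely']} indicators={row['indicators']}")
    print(f"share of conversations with likely PHI: {phi_share(triaged):.0%}")
```

Run against a real export, a non-zero share means the inbox is already inside the HIPAA boundary and the BAA, access-control and retention steps in the rest of this page apply today, not at some future go-live. Tune the indicator list to your own intake language; false positives are cheap here, while a missed clinical message is not.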
PHI Exposure Risks Beyond the Conversation Transcript
The conversation transcript itself is the most obvious PHI risk, but Intercom surfaces PHI in additional ways:
User profiles: Intercom builds contact profiles from conversation data and API-pushed data. Patient profiles — name, email, phone, conversation history — accumulate into a PHI record set within Intercom.
Notes: Agents can add internal notes to conversations. If a note references clinical context (“patient mentioned they’re on [medication]”), it contains PHI.
Inbox shared visibility: By default, any agent with inbox access can see all conversations in that inbox. Without explicit access restrictions, all agents see all patient conversations.
Reporting: Intercom’s reporting draws on conversation content. Dashboards that expose conversation details surface PHI.
Fin AI and Other AI Features: Assess Before Enabling
Intercom has built AI deeply into the platform: Fin AI (a chatbot that handles inquiries automatically), AI-powered suggestions, conversation summarization, and routing.
These features process conversation content. If conversations contain PHI:
- Fin AI reads patient messages and generates responses. If it processes PHI, the Intercom BAA must explicitly cover Fin AI.
- AI summaries condense conversation content into summaries for agents. PHI in conversation transcripts flows into those summaries.
- AI-suggested responses generate reply options based on conversation context, drawing on PHI from patient messages.
For each AI feature, confirm:
- Whether it is explicitly covered under the Intercom HIPAA BAA
- Whether Intercom uses conversation content for AI model training (and whether opt-out is available)
- Where AI-processed content is stored and for how long
BAA coverage does not automatically extend to AI features. Verify coverage at implementation time, and again when Intercom releases new AI capabilities.
Configuration Requirements for HIPAA-Compliant Use
Inbox Access Controls
Restrict Intercom inbox access to staff with a legitimate operational need to view patient conversations. Intercom’s team and permission settings allow inbox access to be limited. Configure these before patient conversations begin flowing:
- Create separate inboxes for patient-facing and non-patient-facing channels
- Assign only authorized clinical and administrative staff to patient-facing inboxes
- Use Intercom’s role and permission settings to limit which agents can view, reassign, or export conversation data
Data Retention Settings
HIPAA’s retention rule (45 CFR § 164.530(j)) requires covered entities to retain required documentation for six years. Patient conversations in Intercom that contain PHI fall under that requirement. Review Intercom’s data retention settings to ensure PHI-containing conversations are retained for the required period and disposed of securely once retention obligations are met.
Third-Party Integrations
Intercom integrates with CRM systems, help desk tools, analytics platforms, and more. Any integration that reads or writes to Intercom conversations may be processing PHI. Review active integrations before deploying Intercom in a patient-facing context. Each may be a subprocessor requiring its own HIPAA assessment.
Practical Assessment for Small Clinics
Most small medical clinics don’t need Intercom. The EHR’s patient portal handles appointment requests, prescription inquiries, and secure messaging with access controls and audit logging already in place.
Intercom earns its place when the clinic receives high inquiry volumes the EHR portal can’t handle, or when website chat needs to route both patient and non-patient visitors differently.
If Intercom is the right tool: confirm BAA coverage on your specific plan, execute the BAA, configure inbox access controls, assess AI features, review integrations, then go live.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.