HIPAA Compliant Chatbots with Agentforce

Chatbots are everywhere these days. Go to any retail website, and you’ll probably see a chatbot pop up. They may be chatting about different things, from shoes to pizza, but they share a common goal…providing more convenient experiences. But when it comes to healthcare, things are different. Hospitals face unique challenges when implementing chatbots due to strict HIPAA compliance requirements, patient safety concerns, and the complex ecosystem of healthcare systems.

An agent of change in healthcare.

Enter Agentforce. Backed by Salesforce's enterprise-grade tools, like Health Cloud, Agentforce makes deploying a HIPAA compliant chatbot not just possible, but practical as well. Hospitals can now use conversational chatbots to improve patient experiences without losing sleep over legal liabilities by addressing the hurdles of compliance, scope, safety, and integrations.

Let's break it all down.

Challenge

Deploying conversational chatbots in a HIPAA-compliant way

Solution

Salesforce Health Cloud, Experience Cloud, and Agentforce

Results

HIPAA compliance, reduced staff workload, faster service, and better patient experiences

The Problem

Chatbots are incredibly useful for consumers. However, retail use cases are far less complicated than healthcare ones. Hospital use cases for chatbots in healthcare carry tons of risk from a compliance and safety perspective, so many hospitals are hesitant to adopt them. The risk becomes even more significant when implementing conversational chatbots versus rule-based ones. Rule-based chatbots are easier to control because the inputs and responses are defined. However, conversational chatbots simulate conversations and generate responses to real-time input.

Problems with HIPAA Compliance

Conversational chatbots will probably handle some form of PHI throughout a conversation, whether a hospital intends it or not. Patients may submit the PHI in a question, or the chatbot itself may be integrated with an EHR or other system that holds PHI. Many chatbot companies don't have security measures in place to comply with HIPAA, like access controls or audit logging...and as a result, they do not sign business associate agreements.

Other Issues of Compliance

Several other laws regulate the use of conversational chatbots in addition to HIPAA. For instance, if a conversational chatbot recommends treatments, the FDA may regulate it as "Software as a Medical Device." These "moderate" to "high" risk items would require further clearance, such as 510(k) or premarket approval (PMA). If hospitals don't provide the proper scope for their chatbots, they could open themselves to significant liability.

Safety Concerns

Chatbots are prone to offering misinformation, also known as a hallucination. Hallucinations are much less of a concern in industries like retail, where a chatbot may give incorrect information about a pair of shoes. Sure, that might be annoying for a consumer…but misinformation can be deadly in healthcare. In many cases, hospitals are liable for the information a chatbot gives. So, they need to be very careful to limit the scope of a chatbot to prevent it from diagnosing, prescribing, or providing healthcare recommendations. In some cases, this may involve escalating to a person. Still, many chatbots don't have the feature set to restrict conversations to approved topics only.

Integration Challenges

A conversational chatbot's output will only be as good as the data it can access. As a result, the chatbot needs to be integrated with platforms that hold patient data, such as EHRs, scheduling systems, marketing tools, and more. Many chatbots don't integrate natively into these platforms and can't do so compliantly, so they will be very limited in how they can answer questions.

Service Issues

Let’s not forget the reason hospitals are implementing chatbots in the first place…improving patient experiences. Without automation, patients face long wait times while booking appointments, finding nearby providers, or filling out forms. Any inconvenience means they may seek care elsewhere, avoid care altogether, or drive down satisfaction scores.

The Solution

Salesforce solves the HIPAA-compliant chatbot use case with interoperable platforms for different purposes. These include Health Cloud for data unification and storage, Agentforce for conversational chat, and Experience Cloud for authentication.

Data Integration

Health Cloud stores patient data from various platforms, including EHRs, marketing systems, claims tools, and billing platforms. It's a HIPAA-compliant environment with secure data storage, necessary access controls, audit trails, logging, and a signed BAA. Health Cloud is a source of truth for all patient information, creating a unified patient profile that contains diagnoses, medications, preferences, marketing data, demographics, and more to make a complete picture of the patient.

Safety

Agentforce's flexibility makes it an ideal conversational chatbot for hospitals looking to improve patient experiences while remaining compliant and safe. The key is making sure the scope of Agentforce is limited to "Low-Risk" activities as classified by the FDA. By limiting the scope to functions that don't involve diagnosing or prescribing, Agentforce may lower hospitals' liability. HIPAA-safe activities include finding nearby services, checking eligibility, and scheduling appointments. Agentforce can also help out if higher-risk actions are needed. For instance, Agentforce can collect basic patient symptoms and transfer the conversation to a care team member in urgent or primary care.

Patient Identification

Everyone is different, and conversations in healthcare need to be personalized. Experience Cloud is a customizable portal that authenticates users. Authentication allows conversations to be personalized based on demographics, medical history, and more, making conversations much more meaningful.

The Results

HIPAA compliance

Reduced staff workload

Better patient experiences
