Overview
Chatbase is HIPAA-eligible for Enterprise customers. A workspace becomes HIPAA compliant once two things are in place:
- A signed Business Associate Agreement (BAA) between Chatbase and the Covered Entity or Business Associate.
- Zero Data Retention (ZDR), which Chatbase enables automatically on the workspace after the BAA is in effect.
How HIPAA compliance works in Chatbase
- The customer (the covered entity or business associate) signs a Business Associate Agreement with Chatbase. BAAs are available on the Enterprise plan only.
- Chatbase marks the workspace as HIPAA compliant and automatically enables Zero Data Retention on it. The customer does not toggle ZDR manually.
- From that point on, the safeguards in the next section take effect automatically across the workspace and its AI agents.
Shared responsibility model
HIPAA compliance is a shared responsibility between Chatbase and our customers. The sections below outline what we cover and what remains your responsibility.
Chatbase’s responsibilities
- Direct liability — As a business associate, Chatbase is directly accountable for complying with the applicable provisions of the HIPAA Rules. This means we implement the safeguards required to protect electronic Protected Health Information (ePHI) and notify customers of any qualifying breach.
- BAA compliance — Chatbase upholds the terms of every BAA we sign, including the appropriate administrative, physical, and technical safeguards needed to protect ePHI across our platform.
- Vendor management — Any sub-processors or vendors with potential access to ePHI must themselves comply with HIPAA. Chatbase manages this by signing a BAA with such vendors.
- Enforcing Zero Data Retention — Once a workspace is marked HIPAA compliant, Chatbase automatically enables and enforces Zero Data Retention on it. ZDR redacts the entire content of every message in chat logs and leads across the workspace — not just specific PII or PHI fields — so no message text is retained. Customers do not need to configure ZDR themselves.
- Internal logs — All conversation messages and user-identifiable data are redacted from Chatbase’s internal logs.
- Internal audit logging — Chatbase maintains internal audit logs that record HIPAA-relevant events on HIPAA-compliant accounts, supporting investigation and accountability.
Your responsibilities
- Sources and training data — Do not upload PHI or PII into sources. You are responsible for the content you ingest into your agent’s knowledge base.
- Contacts and contact attributes — You are responsible for the data you store on contact records and their custom attributes.
- Two-factor authentication (2FA) — All workspace members must enable 2FA on their accounts. See Two-factor authentication for setup steps.
Features disabled by default
Chatbase disables the following features by default on HIPAA-compliant workspaces. Even with these defaults in place, you remain responsible for ensuring that your team does not attempt to use any of them with PHI:
- Voice-recording retention
- Topic analysis
- Sentiment analysis
- Daily chats email digest
- Daily leads email digest
- Knowledge gaps analysis
- Chatbase Helpdesk (currently disabled)
- End-user Attachments (currently disabled)
HIPAA Compliant AI providers
Only the following providers are available on a HIPAA-compliant workspace.
Large language models (LLM)
Any model offered by:
- OpenAI
- Anthropic
Speech-to-text (STT)
- Deepgram
- Cartesia
On HIPAA-compliant accounts:
- Some voices are restricted and will not be available for selection in the voice picker.
- Configuring a custom voice is currently not available.
HIPAA-Compliant Channels
The following deploy channels can be used on a HIPAA-compliant workspace:
- Chat widget (web embed)
- Help page
- API
- Phone (voice)
- Android SDK
- iOS SDK
- WordPress
- Shopify
- Zendesk
- Zendesk Messaging
- Salesforce
- Zapier
HIPAA Compliant Integrations
The following integrations are HIPAA compliant on Chatbase:
- Shopify
- Stripe
- Calendly
Conditionally HIPAA compliant integrations
The following integrations are HIPAA compliant only if the covered entity has their own BAA in place with the connected provider:
- Zendesk
- Zendesk Messaging
- Salesforce
- Intercom
- Freshdesk
- HubSpot
- Zoho Desk
- Help Scout
- Slack
HIPAA Compliant Actions
The following actions are HIPAA compliant:
- Collect leads
- Custom button
- Custom action
- Custom form
- Customize suggested messages
- Web search
- Slack notify
- Cal.com: Get available slots
- Calendly: Get available slots
- Stripe actions
- Shopify actions
Conditionally HIPAA compliant actions
The following actions are HIPAA compliant only if the covered entity has their own BAA in place with the connected provider:
- Escalate action
- Zendesk Messaging live chat action
Conversation lifecycle and API behavior
Conversation auto-end rules
On a HIPAA workspace, an ongoing conversation ends automatically when either of the following is true:
- The conversation has been idle for more than 12 hours, or
- The conversation is more than 7 days old.
API behavior
The /conversations endpoints in both API v1 and API v2 return redacted conversation data on a HIPAA workspace.
Requesting a BAA
HIPAA support is available on the Enterprise plan. To request a BAA, contact your account representative or get in touch with the Chatbase sales team.
Contact Enterprise sales
Submit the Enterprise contact form to start the BAA process and discuss HIPAA-compliant deployment for your workspace.