Is Zendesk HIPAA Compliant?
Zendesk is HIPAA compliant for covered services in HIPAA-enabled Service Plans, provided organizations agree to the terms of Zendesk’s Business Associate Agreement and configure services to comply with Zendesk’s Security Configuration Requirements. Depending on how the platform is used, it may also be necessary to disable third-party apps and integrations, or to enter into separate Business Associate Agreements with third-party software vendors.
Zendesk is a customer experience platform that was originally designed as a customer service solution but now also includes sales, customer management, and workforce productivity services. By default, Zendesk is not HIPAA compliant because it prohibits customers from storing or transmitting Protected Health Information (PHI) under §2.3 of the Main Services Agreement unless “expressly agreed to otherwise by Zendesk in writing”.
However, because many customers want to use the platform to create, collect, store, or transmit PHI, Zendesk provides a number of options for overcoming this prohibition. These include subscribing to a HIPAA-enabled Zendesk Suite plan, or purchasing a HIPAA-enabled Add-On such as the Advanced Data Privacy and Protection Add-On which includes access logs, advanced encryption, redaction capabilities, and data retention policies.
The Zendesk Business Associate Agreement
Like many software providers, Zendesk does not sign customers’ Business Associate Agreements but instead provides a “one-size-fits-all” addendum to the Main Services Agreement/Service Order Form. The addendum covers all the necessary terms of a Business Associate Agreement and lists the responsibilities of both parties. It also lists which Zendesk services are covered by the agreement – which may be subject to change according to Zendesk’s “Advanced Compliance” web page.
The Advanced Compliance web page also notes that Zendesk does not maintain PHI in designated record sets. This means Zendesk is not required to comply with individuals’ requests to obtain copies of their PHI or to make corrections to PHI at the customer’s request. Under the terms of the Business Associate Agreement, covered entities and business associates are solely responsible for complying with the patients’ rights requirements of the Privacy Rule.
Making Zendesk HIPAA Compliant
In addition to subscribing to a HIPAA-enabled Service Plan or Add-On and signing Zendesk’s Business Associate Agreement, it is also necessary for covered entities and business associates to configure services according to the Security Configuration Requirements to make Zendesk HIPAA compliant. This is not an “optional” requirement. It is a condition of the Business Associate Agreement, and customers that fail to make Zendesk HIPAA compliant could see the service terminated.
The Security Configuration Requirements are not particularly complicated for a system administrator with experience of the Security Rule, as they mostly consist of controls that map to the Technical Safeguards (e.g., user authentication, automatic logoff). However, admins are advised to take care over how notifications are configured: a trigger that acknowledges a new support ticket by email can echo the ticket’s subject or body back to the requester, or to an agent group, and if a patient has typed PHI into that ticket the notification itself becomes a disclosure.
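As an added illustration of that notification check (this is example code written for this article, not Zendesk’s own tooling), the script below audits trigger definitions for email-notification actions whose subject or body uses a placeholder that echoes ticket content. The trigger structure it walks (`actions` entries with `field` of `notification_user`/`notification_group` and a `value` of recipient, subject, body) and the list of content-echoing placeholder names are assumptions drawn from Zendesk’s trigger and placeholder documentation and should be verified against your own account; the sample triggers are constructed for the example.

```python
import re
from typing import Dict, List

# ASSUMPTION: Liquid placeholders that expand to ticket content entered by the
# requester or agents. Verify this list against your Zendesk placeholder
# reference before relying on it; anything that expands to free text belongs here.
CONTENT_PLACEHOLDERS = {
    "ticket.title",
    "ticket.description",
    "ticket.latest_comment",
    "ticket.latest_public_comment",
    "ticket.comments",
    "ticket.comments_formatted",
    "ticket.public_comments",
    "ticket.public_comments_formatted",
}

# Placeholders that identify the ticket without reproducing its content.
SAFE_SUBJECT = "Request #{{ticket.id}} received"
SAFE_BODY = (
    "We have received your request. Reference number: {{ticket.id}}.\n"
    "Please sign in to view or update it: {{ticket.url}}"
)

# Matches {{ticket.description}} and similar, tolerating surrounding spaces.
PLACEHOLDER_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")

# Trigger action fields that send email (ASSUMPTION: Zendesk trigger API names).
EMAIL_ACTION_FIELDS = {"notification_user", "notification_group"}


def find_content_placeholders(template: str) -> List[str]:
    """Return content-echoing placeholder names used in a template, in order."""
    found: List[str] = []
    for match in PLACEHOLDER_RE.finditer(template):
        name = match.group(1)
        if name in CONTENT_PLACEHOLDERS and name not in found:
            found.append(name)
    return found


def audit_triggers(triggers: List[dict]) -> Dict[str, List[str]]:
    """Map each trigger title to the content placeholders its email actions use.

    ASSUMPTION: each email action's ``value`` is [recipient, subject, body].
    Triggers whose notifications only reference ids/links are not reported.
    """
    findings: Dict[str, List[str]] = {}
    for trigger in triggers:
        offending: List[str] = []
        for action in trigger.get("actions", []):
            if action.get("field") not in EMAIL_ACTION_FIELDS:
                continue
            # Skip the recipient (index 0); check subject and body.
            for part in action.get("value", [])[1:]:
                for name in find_content_placeholders(part):
                    if name not in offending:
                        offending.append(name)
        if offending:
            findings[trigger["title"]] = offending
    return findings


# Constructed sample: the first trigger mirrors a typical default acknowledgement
# that repeats the ticket title and description; the second uses only id/url.
SAMPLE_TRIGGERS = [
    {
        "title": "Notify requester of received request",
        "actions": [
            {
                "field": "notification_user",
                "value": [
                    "requester_id",
                    "[Request received] {{ticket.title}}",
                    "Your request has been received.\n\n{{ticket.description}}",
                ],
            }
        ],
    },
    {
        "title": "Notify requester (HIPAA-safe acknowledgement)",
        "actions": [
            {
                "field": "notification_user",
                "value": ["requester_id", SAFE_SUBJECT, SAFE_BODY],
            }
        ],
    },
]


if __name__ == "__main__":
    for title, names in audit_triggers(SAMPLE_TRIGGERS).items():
        print(f"{title}: echoes ticket content via {', '.join(names)}")
```

Run against an export of your triggers (for example the JSON returned by the Triggers API) rather than the constructed sample; any trigger it reports should have its subject and body reduced to a ticket reference and a link, as in `SAFE_SUBJECT` and `SAFE_BODY`, so the email carries nothing the requester or an agent typed into the ticket.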
Why User Training is Important
Making Zendesk HIPAA compliant is only part of the task if covered services are going to be used to create, collect, store, or transmit PHI. It is also important to train users on how to use Zendesk in compliance with its terms and conditions, particularly when users connect to Zendesk from personal mobile devices, because Zendesk places restrictions on how mobile devices must be configured to secure PHI stored on the platform (see Section VIII of the Security Configuration Requirements).
In addition to training users to use Zendesk in compliance with its terms and conditions, it may also be important to train them to use Zendesk in compliance with HIPAA itself, especially with regard to permissible uses and disclosures and the minimum necessary standard. Organizations that are unsure how these HIPAA compliance requirements may affect their use of the Zendesk platform should seek professional compliance advice.