The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Zendesk HIPAA Compliant?

Zendesk is HIPAA compliant for covered services in HIPAA-enabled Service Plans, provided organizations agree to the terms of Zendesk’s Business Associate Agreement and configure services to comply with Zendesk’s Security Configuration Requirements. Depending on how the platform is used, it may also be necessary to disable third-party apps and integrations, or enter into separate Business Associate Agreements with third-party software vendors.

Zendesk is a customer experience platform that was originally designed as a customer service solution but now also includes sales, customer management, and workforce productivity services. By default, Zendesk is not HIPAA compliant because it prohibits customers from storing or transmitting Protected Health Information (PHI) under §2.3 of the Main Services Agreement unless “expressly agreed to otherwise by Zendesk in writing”.

However, because many customers want to use the platform to create, collect, store, or transmit PHI, Zendesk provides a number of options for overcoming this prohibition. These include subscribing to a HIPAA-enabled Zendesk Suite plan, or purchasing a HIPAA-enabled Add-On such as the Advanced Data Privacy and Protection Add-On which includes access logs, advanced encryption, redaction capabilities, and data retention policies.

The Zendesk Business Associate Agreement

Like many software providers, Zendesk does not sign customers’ Business Associate Agreements but instead provides a “one-size-fits-all” addendum to the Main Services Agreement/Service Order Form. The addendum covers all the necessary terms of a Business Associate Agreement and lists the responsibilities of both parties. It also lists which Zendesk services are covered by the agreement, which may be subject to change according to Zendesk’s “Advanced Compliance” web page.


The Advanced Compliance web page also notes that Zendesk does not maintain PHI in designated record sets. This means Zendesk is not required to comply with individuals’ requests to obtain copies of PHI or make corrections to PHI at the customer’s request. Under the terms of the Business Associate Agreement, covered entities and business associates are solely responsible for complying with the patients’ rights requirements of the Privacy Rule.

Making Zendesk HIPAA Compliant

In addition to subscribing to a HIPAA-enabled Service Plan or Add-On and signing Zendesk’s Business Associate Agreement, it is also necessary for covered entities and business associates to configure services according to the Security Configuration Requirements to make Zendesk HIPAA compliant. This is not an “optional” requirement. It is a condition of the Business Associate Agreement, and customers that fail to make Zendesk HIPAA compliant could see the service terminated.

The Security Configuration Requirements are not particularly complicated for a system administrator with experience of the Security Rule, as they mostly consist of controls to meet the requirements of the Technical Safeguards (i.e., user authentication, automatic logoff, etc.). However, admins are advised to take care over how notifications are configured to prevent disclosures of PHI when the platform sends an acknowledgement of a support ticket by email.

Why User Training is Important

It is not only necessary to make Zendesk HIPAA compliant if covered services are going to be used to create, collect, store, or transmit PHI, but it is also important to train users on how to use Zendesk in compliance with its terms and conditions – particularly when users connect to Zendesk via personal mobile devices. This is because Zendesk places restrictions on how mobile devices are configured to secure PHI stored on the platform (see Section VIII of the Security Configuration Requirements).

In addition to training users to use Zendesk in compliance with its terms and conditions, it may also be important to train users how to use Zendesk in compliance with HIPAA, especially with regard to permissible uses and disclosures and the minimum necessary standard. Organizations that are unsure about how these HIPAA compliance requirements may affect their use of the Zendesk platform should seek professional compliance advice.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
