
Zendesk is a customer service platform that has become a popular choice for healthcare organizations due to its flexibility and scalability.
To ensure HIPAA compliance, Zendesk provides a feature called "Custom Fields" that allows administrators to collect and store sensitive patient data in a secure manner.
This feature is particularly useful for healthcare organizations that need to collect and store patient information, such as medical history and treatment plans.
Zendesk's HIPAA compliance also includes automatic data encryption, ensuring that sensitive data is protected from unauthorized access.
In addition, Zendesk's audit logs provide a clear record of all user activity, making it easier to track and investigate potential security breaches.
Support for Healthcare
Zendesk can help healthcare providers in various ways. It offers features that cater to patient support, such as creating tickets for customer inquiries and providing live support and chat.
Zendesk's AI-powered bots can predict customer needs and provide prompt solutions, making it easier for patients to get the help they need. These bots are trained on frequently asked issues, ensuring that patients receive accurate and timely assistance.
To ensure HIPAA compliance, Zendesk offers a Business Associate Agreement (BAA) that healthcare organizations and Zendesk can sign. This agreement ensures the legal accountability of both parties to safeguard Protected Health Information (PHI).
Broaden your view: Business Associate Contract Hipaa
Eligible Services
If you're a healthcare provider looking to use Zendesk's support services, you'll be happy to know that some of their services are eligible for coverage by the Business Associate Agreement (BAA).
Zendesk Suite Professional or Enterprise plans cover a range of services, including Support (Ticketing System Functionality), Guide (Help Center Functionality), Gather (Community Forum Functionality), Chat (Live Chat Functionality) and Zendesk messaging, and Explore (Analytics Functionality).
These services are also available on the Zendesk Enterprise Support (legacy plan), which includes Support, Guide, Gather, Chat, and Zendesk messaging, as well as Explore.
Zendesk's Talk (Voice Functionality) is also eligible for coverage, excluding Text, on the Zendesk Talk Enterprise, Professional, or Advanced (legacy plans).
The following table summarizes the eligible services:
Note that any other Zendesk products or third-party services are not HIPAA-enabled, so be sure to review the exceptions to Advanced Security add-ons for more information.
Patient Support
Patient Support is a crucial aspect of healthcare, and Zendesk can help you provide top-notch support to your patients. Zendesk creates a ticket whenever patients inquire through email, phone, chat, or any channel, and they receive a notice confirming that your support team has received their request.
Zendesk's AI-powered bots are trained on frequently asked issues and can predict customer needs, providing prompt solutions. These bots can help reduce the workload of your support team and ensure that patients receive timely assistance.
Zendesk offers various features to help you give the best customer experience, including live support and chat. With Zendesk, patients can easily reach out to your support team and receive help whenever they need it.
Zendesk's ticketing system allows you to track and manage patient inquiries efficiently. This helps you stay organized and ensure that no patient is left without support.
Here are some of the services covered by Zendesk's Business Associate Agreement (BAA) for patient support:
Asking the Right Questions
Asking the right questions is crucial when searching for HIPAA-compliant SaaS applications.
You'll want to ask any SaaS provider about their compliance with the HIPAA Security Rule requirements, which can be found in the Ultimate HIPAA Security and Compliance FAQ.
Grab a copy of the Guide to HIPAA Compliance Checklist to get started on your questions.
This checklist will help you identify the important details to ask any SaaS provider as a HIPAA covered entity.
You can also use the free Zendesk Scanner to scan your entire Zendesk support instance for sensitive data.
This scanner can help you identify potential security risks and ensure you're compliant with HIPAA regulations.
Compliant Features
Zendesk offers several features to help you maintain HIPAA compliance.
Zendesk takes measures to ensure that your data is protected in the cloud by using HIPAA-compliant Amazon Web Services.
To maintain HIPAA compliance while using Zendesk, you can follow these steps: Purchase Advanced Compliance, sign the Business Associate Agreement (BAA), and follow HIPAA standards.
Zendesk requires customers to sign and execute a BAA to enable HIPAA compliance on Zendesk customer accounts.
Here are some specific security controls that must be put into place for Zendesk to be HIPAA compliant:
- Password security level must be set to "High."
- Two-factor authentication must be enabled and enforced.
- Single sign-on (SSO) must be used with password requirements that are not less secure than those established under the Zendesk "High" password setting.
- Password access must be disabled if SSO is used.
- Secure Socket Layer (SSL) encryption must be enabled at all times.
- Permissions must be granted for the least privilege needed to accomplish the required task(s).
- Password-locked or startup screen must be set to engage at a maximum of 15 minutes of system inactivity.
Security and Privacy
To ensure the security and confidentiality of sensitive data, Zendesk has implemented robust security controls.
The company requires a password security level of "High" to be set in the software.
Two-factor authentication must be enabled and enforced natively within the Zendesk service.
If single sign-on (SSO) is used as the authentication method, password requirements must not be less secure than those established under the Zendesk "High" password setting.
Password access must be disabled if SSO is used.
Secure Socket Layer (SSL) encryption on HIPAA-enabled accounts must be enabled at all times.
Permissions granted must allow for the least privilege needed to accomplish the required task(s).
A password-locked or startup screen must be set to engage at a maximum of 15 minutes of system inactivity.
Zendesk has also put in place physical security controls at its offices, including 24-hour surveillance with multi-factor authentication.
The company's network is safeguarded by firewalls, which also prevent DoS and DDoS attacks to ensure the availability of customer data.
Zendesk conducts constant vulnerability scans and penetration tests to ensure the ongoing security of its system.
Customer data is isolated to prevent unauthorized access.
Readers also liked: Pci Compliance Company
Business Associate Agreement
A Business Associate Agreement (BAA) is a written contract between a healthcare provider and a vendor that requires the vendor to implement safeguards to keep electronic protected health information (ePHI) secure.
HIPAA regulations require healthcare providers to enter into a BAA with vendors before they can create, receive, maintain, store, or transmit ePHI on the provider's behalf.
To be HIPAA compliant, healthcare providers must take reasonable steps to cure any material breach or violation by the business associate, and if that's unsuccessful, terminate the contract.
The BAA is a crucial step in ensuring the security of ePHI, and healthcare providers must carefully review and understand the terms of the agreement before signing.
Zendesk, for example, has implemented a HIPAA compliance program and offers a BAA to healthcare groups and their business associates.
This agreement incorporates Zendesk's infrastructure, Support, Chat, Talk, and Insights products, with special configurations to support HIPAA compliance.
Healthcare groups must pay for the advanced security add-on to access these controls, and plan/purchase thresholds apply.
By signing a BAA, healthcare providers can ensure that their vendors are taking the necessary steps to protect their patients' sensitive information.
For your interest: Sign Baa for Hipaa Compliance
Compliance Process
To ensure HIPAA compliance on Zendesk, you'll need to follow a specific process. This involves purchasing Advanced Compliance, which can be done directly or as part of a plan that includes this feature.
Zendesk offers two HIPAA-enabled plans: Suite Professional and Suite Enterprise. To get started, you'll need to purchase one of these plans.
Signing the Business Associate Agreement (BAA) is a critical step in the compliance process. Carefully review the agreement, complete the necessary information, and sign the last page to make it legally binding.
Here are the key conditions that must be met to maintain HIPAA compliance on Zendesk:
- Access to or upgrading to an appropriate service tier, such as Enterprise plan
- Secure agent authorization enabled through single sign on (SSO) or two factor authentication (2FA)
- Enabling SSL
- Restricting agent access to specific IP addresses
- Maintaining proper configurations of APIs
- Users must be authenticated to download attachments
- Agent, Admin, and Owner devices must be set to lock after 15 minutes of inactivity
- Users should not be given permissions to see updates for an entire organization or permissions to see access beyond the user's own tickets
Featured Images: pexels.com


