Under HIPAA, Freshworks, the SaaS provider behind Freshdesk, is considered a business associate when it works with healthcare clients to manage their CRM. In the past, Freshdesk HIPAA compliance was not possible because the company was unwilling to sign a business associate agreement (BAA). A BAA is a legal document required by the Health Insurance Portability and Accountability Act (HIPAA); it obligates HIPAA business associates (BAs) to have safeguards in place that secure electronic protected health information (ePHI) in order to be compliant.
Freshworks has recently made Freshdesk HIPAA compliance possible by signing BAAs with its healthcare clients. However, the BAA covers ONLY Freshdesk; it does not extend to Freshworks' other services. Signing a BAA is not enough on its own: to use Freshdesk in accordance with HIPAA standards, additional settings must be configured and enabled.
What is Required for Freshdesk HIPAA Compliance?
Freshdesk HIPAA compliance comes down to how it is configured.
The following configurations must be implemented for Freshdesk HIPAA compliance:
- Freshconnect: this Freshdesk feature must be disabled for HIPAA compliance.
- Custom Mailbox: this feature lets users connect their own mail server to Freshdesk. With the custom mailbox turned on, users retain full control over their incoming and outgoing email. Learn more here.
- IP Whitelisting: lets administrators restrict access to the support portal to users connecting from IP addresses the administrator has approved. Learn more here.
- SAML SSO: Security Assertion Markup Language (SAML) is a standard for exchanging identity assertions between two web applications. SAML enables single sign-on (SSO), which lets users authenticate to multiple platforms with a single set of login credentials. SSO reduces the risk of identity theft by validating users who log in to the support portal. Learn more here.
- SSL: SSL is enabled for all users who host their support portal on freshdesk.com (yourcompany.freshdesk.com). However, companies that use a custom domain for their support portal (support.yourcompany.com) must configure their own SSL certificate. Learn more here.
Other Configuration Recommendations
There are additional protections that Freshworks recommends Freshdesk users implement for Freshdesk HIPAA compliance. Although they are not required, users should consider implementing them to further strengthen the security of their ePHI.
- Secure Data Migration: Freshdesk enables secure data migration without the need for users' data to be stored in Freshworks' local database. Learn more here.
- Data Sanitization: masks sensitive data in the patient conversation, preventing unauthorized access.
- Data Encryption: although not mandated for Freshdesk HIPAA compliance, data encryption converts sensitive data into a format that is unreadable to anyone without the decryption key. Freshdesk lets users add an encrypted single-line field to their forms. Default fields, however, cannot be encrypted and therefore should not be used for ePHI. Freshworks recommends that any PHI be stored in a custom encrypted field.