Zendesk offers support, sales, and customer engagement software. Healthcare providers can use the Zendesk Support Suite to provide virtual patient care via phone, chat, email, text, and mobile. Is Zendesk HIPAA Compliant? For Zendesk to be HIPAA compliant, it must offer security controls that can be configured to meet the HIPAA Security Rule requirements. Zendesk must also be willing to enter into a business associate agreement with providers.
Is Zendesk HIPAA Compliant? Business Associate Agreement
HIPAA regulations require that a healthcare provider enter into a business associate agreement with vendors before those vendors can create, receive, maintain, store, or transmit electronic protected health information (ePHI) on the provider’s behalf. The business associate agreement (BAA) is a written contract requiring each party to do certain things. The contract requires the vendor (the business associate) to implement safeguards that keep secure the ePHI it creates, receives, maintains, stores, or transmits. Where a covered entity knows of a material breach or violation of the contract by the business associate, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, the covered entity must terminate the contract or arrangement.
Zendesk is willing to enter into a business associate agreement with healthcare providers. Zendesk’s business associate agreement requires a healthcare provider to implement and comply with Zendesk security configurations for any and all HIPAA enabled accounts.
Is Zendesk HIPAA Compliant? Security Controls
Under the Zendesk business associate agreement, the following minimum security configurations must be put into place for the software to be HIPAA compliant:
◈ The password security level must be set to “High.”
◈ The provider must enable and enforce two-factor authentication natively within the Zendesk service.
◈ Administrative controls that permit administrators to set passwords for end-users must be disabled.
◈ If the authentication method is SSO (single sign-on), the password requirements may not be less secure than those established under the Zendesk “High” password setting. (Single sign-on is an authentication process that allows a user to log in with a single ID and password to any of several related, but independent, software systems.)
◈ If SSO is used as the authentication method, password access must be disabled.
◈ Secure Socket Layer (SSL) encryption on HIPAA enabled accounts must be and remain enabled at all times.
◈ Permissions that are granted must allow for the least privilege needed to accomplish the required task(s).
◈ The provider must enable “require authentication for download” in order to require authentication to access attachments.
◈ The provider must enforce a password-locked or startup screen set to engage at a maximum of fifteen (15) minutes of system inactivity.
Once a provider signs the business associate agreement and correctly configures the security controls, the Zendesk service has been rendered HIPAA compliant, and the provider may share PHI with Zendesk.