Organizations that operate under the rules and regulations of HIPAA know that there are certain extra steps that need to be taken in order to verify that other organizations or softwares that you work with are also HIPAA compliant. We know that managing HIPAA internal compliance and signing business associate agreements with all other organizations can be time-consuming and confusing. To help clear up some of these questions and confusion, we will lay out everything you need to know about Zendesk and how to utilize this software in a HIPAA compliant manner down below.
What is Zendesk?
Zendesk is a San Francisco-based customer service software company that offers sales support with the ultimate goal of building strong customer relationships. Zendesk’s software is quick and easy to implement while also being scalable to individually fit each organization’s needs.
The Zendesk platform contains many products, including:
- Zendesk Support - a ticketing and call center system.
- Zendesk Insights - an analytics solution for customer service
- Zendesk Chat - a messaging system for both web and mobile use
- Zendesk Sunshine - a flexible CRM platform built on AWS
Zendesk provides best-in-class security for their software solution that uses strict security controls such as multi-factor authentication and constant surveillance of all interactions with data. Zendesk uses enterprise-class security including regular audits of their networks, applications and servers to ensure that all data that is run through them remains protected. Even better, Zendesk is a member of the Cloud Security Alliance (CSA) which is the not-for-profit, world leading organization in terms of dedication to “defining and raising awareness of best practices to help ensure a secure cloud computing environment.”
Now that we have established that Zendesk is a secure and trustworthy software provider, we will explore what that means for HIPAA compliant organizations in specific.
Zendesk and HIPAA Compliance:
Is Zendesk HIPAA Compliant?
Overall, Zendesk is HIPAA compliant when an organization uses the platform correctly and a business associate agreement is signed with them. It is important to note that not all of the necessary controls to make Zendesk HIPAA compliant are standard with the software. Healthcare organizations, like they have to with many other platforms, must pay for the “Advanced Compliance” add-on in order to fulfill the requirements for HIPAA. The HIPAA-compliant add-on is available for customers that are on the enterprise plan.
Signing a BAA with Zendesk?
It is extremely important for HIPAA covered entities and business associates to sign business associate agreements (BAAs) with each outside organization that they choose to share PHI with in any capacity. A BAA is a written contract between a covered entity and a business associate or a business associate and their subcontractor which specifies each party’s responsibilities when it comes to managing protected health information (PHI).
Within the Advanced Compliance add-on that we mentioned above, you will have the ability to sign a business associate agreement with Zendesk. This BAA covers the Zendesk platform including Zendesk Support, Zendesk Insights, Zendesk Chat, and other products.
You’ve made Zendesk HIPAA Compliant... Now What?
A common misconception for organizations that need to comply with HIPAA, is that they have reached full compliance after only a couple of steps. While it is important to ensure that you are utilizing Zendesk in a manner that complies with HIPAA and keeps your protected health information entirely secure. However, HIPAA compliance is a complicated and multi-step process that companies must follow through to the very end in order to be safe from a breach or audit.
Just because you have ensured that your Zendesk usage is compliant or just because your employees are trained yearly, does not mean that your entire organization is HIPAA compliant. If you are unsure of whether you meet the compliance standards, feel free to utilize our free risk assessment in order to determine potential spots of weakness in your organization’s compliance.