Is Zendesk HIPAA Compliant?

Is Zendesk HIPAA compliant? Can Zendesk products be used by healthcare organizations in the United States for communicating with patients? In this post we explore the Zendesk platform and assess whether it has the necessary privacy and security controls to comply with HIPAA and if the company’s products can be used in connection with electronic protected health information.

What is Zendesk?

Zendesk is a San Francisco-based customer service software and support ticketing system provider used by more than 200,000 companies for managing customer queries, providing support, and building customer relationships. The platform includes Zendesk Support, a call center and ticketing system; Zendesk Chat, a web and mobile messaging system; and Zendesk Insights, a customer service analytics solution.

Zendesk Privacy and Security Controls

Zendesk has implemented physical security controls at its facilities to prevent unauthorized data access, with round-the-clock surveillance and multi-factor authentication. Its network is protected by firewalls, with DoS and DDoS prevention solutions to ensure the availability of customer data. Zendesk performs regular vulnerability scans and conducts penetration tests to verify the continued security of its systems. Customer data is isolated to prevent unauthorized access and is protected with encryption both in transit and at rest.

Zendesk Business Associate Agreement

In 2015, Zendesk launched a HIPAA compliance program to open up its solutions to the healthcare industry. Zendesk implemented enhanced security controls, including encryption for data at rest and auditing controls that allow users to create and maintain logs of system activity. Zendesk also began signing business associate agreements with HIPAA-covered entities and their business associates.

The Zendesk business associate agreement covers the Zendesk infrastructure, Zendesk Support, Zendesk Chat, Zendesk Talk, and Zendesk Insights, with those products including special configurations for healthcare organizations to support HIPAA compliance.

While there is no officially recognized HIPAA certification program, Zendesk has undergone internal HIPAA audits, and the company has attained SOC 2 and ISO 27001/ISO 27018 certifications.

The Zendesk platform does not include all of the necessary HIPAA controls as standard. Healthcare organizations must pay for the advanced security add-on, and plan and purchase thresholds apply.

Is Zendesk HIPAA Compliant?

Zendesk can be HIPAA compliant, provided that users configure the solution correctly and enter into a business associate agreement with Zendesk.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.