Zendesk is HIPAA compliant for covered services in HIPAA-enabled Service Plans or HIPAA-enabled Add-Ons when a HIPAA Covered Entity or Business Associate enters into Zendesk’s Business Associate Agreement and configures the services to comply with Zendesk’s Security Configuration Requirements before using the platform with Protected Health Information (PHI).
Zendesk is a customer experience platform that was originally designed as a customer service solution and now also includes sales, customer management, and workforce productivity services. By default, Zendesk is not HIPAA compliant because the Main Services Agreement prohibits customers from storing or transmitting PHI unless Zendesk expressly agrees otherwise in writing. Customers can subscribe to a HIPAA-enabled Zendesk Suite plan or purchase a HIPAA-enabled Add-On such as the Advanced Data Privacy and Protection Add-On, which includes access logs, advanced encryption, redaction capabilities, and data retention policies.
Zendesk provides its Business Associate Agreement as an addendum to the Main Services Agreement or Service Order Form rather than signing a customer-provided agreement. The addendum contains the terms required for a Business Associate Agreement, assigns responsibilities to each party, and identifies which Zendesk services are covered. Zendesk indicates that the list of covered services may change based on its Advanced Compliance information. Depending on use, third-party apps and integrations may need to be disabled or covered by separate Business Associate Agreements.
Zendesk indicates that it does not maintain PHI in designated record sets. Individuals’ requests to obtain copies of PHI and requests to correct PHI remain the responsibility of the HIPAA Covered Entity or Business Associate under the HIPAA Privacy Rule when Zendesk is used.
Zendesk requires customers to implement the Security Configuration Requirements as a condition of the Business Associate Agreement, and failure to comply can result in termination of the service. The requirements largely reflect controls associated with the HIPAA Security Rule Technical Safeguards, including user authentication and automatic logoff. Notification settings require administrative review to prevent disclosures of PHI when the platform sends support ticket acknowledgements by email.
Users require training on permitted use under Zendesk’s terms and conditions and on secure access practices when connecting via personal mobile devices, because the Security Configuration Requirements include restrictions on how mobile devices are configured to secure PHI stored on the platform.
