Is Zendesk Compliant With HIPAA Rules?


Zendesk is a platform offering customer service software and a support ticketing system. Over 200,000 companies use Zendesk to handle customer support, manage customer queries and build relationships with clients. Can healthcare organizations in the U.S. also use Zendesk products and services for patient communication and the management of electronic protected health information (ePHI)? Is Zendesk compliant with HIPAA rules?

Zendesk offers the following products on their platform:

  • Zendesk Support, which is a call center and ticketing system
  • Zendesk Chat, which is an online and mobile messaging system
  • Zendesk Insights, which is a customer service analytics solution

Zendesk implements strict physical security controls, including 24/7 surveillance and multi-factor authentication, to prevent unauthorized persons from accessing data. Its network has firewall protection and DoS/DDoS prevention solutions to make sure customer data is always available. Vulnerability scans and penetration tests are conducted regularly to maintain the security of Zendesk's systems. To secure customer data from unauthorized access, it is isolated and protected with encryption in transit and at rest.

In 2015, Zendesk began a HIPAA compliance program to allow the healthcare industry to use their platform. Enhancements included implementing security controls such as encryption of data at rest, creating access logs of system activities for audit controls and implementing special configurations to support HIPAA compliance. Zendesk also signs business associate agreements with HIPAA-covered entities or business associates that want to use the Zendesk infrastructure, Zendesk Chat, Zendesk Support, Zendesk Insights and Zendesk Talk. Take note that healthcare organizations need to pay for the advanced HIPAA security controls for these features to be available in the platform.

HIPAA does not require any HIPAA certification. Nevertheless, Zendesk has passed internal HIPAA audits and holds SOC 2 and ISO 27001/ISO 27018 certifications. So, can healthcare organizations use Zendesk? Is it HIPAA compliant? Yes, Zendesk is considered to be HIPAA compliant when covered entities or business associates configure the platform correctly and have a business associate agreement with Zendesk.