How to Make Zendesk HIPAA Compliant
As one of the most popular and trusted software solutions for customer service and support ticketing, Zendesk has a well-deserved reputation for strong data security. Even the most basic Zendesk subscriber plans include substantial security services, including DDoS protection, AES-256 encryption, and a dedicated security team that’s on duty 24/7. Zendesk’s platform also meets the stringent requirements for ISO 27001 and ISO 27018 certification and SOC 2 Type II attestation, covering information security, cybersecurity, and privacy protection. By any metric, that’s a serious amount of data security.
And yet there’s one major regulatory standard with which the out-of-the-box, stock version of Zendesk isn’t compliant: HIPAA.
There’s a good reason for this. The Health Insurance Portability and Accountability Act of 1996, better known in the healthcare industry as HIPAA, doesn’t have an official certification program, so no product can be “HIPAA certified” on its own. Instead, HIPAA’s Privacy and Security Rules require a set of protections for Protected Health Information (PHI), which typically includes Personally Identifiable Information (PII) such as names, dates of birth, and contact details. Compliance is a property of how an organization configures, operates, and contracts for a system, not of the software by itself, and the Security Rule requires periodic risk analysis and evaluation to demonstrate that patient data is safe from fraud, theft, and abuse. A customer support system that offered top-of-the-line data security in 1996 would be completely inadequate for protecting those sensitive patient records from today’s hackers and scammers.
Healthcare database systems are extremely attractive targets for online criminals, as PII and PHI can be used for everything from fraud to blackmail. A criminal who successfully hacked into a healthcare company’s customer service and support database could wreck thousands of lives with just a few keystrokes. So companies that handle PHI can’t just buy off-the-shelf solutions, even when those solutions already offer high levels of security.
HIPAA’s security standards are designed to keep PHI as secure as possible, and they are written to be technology-neutral: they specify the safeguards that must be in place rather than particular products, so the required protections can be met with current technology as it evolves, and the rules themselves are revised over time.
Systems designed to meet these requirements would be overkill for most Zendesk customers, and implementing them for every subscription level would dramatically increase the price of Zendesk’s software. As a result, Zendesk only offers HIPAA enablement as an add-on for customers who truly need it.
Unsurprisingly, a HIPAA-enabled Zendesk deployment comes with additional costs and technical requirements. For example, this option is only available to Enterprise-level Zendesk subscribers, a tier with a much higher per-user cost than the lower-tier options. Customers must also purchase the Advanced Security add-on and sign Zendesk’s Business Associate Agreement (BAA), which adds further conditions to the standard customer contract, including obligations on how the customer configures and uses the product. In addition, customers may need to invest in more technology and processes before their Zendesk instance meets HIPAA standards, such as stronger authentication and access restrictions on PHI, retention and review of audit logs, workforce training, and workflow changes so that PHI isn’t sent through channels the BAA doesn’t cover.
All of these steps and costs are necessary if you’re going to create a HIPAA-compliant system. It’s a major investment, and it’s non-negotiable for any covered entity or business associate that handles PHI. After all, the goal is to protect your customers from harm, fraud, theft, extortion, embarrassment, and worse. And these costs pale in comparison to the liability risk that comes from using an inadequate solution for your customer service and support ticketing.
There Is Good News, However!
The good news is that you can seek out a Zendesk partner that has been through the relevant HIPAA compliance assessments, training, and audits and can configure your Zendesk instance to meet HIPAA requirements, and Faye has done this.
To learn more about the ways your company can use Zendesk to meet HIPAA requirements, contact Faye for a free consultation.