May 15, 2024 | 5 min read

Is Zendesk HIPAA Compliant?

Learn how your organization's use of Zendesk can be brought into full compliance with HIPAA standards

TL;DR

  • Zendesk is a widely used CRM and customer support platform; healthcare organizations use it for support ticketing, sales and workforce productivity.
  • Zendesk can be configured to support HIPAA compliance, but its standard configuration is not HIPAA compliant.
  • Zendesk offers HIPAA covered entities the equivalent of a Business Associate Agreement (BAA) through a standardized addendum.
  • Storing sensitive data such as PHI in Zendesk carries compliance risk, because Zendesk has no native capability to automatically detect and redact PHI in ticket comments and attachments.
  • Even with Zendesk's additional security measures enabled, data can still leak through misconfiguration, unauthorized access or accidental sharing. Healthcare organizations handling PHI need a Data Loss Prevention (DLP) solution that is both HIPAA compliant and effective at all times.
  • Strac Zendesk DLP is a data loss prevention solution that automatically detects and redacts sensitive data, keeping it protected and HIPAA compliant.

Is Zendesk HIPAA Compliant?

In its standard configuration, Zendesk is not HIPAA compliant.

Zendesk offers various security features intended to safeguard sensitive data, but handling Protected Health Information (PHI) in a HIPAA-compliant manner requires deliberate configuration. Healthcare organizations must take two steps to bring their use of Zendesk into compliance with HIPAA standards.

First, the organization must be subscribed to a qualifying Zendesk Suite plan or have purchased a Zendesk add-on that supports HIPAA, such as the Advanced Data Privacy and Protection add-on.

Second, covered entities (organizations involved in healthcare that handle PHI) must agree to a Business Associate Agreement (BAA) or equivalent with Zendesk.

Even once both steps are complete, the question remains of how PHI entering Zendesk through tickets and attachments is identified and controlled, which neither the plan nor the agreement addresses on its own.

Will Zendesk Sign a Business Associate Agreement?

For a third-party provider to be considered HIPAA compliant, it must agree to the terms of a BAA with any customers classed as HIPAA covered entities that use its service for storing or processing PHI.

Like some other third-party software providers, Zendesk does not negotiate an individual Business Associate Agreement with each customer. Instead, Zendesk offers a standardized addendum as part of its Main Services Agreement that all customers agree to.

Zendesk’s standardized addendum includes all of the essential terms usually covered in a BAA. For example, the addendum outlines the obligations of both parties and specifies which Zendesk services fall under the scope of the addendum. 

Can You Store Patient Data or PHI in Zendesk?

Zendesk can be configured to support the secure handling of PHI, but storing patient data and PHI in Zendesk still carries significant compliance and data security risks.

While Zendesk offers various security mechanisms (authentication, access controls, encryption, audit logs), it has no native sensitive data detection. Zendesk's security settings cannot be configured to automatically identify and redact PHI in the comments and attachments of help tickets and other communications; an agent, a customer or an integration can paste a Social Security number or a medical record number into a ticket and it will be stored and indexed as-is.
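The detection and redaction step that the paragraph above says Zendesk lacks natively looks roughly like the following. This is an added illustration, not Zendesk's code and not Strac's product: a small Python detector that scans a ticket comment for common PHI identifiers (SSN, medical record number, date of birth, phone, email), replaces each with a typed placeholder and returns an audit record that records what was found and where but never the value itself. The pattern names, the `Finding` type and the sample comment are all constructed for this example; real DLP products add dictionaries, checksums, machine-learned classifiers and context scoring on top of patterns like these.

```python
"""Hypothetical PHI detector/redactor for Zendesk ticket text (added example).

Assumptions (not from the page): ticket comment bodies arrive as plain strings
(for instance pulled from the Zendesk ticket comments API) and "redaction"
means replacing each match with a typed placeholder before the text is stored,
forwarded or logged.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Pattern catalogue. Labelled identifiers (MRN, DOB) capture only the value in
# group 1 so the label survives; unlabelled ones redact the whole match.
# Order matters: specific patterns run first so the generic phone pattern
# cannot eat part of a date or record number.
PHI_PATTERNS = [
    ("MRN",   re.compile(r"\b(?:MRN|medical record (?:number|no\.?))\s*[:#]?\s*([A-Z0-9-]{6,12})\b", re.I)),
    ("SSN",   re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("DOB",   re.compile(r"\b(?:DOB|date of birth)\s*[:#]?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.I)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}(?!\d)")),
]


@dataclass(frozen=True)
class Finding:
    """Where a PHI element was found. The raw value is deliberately not kept,
    so a list of Findings is safe to write to an audit log."""
    kind: str
    start: int
    end: int


def detect_phi(text: str) -> list[Finding]:
    """Return non-overlapping PHI findings in ascending position order."""
    findings = []
    taken = [False] * len(text)          # guards against double-redacting overlaps
    for kind, pattern in PHI_PATTERNS:
        for m in pattern.finditer(text):
            start, end = m.span(1) if m.lastindex else m.span()
            if any(taken[start:end]):
                continue
            for i in range(start, end):
                taken[i] = True
            findings.append(Finding(kind, start, end))
    return sorted(findings, key=lambda f: f.start)


def redact_phi(text: str) -> tuple[str, list[Finding]]:
    """Replace every finding with a [REDACTED <kind>] placeholder."""
    findings = detect_phi(text)
    out, cursor = [], 0
    for f in findings:
        out.append(text[cursor:f.start])
        out.append(f"[REDACTED {f.kind}]")
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out), findings


def audit_summary(findings: list[Finding]) -> dict[str, int]:
    """Counts per PHI kind: enough for an audit trail, without any PHI in it."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample ticket comment; every identifier in it is fictitious.
SAMPLE_COMMENT = (
    "Hi, patient Jane Doe (MRN: A1234567, DOB: 03/14/1985) called about her bill. "
    "Her SSN is 123-45-6789, phone (555) 010-2233, email jane.doe@example.com. "
    "Please update the account and call her back."
)

if __name__ == "__main__":
    redacted, found = redact_phi(SAMPLE_COMMENT)
    print(redacted)
    print(audit_summary(found))
```

Note what the sample leaves behind: the patient's name "Jane Doe" is still in the redacted text, because a name is free text that no regular expression can recognise reliably. That is exactly the gap a pattern-only approach has and why a DLP product layers named-entity recognition and context on top of patterns. Audit records should follow the `Finding` shape here: position and type only, never the matched value, otherwise the log itself becomes a PHI store.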

Can PHI/Patient Data Be Leaked from Zendesk?

Yes. Even with Zendesk's additional security mechanisms enabled, a risk of data leaks remains.

Data leaks occur through misconfigured settings (for example an overly broad sharing or trigger rule), unauthorized access to agent accounts, or accidental sharing of a ticket or attachment. To minimize these risks, healthcare organizations should implement additional controls: strong authentication methods, least-privilege access controls, and automated identification and redaction of PHI before it spreads through tickets, notifications and integrations.

Data security also depends on employees being trained to handle sensitive data properly, in line with data privacy and security standards.

The persistent risk of leaks and of non-compliance with data security standards highlights the need for a robust data loss prevention solution. Many organizations choose a DLP solution to ensure their customers' sensitive data is effectively protected.

How Can Strac Protect Companies Using Zendesk from Data Leaks?

As standard, Zendesk lacks native data loss prevention functionality. This gap leaves the healthcare organizations that use Zendesk as a multi-purpose CRM vulnerable to unauthorized access of sensitive data, accidental leaks and other employee mishaps.

Strac Zendesk DLP ensures your organization's use of Zendesk remains secure and fully compliant, at all times. 

Here's how the Strac DLP integration works:

  • Regulatory Compliance: Strac's DLP solutions maintain strict compliance with standards such as PCI, SOC 2, HIPAA, ISO 27001, CCPA, GDPR and NIST.
  • Instantaneous Redaction: Strac's DLP identifies sensitive data in Zendesk as soon as it appears and redacts it immediately.
  • Comprehensive Audit Overviews: Strac documents each Zendesk activity in detail, improving transparency and streamlining audits.
  • Effortless Integration: Strac integrates with Zendesk for robust and continuous data protection.
  • Specialized Protection Across the Board: DLP policies are customized to your specific Zendesk environment.
  • AI Integration: Strac extends protection to AI interactions, integrating with LLM APIs and AI platforms such as ChatGPT, Google Bard and Microsoft Copilot, securing both AI applications and the data they process. More details are available in Strac's developer documentation.
  • Data Security Intel: Keep up with Strac's insights on new data threats and vulnerabilities affecting Zendesk.
  • Detailed Control & Configuration: Adjust your Zendesk security measures to your needs. Refer to Strac's catalog of sensitive data elements for more information.
  • API Capabilities: Strac provides developers with APIs for detecting and redacting sensitive data. Visit Strac's API Docs for access.

To learn more about how Strac ensures ongoing compliance with HIPAA standards, see our guide to HIPAA Compliance.

Book a free 30-minute demo to learn how Strac can keep your business secure and fully compliant.
