Zendesk and Subscriber have entered into that certain Business Associate Agreement (“BAA”) which requires that Subscriber implement and comply with the following configurations for any and all HIPAA Enabled Account(s) before introducing any Protected Health Information into the Services. All capitalized terms used in this document shall have the meanings given to them in the BAA.
Subscriber’s failure to implement and comply with any particular configuration listed below, or any series of required configurations listed below, shall be at Subscriber’s own risk and at Subscriber’s sole discretion; and such failure shall relieve Zendesk and its employees, agents, and affiliates of any responsibility with respect to any unauthorized access to, or improper use or disclosure of, Subscriber’s Service Data, including any electronic Protected Health Information, that results from such failure by Subscriber.
The following minimum Security Configurations for Zendesk Support must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
1. Secure Agent authentication through one of the two following methods:
   a. Employing native Zendesk Support with password settings: (i) set to “High” as described at https://support.zendesk.com/hc/en-us/articles/203663736-Setting-the-password-security-level-for-your-Zendesk-Professional-and-Enterprise-; or (ii) customized by Subscriber in a manner that establishes requirements not less secure than those established under the “High” setting. Additionally, under the option in this subsection Subscriber must also enable and enforce 2-factor authentication natively within the Service; and administrative controls that permit administrators to set passwords for End-Users must be disabled; or
   b. Utilizing an external “single sign-on” solution with established requirements not less secure than those established under the Zendesk "High" password setting and enabling and enforcing 2-factor authentication within the selected solution for all Agents’ access. Administrative controls that permit administrators to set passwords for End-Users must be disabled.
   c. All authentication choices utilizing SSO as the authentication method must disable password access as described in this article: https://support.zendesk.com/hc/en-us/articles/203663766#topic_nxw_j4m_h3.
2. Secure Socket Layer encryption on HIPAA Enabled Account(s) must be and remain enabled at all times. HIPAA Enabled Accounts which utilize a domain other than zendesk.com must establish and maintain hosted SSL as described at: https://support.zendesk.com/hc/en-us/articles/203663726.
3. Agent access must be restricted to specific IP addresses under the control of Subscriber as described at https://support.zendesk.com/hc/en-us/articles/203663706 and https://chat.zendesk.com/hc/en-us/articles/212679837 unless Subscriber enables multi-factor authentication for agents as described above in requirements 1.a or 1.b (either natively within the Service, or within the Subscriber’s environment as coupled with Enterprise SSO). For the avoidance of doubt, “Agent access” shall denote the access granted to a human agent accessing Service Data via the UI (user interface).
4. To the extent Subscriber’s HIPAA Enabled Account enables calls to Zendesk APIs, Subscriber shall assume all responsibility for understanding the security implications of all Subscriber or third party entities allowed to create, access, modify, or delete Service Data and PHI via such access and/or integrations. For access to said APIs, Subscriber shall implement the following security best practices based on the API model used:
   a. OAuth 2.0 approach. This model provides the most granular security capabilities, but requires that entitlements be accepted by an End-User. Where possible, the Subscriber will utilize the OAuth 2.0 approach and authentication scheme as described at: https://support.zendesk.com/hc/en-us/articles/203663836-Using-OAuth-authentication-with-your-application. Subscriber will give each OAuth client a descriptive and unique Client Name and Unique Identifier designating function. Permissions granted for each OAuth token should allow for the least privilege needed to accomplish the required task(s).
   b. REST API token approach. This model is the broadest, and allows an API token to utilize the full functionality of the API model. By its nature, it provides the widest access and capabilities and should be used with caution. When using this approach, Subscriber will (i) use a unique token for each service and give the token a descriptive name designating function; (ii) not share API tokens with any third-party unless reasonably required and pursuant to transmission methods which are encrypted from end-to-end; (iii) acknowledge that if an API token is shared with a third-party, and Subscriber is made aware of a third-party data breach, Subscriber will rotate the associated token immediately; and (iv) at a minimum, rotate the token once every one hundred and eighty (180) days. Subscriber shall follow Service’s REST API Terms of Service located here: https://www.zendesk.com/company/customers-partners/application-developer-api-license-agreement/.
5. Subscriber must enable ‘require authentication for download’ in order to require authentication to access attachments as described at https://support.zendesk.com/hc/en-us/articles/204265396.
6. Subscriber must systematically enforce, on all endpoints accessed by Agents, Admins, and Owners, a password-locked screensaver or startup screen set to engage at a maximum of fifteen (15) minutes of system inactivity.
7. Subscriber must not alter viewing permissions so as to allow a user to see updates for an entire organization, and must not change the default setting that limits a user's access to the user's own tickets alone.
8. Subscriber acknowledges that Zendesk is not responsible for securing email transmissions from End-Users, and related Service Data, prior to being received into Subscriber’s Zendesk Support instance. This includes any PHI that may be passed through email via replies to Zendesk Support tickets, including but not limited to, ticket comments or attachments.
9. Subscriber acknowledges that Zendesk Support sends an email out to an End-User when a Subscriber’s Agent responds to a Zendesk Support ticket. By default, this email contains whatever correspondence the Agent has sent back to the End-User, and potentially could include PHI. To further protect Subscriber, their Zendesk Support instance should be configured to only alert the End-User that an Agent has responded, and require the End-User to authenticate into Zendesk Support to see the contents of the message. This custom configuration is covered in the following Zendesk article: https://support.zendesk.com/hc/en-us/articles/216845398.
10. Subscriber acknowledges that any text message functionality leveraged at its sole discretion across any Zendesk Service is underpinned by SMS and/or related protocols, which may involve the unencrypted transmission of messages being sent into, or out of, the Service(s). As such, text message functionality should either:
   a. not be used in a HIPAA Enabled Account*, or
   b. if used, the Subscriber assumes all responsibility for the usage of such functionality.
* For the avoidance of doubt, the data caveats related to ePHI in section 10 regarding SMS do not apply to in-product 2FA usage (as described in section 1.a), as such functionality merely sends out a numerical string for identity verification.
The following minimum Security Configurations for the Zendesk Guide Service must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
1. Subscriber must have purchased and be a current subscriber of Zendesk Support Enterprise, Zendesk Guide Service, and the Advanced Security Deployed Associated Service.
2. Subscriber acknowledges that the Guide and Gather Services are public by nature (where not leveraging IP restrictions for “internal” help centers) and therefore Subscriber shall ensure that any articles in Zendesk Guide or Gather Service do not include PHI, either through the text of the article or as an attachment to, or image within, the article.
3. Subscriber shall either disable the ability for End-Users to add comments in Zendesk Guide Service as described at: https://support.zendesk.com/hc/en-us/articles/115002382627 or shall moderate all comments (as denoted in section 4 below) and assume responsibility for removing sensitive information including PHI from said comments.
4. Where Zendesk Guide Service is Guide Professional or Enterprise, Subscribers should, when possible, disable the ability for end users to create new posts by turning off the Gather functionality within Zendesk Guide as described here: https://support.zendesk.com/hc/en-us/articles/217377008 or, when turning off Gather features cannot be pursued due to the Subscriber’s intended use case for their help center, Subscribers shall enable content moderation in Zendesk Guide Service and set it to "Moderate all content" at: https://support.zendesk.com/hc/en-us/articles/203664466. No submissions containing PHI shall be approved.
5. Subscriber use of non-employee “Community Moderators” within the Gather Service shall not be allowed.
6. Subscriber acknowledges that “@mentions” of Gather community members are possible where end users are allowed to have public profiles; should this functionality be deemed a risk in their use case, public profiles shall be turned off as per this article: https://support.zendesk.com/hc/en-us/articles/221136307-Enabling-and-disabling-profiles-in-your-Help-Center-Guide-Professional-and-Enterprise-.
For subscribers who have signed Zendesk’s BAA, the following Zendesk Insights Configuration must be complied with for any HIPAA Enabled Account(s):
Subscriber shall configure all HIPAA Enabled Account(s) so (i) that PHI will not be contained within any custom fields or ticket title established within Zendesk; or (ii) where Subscriber does establish such a custom field, Subscriber is solely responsible for contacting Zendesk Support to exclude such custom field from Zendesk Insights reporting.
The following minimum Security Configurations for the Zendesk Chat Service must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
1. Subscriber shall purchase and maintain subscription to: Zendesk Support Enterprise; Zendesk Chat Enterprise; and Advanced Security Deployed Associated Service (“Add-On”).
2. Subscriber shall limit Agents’ access to the Zendesk Chat Service by coupling with and authenticating via the Zendesk Support Service.
3. Subscriber shall disable email piping as described here: https://support.zendesk.com/hc/en-us/articles/360022366033.
4. Subscriber shall either disallow the use of attachments in Chat or assume all responsibility for ensuring said attachments contain no PHI or other sensitive information.
The following minimum Security Configurations for usage of Zendesk Explore Service must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
Subscriber acknowledges that ePHI may be surfaced in the Explore product via usernames, ticket titles, field and form choices, and any content found in free form text fields.
1. For any in-scope Service instance(s) containing PHI, Subscriber shall (i) only grant access to the Explore interface to agents who can access all tickets/calls/chats which may contain PHI in the parent Service instance(s), and (ii) shall grant such access taking into account the least amount of privileges necessary for the use of Explore in their environment. For more information on configuring access levels in Explore, please see: https://explore.zendesk.com/hc/en-us/articles/360019099014.
2. Where leveraging the "export" functionality, (i) Subscriber acknowledges that PHI may be transferred to any device allowed by Subscriber to access the agent's interface and that all attendant controls on such device(s) are the Subscriber's responsibility, and (ii) Subscriber shall deny the use of native export functionality via email for said exported reports unless it assumes the responsibility of either (a) ensuring that no PHI is contained in such exports, or (b) ensuring that the email services used for such transfers can accommodate encryption via the minimum encryption protocol allowed by the then-current PCI standards.
The following minimum Security Configurations for usage of Zendesk mobile applications (or access made by mobile devices such as smartphones or tablets) must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
1. Usage shall include device-level encryption.
2. Biometric or PIN access set to the highest device setting allowed shall be leveraged.
3. Notifications allowing ticket comments to be surfaced onto the lock screens of such devices shall be disabled.
4. Screen inactivity locks shall be enabled and configured to lock at not more than 15 minutes of inactivity.
Disclaimer: Due to changes in law or regulation or changes in the Zendesk Service, the security configurations in this document may change from time to time. This document contains Zendesk’s recommendations for the minimum effective security configurations for the protection of PHI within the Zendesk products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor constitutes legal advice. Each Zendesk subscriber should seek its own legal counsel with regard to its HIPAA compliance requirements and should make the additional changes to its security configurations in accordance with each subscriber’s own independent analysis, so long as such changes do not counteract or degrade the security of the configurations outlined in this document.