All capitalized terms used in this document shall have the meanings given to them in Zendesk's Business Associate Agreement ("BAA").
For subscribers who have signed Zendesk’s BAA, the following Security Configurations for Zendesk Support must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
Secure Agent authentication through one of the two following methods:
- (a) Employing native Zendesk Support with password settings: (i) set to “High” as described at https://support.zendesk.com/hc/en-us/articles/203663736-Setting-the-password-security-level-for-your-Zendesk-Professional-and-Enterprise-; or (ii) customized by Subscriber in a manner that establishes requirements not less secure than those established under the “High” setting. Additionally, under the option in this subsection Subscriber must also enable and enforce 2-factor authentication natively within the Service; and, administrative controls that permit administrators to set passwords for End-Users must be disabled; or
- (b) Utilizing an external “single-sign on” solution with established requirements not less secure than those established under the Zendesk "High" password setting and enabling and enforcing 2-factor authentication within the selected solution for all Agents’ access. Administrative controls that permits administrators to set passwords for End-Users must be disabled.
- (c) All authentication choices utilizing SSO as the authentication method must disable password access as described in this article: https://support.zendesk.com/hc/en-us/articles/203663766#topic_nxw_j4m_h3.
- Secure Socket Layer encryption on HIPAA Enabled Account(s) must be and remain enabled at all times. HIPAA Enabled Accounts which utilize a subdomain other than zendesk.com must establish and maintain hosted SSL as described at: https://support.zendesk.com/hc/en-us/articles/203663726.
- Agent access must be restricted to specific IP addresses under the control of Subscriber as described at https://support.zendesk.com/hc/en-us/articles/203663706 and https://chat.zendesk.com/hc/en-us/articles/212679837.
To the extent Subscriber’s HIPAA Enabled Account enables calls to Zendesk APIs, Subscriber shall implement the following security best practices based on the API model used:
- (a) OAuth 2.0 approach. This model provides the most granular security capabilities, but requires that entitlements be accepted by an End-User. Where possible, the Subscriber will utilize the OAuth 2.0 approach and authentication scheme as described at: https://support.zendesk.com/hc/en-us/articles/203663836-Using-OAuth-authentication-with-your-application. Subscriber will give each OAuth client a descriptive and unique Client Name and Unique Identifier designating function. Permissions granted for each OAuth token should allow for the least privilege needed to accomplish the required task(s).
- (b) REST API token approach. This model is the broadest, and allows an API token to utilize the full functionality of the API model. By its nature, it provides the widest access and capabilities and should be used with caution. When using this approach, Subscriber will (i) use a unique token for each service and give the token a descriptive name designating function; (ii) not share API tokens with any third-party unless reasonably required and pursuant to transmission methods which are encrypted from end-to-end; (iii) acknowledge that if API token is shared with a third-party, and Subscriber is made aware of a third-party data breach, Subscriber will rotate the associated token immediately; and (iv) at a minimum, rotate the token once every one hundred and eighty (180) days. Subscriber shall follow Service’s REST API Terms of Service located here: https://www.zendesk.com/company/customers-partners/application-developer-api-license-agreement/.
- Subscriber must enable ‘require authentication for download’ in order to require authentication to access attachments as described at https://support.zendesk.com/hc/en-us/articles/204265396.
- Subscriber must systematically enforce, on all Agents, Admins, and Owners accessed endpoints, a password-locked screensaver or startup screen set to engage at a maximum of fifteen (15) minutes of system inactivity.
- Subscriber must not alter viewing permissions which allow a user to see updates for an entire org. The default setting allowing access to the user's own tickets alone must not be changed.
- Subscriber acknowledges that Zendesk Support is not responsible for securing email transmissions from End-Users, and related Service Data, prior to being received into Subscriber’s Zendesk Support instance. This includes any PHI that may be passed through email via replies to Zendesk Support tickets, including but not limited to, ticket comments or attachments.
- Subscriber acknowledges that Zendesk Support sends an email out to an End-User when a Subscriber’s Agent responds to a Zendesk Support ticket. By default, this email contains whatever correspondence the Agent has sent back to the End-User, and potentially could include PHI. To further protect Subscriber, their Zendesk Support instance should be configured to only alert the End-User that an Agent has responded, and require the End-User to authenticate into Zendesk Support to see the contents of the message. This custom configuration is covered in the following Zendesk article: https://support.zendesk.com/hc/en-us/articles/216845398.
For subscribers who have signed Zendesk’s BAA, the following Security Configurations for the Zendesk Guide Service must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
- Subscriber must have purchased and be a current subscriber of Zendesk Support Enterprise, Zendesk Guide Service, and the Advanced Security Deployed Associated Service.
- Subscriber must ensure that any articles in Zendesk Guide Service created by Subscriber’s agents do not include PHI, either through the text of the article or as an attachment to the article.
- Subscriber must disable the ability for End-Users to add comments in Zendesk Guide Service at: https://support.zendesk.com/hc/en-us/articles/115002382627.
- If the Zendesk Guide Service is Guide Professional or Enterprise, Subscribers should, when possible, disable the ability for end users to create new posts by turning off the "Community" functionality with Zendesk Guide as described here: https://support.zendesk.com/hc/en-us/articles/217377008 or, when turning off "Community" features cannot be pursued due to the Subscriber’s intended use case for their help center, Subscribers must enable content moderation in Zendesk Guide Service and set to "Moderate all content" at: https://support.zendesk.com/hc/en-us/articles/203664466. No submissions containing PHI shall be approved.
For subscribers who have signed Zendesk’s BAA, the following Zendesk Insights Configuration must be complied with for any HIPAA Enabled Account(s):
Subscriber is solely responsible for configuring, and will configure, all HIPAA Enabled Account(s) to which this BAA applies so (i) that PHI will not be contained within any custom fields or ticket title established within Zendesk; or (ii) that if Subscriber does establish such a custom field, then Subscriber is solely responsible for contacting Zendesk Support to exclude such custom field from Zendesk Insights reporting.
For subscribers who have signed Zendesk’s BAA, the following Security Configurations for the Zendesk Chat Service must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
- Subscriber must have purchased and be a current subscriber of: Zendesk Support Enterprise; Zendesk Chat Enterprise; and Advanced Security Deployed Associated Service (“Add-On”).
- Subscriber must limit their Agents’ access to the Zendesk Chat Service systems by going through the Zendesk Support Service.
- Subscriber must disable email piping at: https://chat.zendesk.com/hc/en-us/articles/212679667.
- Subscriber must disallow the use of attachments in Chat
- Subscribers who use the Zendesk Chat Mobile App must require and enforce its Agents, Admins and Owners to have password protection on any mobile devices using the Zendesk Chat Mobile App.
For Subscribers who have signed Zendesk's BAA, the following minimum Security Configurations for usage of Zendesk Explore Service must be put in place and are acknowledged on the BAA for any HIPPA Enabled Account(s):
Subscriber acknowledges that ePHI may be surfaced in the Explore product via usernames, ticket titles, field and form choices, and any content found in free form text fields.
- For any in-scope Service instance(s) containing ePHI, Subscriber shall (i) only grant access to the Explore interface to agents who can access all tickets/calls/chats which may contain ePHI in the parent Service instance(s), and (ii) shall grant such access taking into account the least amount of privileges necessary for the use of Explore in their environment. For more information on configuring access levels in Explore, please see: https://explore.zendesk.com/hc/en-us/articles/360019099014
- Where leveraging the "export" functionality, (i) Subscriber acknowledges that ePHI may be transferred to device allowed by Subscriber to access agent's interface and all attendant controls on such device are the Subscriber's responsibility, and (ii) Subscriber shall deny the use of native export functionality via email for said exported reports unless it assumes the responsibility of ensuring that no ePHI is contained in such exports.
For subscribers who have signed Zendesk’s BAA, the following minimum Security Configurations for usage of Zendesk mobile applications (or access made by mobile devices such as smartphones or tablets) must be put in place and are acknowledged on the BAA for any HIPAA Enabled Account(s):
- Usage must include device level encryption
- Biometric or PIN access set to the highest device setting allowed should be leveraged
- Notifications allowing ticket comments to be surfaced onto the lock screens of such devices should be disabled
Disclaimer: Due to changes in law or regulation or changes in the Zendesk Service, the security configurations in this document may change from time to time. This document contains Zendesk’s recommendations for the minimum effective security configurations for the protection of PHI within the Zendesk products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor constitutes legal advice. Each Zendesk subscriber should seek its own legal counsel with regard to its HIPAA compliance requirements and should make the additional changes to its security configurations as warranted, so long as such changes do not counteract or degrade the security of the configurations outlined in this document.