HIPAA and HDS Enabled Accounts (collectively "Healthcare Enabled Accounts"):
All capitalized terms used in this document shall have the meanings given to them in Zendesk's Business Associate Agreement ("BAA") or HDS Terms Exhibit to Zendesk's Master Subscription Agreement ("HDS Exhibit"), as applicable to the type of account (collectively, “Healthcare Agreement”).
For the purposes of HIPAA Enabled Accounts, “PHI” means “Protected Health Information,” and for the purposes of HDS Enabled Accounts, “PHI” means “Personal Health Information.”
Zendesk and Subscriber have entered into a Healthcare Agreement which recommends Subscriber to assess and implement, as appropriate for their use case, the following configurations, or alternatives assessed by Subscriber to otherwise address their compliance requirements under applicable law, for any and all Healthcare Enabled Account(s) before introducing any PHI into the Service(s).
If Subscriber chooses, at its sole discretion, to forego implementing any of the recommended configurations listed below, Subscriber shall assume sole responsibility for any unauthorized access to, or improper use of disclosure of, Subscriber’s Service Data, including any PHI, that results from any such deviation(s) from the recommended configurations by Subscriber.
Subscriber must have purchased Service plans at the appropriate level and have the required associated add-ons (please consult your Sales representative where unsure).
If Subscriber has a HDS Enabled Account, Subscriber must click the “Follow” button on the Zendesk Sub-processor Policy to receive notifications of any changes to the sub-processors used to provide the Service(s).
The following minimum Security Configurations for Zendesk Services should be put in place and are acknowledged on the Healthcare Agreement for any Healthcare Enabled Account(s)
I. Zendesk Support:
-
Secure Agent authentication through one of the two following methods:
- Employing native Zendesk Support with password settings: (i) set to “Recommended”; or (ii) customized by Subscriber in a manner that establishes requirements not less secure than those established under the “Recommended” setting. Additionally, under the option in this subsection Subscriber must also enable and enforce Two Factor Authentication ("2FA") natively within the Service; and, administrative controls that permit administrators to set passwords for End-Users must be disabled; or
- Utilizing an external Single Sign On (”SSO") solution with established requirements not less secure than those established under the Zendesk "Recommended" password setting and enabling and enforcing 2-factor authentication within the selected solution for all Agents’ access. Administrative controls permitting Administrators to set passwords for End-Users must be disabled.
- All authentication choices utilizing SSO as the authentication method should disable password access.
- Secure Socket Layer ("SSL") encryption on Healthcare Enabled Account(s) must remain enabled at all times. Healthcare Enabled Accounts which utilize a domain other than zendesk.com must establish and maintain hosted SSL.
- Where possible to do so, agent access should be restricted to specific IP addresses under the control of Subscriber unless Subscriber enables multi-factor authentication for agents as described above in requirements 1.a or 1.b (either natively within the Service, or within the Subscriber’s environment as coupled with Enterprise SSO). For the avoidance of doubt, “Agent access” shall denote the access granted to a human agent accessing Service Data via the User Interface ("UI").
-
To the extent Subscriber’s Healthcare Enabled Account enables calls to Zendesk Application Programming Interface(s) ("API's"), Subscriber shall assume all responsibility for understanding the security implications of all Subscriber or third party entities allowed to create, access, modify, or delete Service Data and PHI via such access and/or integrations. For access to said API’s Zendesk offers various methods as described here and Subscriber shall implement the following security best practices based on the API model used:
- OAuth 2.0 approach. This model provides the most granular security capabilities, but requires that entitlements be accepted by an End-User. Where possible, the Subscriber should utilize the OAuth 2.0 approach and authentication scheme. Subscriber should give each OAuth client a descriptive and unique Client Name and Unique Identifier designating function. Permissions granted for each OAuth token should allow for the least privilege needed to accomplish the required task(s).
- REST API token approach. This model is the broadest, and allows an API token to utilize the full functionality of the API model. By its nature, it provides the widest access and capabilities and should be used with caution. When using this approach, Subscriber should (i) use a unique token for each service and give the token a descriptive name designating function; (ii) not share API tokens with any third-party unless reasonably required and pursuant to transmission methods which are encrypted from end-to-end; (iii) acknowledge that if API token is shared with a third-party, and Subscriber is made aware of a third-party data breach, Subscriber should rotate the associated token immediately; and (iv) at a minimum, rotate the token frequently in accordance with Subscriber’s organization policies.
- When possible, Subscriber should disable password access to the API, as this approach sends the user credentials with every request which exposes them broadly, making them more easily intercepted by malicious parties.
- Subscriber should enable ‘require authentication for download’ in order to require authentication to access attachments. Failure to do so shall mean that any unrestricted attachment may be accessed by anyone with access to the correct URL for said attachment. In such cases, Subscriber shall assume all responsibility for the content of, and access to such attachment data.
- Subscriber should systematically enforce, on all Agents, Admins, and Owners accessed endpoints, a password-locked screensaver or startup screen set to engage at a maximum of fifteen (15) minutes of system inactivity.
- Subscriber should not alter viewing permissions which allow a user to see updates for an entire instance/brand/organization or alter the default setting allowing access beyond the user's own tickets or group (unless Subscriber assumes all responsibility for ensuring such users are approved by Subscriber to access all subsequent data). Subscriber acknowledges that End-User organization permissions can be set in the user profile and in the organization itself and if the settings conflict, the more permissive setting overrides the less permissive setting.
- Subscriber acknowledges that Zendesk is not responsible for securing email transmissions from End-Users, and related Service Data, prior to being received into Subscriber’s Zendesk Support instance. This includes any PHI that may be passed through email via replies to Zendesk Support tickets, including but not limited to, ticket comments or attachments.
- Subscriber acknowledges that Zendesk Support sends an email to an End-User under various circumstances, e.g. when a Subscriber’s Agent responds to a Zendesk Support ticket via the email channel or initiated by an automation or trigger. By default, this email contains the most recent ticket correspondence or other information configured to be included in an automated notification, which potentially could include PHI. To further protect Subscriber, their Zendesk Support instance should be configured to only alert the End-User that an Agent has responded, and require the End-User to authenticate into Zendesk Support to see the contents of the message.
-
Subscriber acknowledges that any text message functionality leveraged at its sole discretion across any Zendesk Service is underpinned by SMS and/or related protocols, which may involve the unencrypted transmission of messages being sent into, or out of the Service(s). As such, text message functionality should either:
- not be used in a Healthcare Enabled Account*, or
- if used, the Subscriber assumes all responsibility for the usage of such functionality
- Subscriber acknowledges that use of the Service's legacy Customer Satisfaction Surveys ("legacy CSAT") functionality sends Service Data (which may contain PHI) associated with the Support ticket via email in order to obtain the user's rating, the encryption status of which is not controlled by Zendesk. As such, the legacy CSAT functionality should either:
- not be used in a Healthcare Enabled Account*, or
- if used, the Subscriber assumes all responsibility for the usage of such functionality
-
Subscriber acknowledges that use of the Service's Customer Satisfaction Surveys ("CSAT") functionality for the ticketing channel, if not configured accordingly, sends Service Data (which may contain PHI) associated with the Support ticket via email in order to obtain the user's rating, the encryption status of which is not controlled by Zendesk. Additionally, anyone with the specific CSAT URL has access to the answers given for a specific ticket. As such, when using CSAT functionality for the ticketing channel Subscriber should
- Configure the CSAT automation email body to not include potential PHI and use the {{satisfaction.survey_url}} placeholder exclusively
- Not use the open-ended questions functionality
* For the avoidance of doubt, the data caveats related to PHI in section 10 regarding SMS do not apply to in-product 2FA usage (as described in section 1.a) as such functionality merely sends out a numerical string for identity verification.
II. Zendesk Guide and Gather:
- Subscriber acknowledges that the Guide and Gather Services are public by nature (where not leveraging restricted articles or using a closed or restricted instance) and therefore Subscriber should ensure that any articles in Zendesk Guide or Gather Service do not include PHI, either through the text of the article or as an attachment to, or image within the article.
- Subscriber should either disable the ability for End-Users to add comments in Zendesk Guide, or should moderate and assume responsibility for removing PHI from all comments (as denoted in section 3 below).
- Where Zendesk Guide Service is Guide Professional or Enterprise, Subscribers should, when possible, disable the ability for end users to create new posts by turning off the Gather functionality with Zendesk Guide, or when turning off Gather features cannot be pursued due to the Subscriber’s intended use case, Subscribers should enable content moderation in Zendesk Guide Service and set to "Moderate all content". No submissions containing PHI should be approved.
- Subscriber use of non-employee “Community Moderators” within the Gather Service should not be allowed unless Subscriber assumes responsibility for such Users' potential access to data, including possible PHI (where applicable).
- Subscriber acknowledges that “@mentions” of Gather community members are possible where allowing for end users to have public profiles and should this functionality be deemed a risk in their use case, public profiles should be turned off or @mentions should be disabled.
III. Zendesk Messaging:
- Subscriber should not enable social media messaging channel integrations unless it assumes full responsibility for either (i) ensuring no PHI is present in social media messages or (ii) concludes its own BAA with integrated messaging platforms.
- Subscriber should disable the ability for End-Users to attach files to messaging conversations, and shall take full responsibility for either (i) enabling secure attachments or (ii) ensuring that Agents do not attach files containing ePHI to messaging conversations. Failure to do so shall mean that any unrestricted attachment may be accessed by anyone with access to the correct URL for said attachment. In such cases, Subscriber shall assume all responsibility for the content of, and access to such URLs and/or attachment data.
- Subscriber shall take all responsibility for ensuring all Agents and light Agents are allowed to view all incoming messages from all End-Users.
- If Subscriber or its Agents access or develop integrations (e.g. as part of a flow created for AI Agents) for APIs and webhooks or customize the messaging experience, Subscriber shall take full responsibility for understanding the privacy and security implications of all custom workflows and for all Subscriber or third party entities (including chatbot providers) allowed to create, access, modify, or delete Service Data and ePHI via such access and/or integrations.
- If Subscriber wishes to remove an Agent’s permission to participate in a messaging conversation while the messaging conversation is currently active, Subscriber shall take all responsibility for forcing termination of said Agent’s access to Zendesk.
- By default, web widget conversations with End-Users are persistent and will be viewable by the End-User when they return to the web chat from the same device. Subscriber shall either disable this feature or take all responsibility for ensuring End-Users are not sharing devices.
-
If Subscriber wishes to implement authentication for End-Users, Subscriber shall take all responsibility for implementing this in a secure manner according to best practices and industry standards.
- When using this approach, Subscriber should (i) use a unique JWT signing key for each authentication channel and give the token a descriptive name designating function; (ii) not share JWT signing keys with any third-party unless reasonably required and pursuant to transmission methods which are encrypted from end-to-end; (iii) acknowledge that if JWT signing key is shared with a third-party, and Subscriber is made aware of a third-party data breach, Subscriber should rotate the associated JWT signing key immediately; and (iv) at a minimum, rotate the JWT signing key frequently in accordance with Subscriber’s organization policies.
- Subscriber should use the expiration JWT attribute and set its value to no more than 15 minutes.
- Subscriber acknowledges that interactions between End-Users and AI Agents which are not handed to a human Agent and transferred into a ticket are still stored in the system and it is the responsibility of Subscriber to delete those in accordance with their obligations (e.g. by implementing a webhook that alerts Subscriber when those conversations are stored and (automatically) triggers deletion via the Sunshine Conversations API).
- Subscriber acknowledges that conversations between End-Users and AI Agents that have been transformed into a ticket cannot currently be redacted. Deletion is possible by deleting the ticket.
- Subscriber acknowledges that End-User attachments on messaging channels are currently not scanned for malware in Zendesk. Subscriber shall take full responsibility of having procedures and policies in place to mitigate the risk for Subscriber’s assets.
- Subscriber acknowledges that use of “Side Conversation” functionality may entail "child ticket" and/or "side conversation" messages being created within or sent from Subscriber’s Support instance to recipients via ticket, email, Slack, or integrations (at configuring Agent’s discretion). If Subscriber elects to use this functionality in a Healthcare Enabled Account, Subscriber assumes any and all responsibility for either (i) ensuring that no PHI is present in such messages, or (ii) if PHI could be present in messages, Subscriber is solely responsible for any liability, cost, damage or harm relating to the unauthorized acquisition, access, use, or disclosure of PHI resulting from exchange of messages via the “Side Conversation” functionality.
IV. Zendesk Sunshine Conversations:
- Subscriber should not enable third party channel integrations unless it assumes full responsibility for ensuring either (i) no PHI is present in third party channel messages or (ii) concludes its own BAA with integrated messaging platforms.
-
Subscriber shall assume all responsibility for understanding the security implications of all Subscriber or third party entities allowed to create, access, modify, or delete Service Data and PHI via the Sunshine Conversations Application Programming Interface(s) ("API's"). For access to said API’s, Subscriber shall implement the following security best practices based on the API model used:
- OAuth 2.0 approach. This model provides the most granular security capabilities, but requires that entitlements be accepted by an End-User. Where possible, the Subscriber should utilize the OAuth 2.0 approach and authentication scheme. Subscriber should give each OAuth client a descriptive and unique Client Name and Unique Identifier designating function.
- REST API token approach. This model is the broadest, and allows an API token to utilize the full functionality of the API model. By its nature, it provides the widest access and capabilities and should be used with caution. When using this approach, Subscriber should (i) use a unique token for each service and give the token a descriptive name designating function; (ii) not share API tokens with any third-party unless reasonably required and pursuant to transmission methods which are encrypted from end-to-end; (iii) acknowledge that if API token is shared with a third-party, and Subscriber is made aware of a third-party data breach, Subscriber should rotate the associated token immediately; and (iv) rotate the token frequently in accordance with Subscriber’s organization policy.
- If Subscriber or its Agents access or develop integrations for APIs and webhooks or customize the Sunshine Conversations experience, Subscriber shall take full responsibility for understanding the privacy and security implications of all custom workflows and for all Subscriber or third party entities (including chatbot providers) allowed to create, access, modify, or delete Service Data and PHI via such access and/or integrations.
- Subscriber acknowledges that the IP restrictions configured for Zendesk Support do not extend to the Sunshine Conversations API. Subscribers shall take full responsibility for restricting access to Sunshine Conversations API and API tokens as described in 2.b. and in accordance with Subscriber’s policies.
- Subscriber should disable the ability for End-Users to attach files to Sunshine Conversations conversations, and shall take full responsibility for either enabling secure attachments or ensuring that Agents do not attach files containing PHI to messaging conversations. Failure to do so shall mean that any unrestricted attachment may be accessed by anyone with access to the correct URL for said attachment. In such cases, Subscriber shall assume all responsibility for the content of, and access to such attachment data.
-
If Subscriber wishes to implement Authentication for End-Users, Subscriber shall take all responsibility for implementing this in a robust way according to security best practices and industry standards.
- When using this approach, Subscriber should (i) use a unique JWT signing key for each authentication channel and give the token a descriptive name designating function; (ii) not share JWT signing keys with any third-party unless reasonably required and pursuant to transmission methods which are encrypted from end-to-end; (iii) acknowledge that if JWT signing key is shared with a third-party, and Subscriber is made aware of a third-party data breach, Subscriber should rotate the associated JWT signing key immediately; and (iv) at a minimum, rotate the JWT signing key frequently in accordance with Subscriber’s organization policies.
- Subscriber should use the expiration JWT attribute and set its value to no more than 15 minutes.
- Subscriber acknowledges that interactions between End-Users and AI Agents which are not handed to a human Agent and transferred into a ticket are still stored in the system and it is the responsibility of Subscriber to delete those in accordance with their obligations e.g. by implementing a webhook that alerts Subscriber when those conversations are stored and (automatically) triggers deletion via the Sunshine Conversations API
- Subscriber acknowledges that conversations between End-Users and AI Agents that have transformed into a ticket can currently not be redacted. Deletion is possible by deleting the ticket.
- Subscriber acknowledges that messages deleted via the Sunshine Conversations API are only deleted for End-Users but not deleted on the Zendesk Agent Workspace. This can be achieved with the deletion of the ticket itself or use of the Redaction functionality (limitations see 7.).
- Subscriber acknowledges that all attachments on Sunshine Conversation channels are currently not scanned for malware in Zendesk. Subscriber shall take full responsibility of having procedures and policies in place to mitigate the risk for Subscriber’s employees.
V. Zendesk Chat:
- Subscriber should limit Agents’ access to the Zendesk Chat Service by coupling with and authenticating via the Zendesk Support Service.
- Subscriber should not send Chat transcripts via email, by (a) disabling email piping, (b) disabling the email chat transcript option in the Classic Web Widget, and (c) not sharing exports via email from the Chat dashboard
- Subscriber assumes full responsibility for ensuring (i) no PHI is present in Chats, and/or (ii) all Agents are allowed by Subscriber to view such data.
VI. Zendesk Explore Service:
Subscriber acknowledges that PHI may be surfaced in the Explore product via usernames, ticket titles, field and form choices, and any content found in free form text fields.
- For any in-scope Service instance(s) containing PHI, Subscriber should (i) only grant access to the Explore interface to agents who can access all tickets/calls/chats which may contain PHI in the parent Service instance(s), and (ii) should grant such access taking into account the least amount of privileges necessary for the use of Explore in their environment. For more information on configuring access levels in Explore, please see here.
- Where leveraging "export" functionality, (i) Subscriber acknowledges that PHI may be transferred to device allowed by Subscriber to access agent's interface and all attendant controls on such device(s) are the Subscriber's responsibility, and (ii) Subscriber should deny the use of native export functionality via email for said exported reports unless it assumes the responsibility of either (a) ensuring that no PHI is contained in such exports, or (b) that email services used for such transfers can accommodate encryption via the minimum encryption protocol allowed by the then-current PCI standards.
* Special Considerations for use of Explore Enterprise:
Subscriber acknowledges that use of the Explore Enterprise Service may entail increased data sharing and export functionalities. Subscriber shall:
- either (i) ensure that no PHI exists in such dashboards, and/or (ii) share dashboards only with Agents, Groups, Lists, or End Users who are approved to view and receive such data.
- leverage IP restrictions
- where sharing dashboards via Uniform Resource Locator (URL), Subscriber acknowledges that rather than sharing with individual or group user accounts, the data shall be shared by an access link. Subscriber should therefore (i) enable password protection, (ii) ensure the chosen passwords’ complexity, rotation, storage, and distribution to receiving party complies with Subscriber’s password policies for the protection of data contained in such dashboards, and (iii) is rotated without undue delay upon suspicion or confirmation of exposure
VII. Notice About In-Product Functionality for Deployed Associated Services (“Add-Ons”):
- Collaboration Deployed Associated Service: “Side Conversations.” Subscriber acknowledges that use of “Side Conversation” functionality may entail "child ticket" and/or "side conversation" messages being created within or sent from Subscriber’s Support instance to recipients via ticket, email, Slack, or integrations (at configuring Agent’s discretion). If Subscriber elects to use this functionality in a Healthcare Enabled Account, Subscriber assumes any and all responsibility for either (i) ensuring that no PHI is present in such messages, or (ii) if PHI could be present in messages, Subscriber is solely responsible for any liability, cost, damage or harm relating to the unauthorized acquisition, access, use, or disclosure of PHI resulting from exchange of messages via the “Side Conversation” functionality.
VIII. Zendesk Mobile Applications (or access made by mobile devices such as smartphones or tablets):
- Usage shall include device level encryption
- Biometric or PIN access set to the highest device setting allowed should be leveraged
- Notifications allowing ticket comments to be surfaced onto the lock screens of such devices should be disabled
- Screen inactivity locks should be enabled and configured to lock at not more than 15 minutes of inactivity.
- Subscriber acknowledges that the redaction functionality is not available in the Support Mobile Application and Agents need to login via Browser should they wish to use the redaction functionality.
- If Subscriber chooses to authenticate End-Users for Zendesk messaging, Subscriber acknowledges that the authentication status of an End-User is not displayed in the Support Mobile Application.
IX. Zendesk Insights: support for this Service was deprecated as of February 5th, 2021.
X. Notice About Zendesk AI Functionality (“Zendesk AI”, “Advanced AI”, “Generative AI”, et al):
- Subscriber acknowledges that the Zendesk AI features are intended to increase productivity of the Zendesk Service(s) and should not be used in a manner which could be construed as (i) providing medical or healthcare advice, (ii) providing a diagnosis of condition or symptoms, (iii) prescribing a treatment, or (iv) in any manner preventing a User from seeking a healthcare professional’s advice, diagnosis, or treatment, (v) or otherwise providing a User with information or making decisions scoping them into or out of any healthcare plan, treatment program, testing service, or any other healthcare service which may impact their search for, or receipt of health services (unless Subscriber takes full responsibility for this decision based on their unique use case and interactions with their Users, as well as the potential implications of using AI in such a manner).
- Subscriber acknowledges that if using any generative AI features, Those generated AI outputs are computer-generated and not human-generated, and may produce inaccurate outputs. Zendesk does not guarantee the accuracy of these outputs.
- Subscriber acknowledges that if an AI Agents conversation bot greeting is used to provide a required disclaimer message to Subscriber’s End-Users, the functionality “Generate variations” shall not be activated to ensure the content integrity of the message.
- Subscriber acknowledges that turning on Enhanced Writing functionality in the Admin Center will enable this functionality for all agents in their instance regardless of their roles and permissions.
XI. Zendesk QA
- Subscriber acknowledges that the Zendesk QA AI features are intended to increase productivity of the Zendesk Service(s) and should not be used in a manner which could be construed as (i) providing medical or healthcare advice, (ii) providing a diagnosis of condition or symptoms, (iii) prescribing a treatment, or (iv) in any manner preventing a User from seeking a healthcare professional’s advice, diagnosis, or treatment, (v) or otherwise providing a User with information or making decisions scoping them into or out of any healthcare plan, treatment program, testing service, or any other healthcare service which may impact their search for, or receipt of health services (unless Subscriber takes full responsibility for this decision based on their unique use case and interactions with their Users, as well as the potential implications of using AI in such a manner).
- Subscriber acknowledges that deletion or redaction in their Zendesk instance is not immediately synchronized with Zendesk QA but instead will be carried over in the following 3-6 hours.
- When using the Surveys functionality Subscriber should (i) disable the Zendesk QA AI assist functionality (or ensure all Agents performing QA work are cleared to see any potential data within such transaction, as well as ensuring the tenets of point 1 are in place) (ii) make sure to configure the survey in a way as not to reveal PHI in the survey questions or descriptions (or assume the responsibility of such data in emails being sent via opportunistic StartTLS)
- When using the “Zendesk Chat” custom integration, Subscriber should consider setting a data retention period aligned with Subscriber’s policies to make sure data is not retained for an unlimited time.
- Subscriber acknowledges that when using the Sunshine Conversations API to delete parts of a Zendesk Messaging conversation, this change is not reflected in Zendesk QA. Instead, the information should be removed from the original ticket via redaction or the whole conversation should be removed.
- Subscriber acknowledges that Zendesk QA does not support Zendesk’s “private attachments” feature at this time. This means attachments may be accessed by anyone with access to the correct URL for said attachment and should not be used with sensitive data, including PHI. Subscriber shall assume all responsibility for the content of, and access to such URLs and/or attachment data.
- Subscriber acknowledges that upon initial provisions of Zendesk QA advanced connection configuration is only possible after first sync.
XII. Zendesk Workforce Management "WFM":
- Subscriber acknowledges that
- The default WFM Admin role has access to all Agent activity and settings applicable to the WFM Service (including tags mentioned in point 2 below).
- The default Agent role has access to the Agent’s activity unless configured by Admins to have different access via creation of custom roles as described here
- Subscriber acknowledges that tags applied by Agents, Admins, or predefined system logic within tickets in Support will be visible within the WFM product to any User allowed to see such ticket activity. Should tags be deemed sensitive by the Subscriber, then access should be configured appropriately.
Disclaimer: Due to changes in law or regulation or changes in the Zendesk Service, the security configurations in this document may change from time to time. This document contains Zendesk’s recommendations for the minimum effective security configurations for the protection of PHI within the Zendesk products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor constitutes legal advice. Each Zendesk subscriber should seek its own legal counsel with regard to its HIPAA or HDS compliance requirements and should make the additional changes to its security configurations in accordance with each subscriber’s own independent analysis, so long as such changes do not counteract or degrade the security of the configurations outlined in this document.
Change Log:
January 24th, 2025
- Consolidated HIPAA and HDS configurations
December 27th, 2024
- Added section XII to incorporate Zendesk Workforce Management ("WFM") into scope
December 16th, 2024
- Added section XI to incorporate Zendesk QA into scope
- Changed various instances of "Answer Bot" to "AI Agents" to denote naming convention changes and broader scope.
October 10, 2024
- Added Section I, Support, number 12 (CSAT) and edited Section I, Support, number 11 (legacy CSAT) to accommodate for new functionality.
March 7, 2024
- Added Section X, Notice About Zendesk AI Functionality
-
Section I, Support, number 7 (viewing permissions):
- Clarified that "viewing permissions" pertain to an entire "instance/brand/organization" rather than just "org."
- Added a new provision for End-User specific organization behaviour.
-
Section I, Support, number 9 (email):
- Expanded the circumstances under which Zendesk Support sends an email to an End-User to include responses via the email channel or those initiated by an automation or trigger, rather than just an agent responding to a ticket.
- Specified that by default, automated notifications may contain the most recent ticket correspondence or other configured information, which could potentially include PHI.
October 25, 2023
- Introduction: Clarified introduction language for HIPAA enabled accounts
- Section II, Guide and Gather, number 1 (Help center restrictions): replaced IP restrictions with restricted articles for clarification
April 13th, 2023
-
Section I, Support, number 4 (APIs) :
- Added link to authentication methods for clarity
- b) Removed exact time frame recommendations for rotation to align with industry best practices and removed reference to REST API Terms of Services (redundancy)
- added c) to warn about the use of Basic Authentication for the API
-
Section II, Guide:
- Number 1 (Help center restrictions): added reference to closed or restricted help centers to align with product functionality
- Number 5 (@mentions): Added option to disable @mentions to align with product functionality
-
Section III, messaging:
- Number 1 and 2 (third party channels and private attachments): added section identifiers (i) and (ii) for clarity
- Number 2 (private attachments) : added “URLs and/or” for clarification
- Number 7-10 (End-User authentication, Answerbot conversation deletion, redaction, malware scanning): full sections added for transparency
- Section IV, Sunshine Conversations: whole section added due to Sunshine Conversations in the Zendesk Suite being made part of the BAA
- Section V, Chat, number 3 (Agent Workspace): small phrasing corrections
- Section VIII, mobile applications, number 5-7 (malware scanning, redaction, End-User authentication): whole sections added for transparency
February 24th, 2023
- Section I. Support, number 3: removed separate distinction between Support and Chat IP restrictions as the UI is now unified.
- Section I. Support, number 5: added clarification on failure to meet requirement
- Section I. Support, number 7: “Subscriber must not” changed to “Subscriber should not”.
- Section IV. Chat, number 2: clarifies that all export functionality of data from Chat using email is prohibited, and not just scoped to transcripts and piping.
- Section III. messaging: entire section added to account for Zendesk messaging functionality addition to the scope of Zendesk’s Business Associate Agreement.
July 9th, 2021
- Adds point 3. under Chat section for responsibilities around Agent Workspace usage.
January 21st, 2021
- Addition of number 1.11 disallows CSAT unless Subscriber assumes responsibility of data sent via email as part of the survey.
- Caveat in number 1.7 to make allowances for Subscribers altering viewing permissions due to users already having approval to access such data on their ends.
- Updated entire document to match company style of embedded links within text as opposed to inline URLs (no impact to configuration content).
August 2020
- Addition of Explore Enterprise covering increased dashboard sharing capabilities
- Removal of the ban on Chat attachments (Support auth requirements now cover)
- Disambiguation that the ban on ePHI in custom fields applied specifically to Insights usage and not globally
- Addition of a new section coving Add-Ons to Deployed Services, with "Side Conversations" being the first addition
- Various grammar / formatting edits (inconsequential to content)
July 13th, 2020:
- Disambiguation made regarding usage of SMS via the Service as opposed to native use of SMS for in-product 2FA. * For the avoidance of doubt, the data caveats related to ePHI in section 10 regarding SMS do not apply to in-product 2FA usage (as described in section 1.a) as such functionality merely sends out a numerical string for identity verification."
December 13th, 2019
- allows for Agent IP restrictions to be foregone where use case does not allow for such restrictions so long as MFA on Agent access is enforced.
December 17th, 2019
- allows for end user comments in Guide so long as Agents moderate such comments and remove all PHI.
November 6th, 2019
- Article updated to reflect the change that subscribers may elect at their sole discretion to forgo or substitute any particular configuration so long as they assume the responsibility for such decision.
"Subscriber’s failure to implement and comply with any particular configuration listed below, or any series of required configurations listed below, shall be at
Subscriber’s own risk and at Subscriber’s sole discretion; and such failure shall relieve Zendesk and its employees, agents, and affiliates of any responsibility with respect to any unauthorized access to, or improper use or disclosure of, Subscriber’s Service Data, including any electronic Protected Health Information, that results from such failure by Subscriber. "
-
Other changes include
- 1. the ability to use SMS so long as subscriber assumes all responsibility for ensuring no PHI is present in such transmissions.
- 2. The ability to use attachments in Chat so long as subscriber assumes all responsibility for ensuring no PHI is present in such attachments.
March 6th, 2019
- updated to include settings for Zendesk Explore
January 17th, 2019
- updated to disallow attachments in Chat.
7 comments
Craig Lima
January 21st, 2021
Addition of number 1.11 disallows CSAT unless Subscriber assumes responsibility of data sent via email as part of the survey.
Caveat in number 1.7 to make allowances for Subscribers altering viewing permissions due to users already having approval to access such data on their ends.
Updated entire document to match company stle of embedded links within text as opposed to inline URLs (no impact to configuration content).
0
Craig Lima
July 9th 2021 edit:
1. Adds point 3. under Chat section for responsibilities around Agent Workspace usage.
0
Maximiliane Zirm
February 24th, 2023
0
Maximiliane Zirm
April 13th, 2023
0
Maximiliane Zirm
October 25, 2023
0
Craig Lima
Dec 16th 2024
1. Added section XI to incorporate Zendesk QA into scope
2. Changed various instances of "Answer Bot" to "AI Agents" to denote naming convention changes and broader scope.
3. Changed various instances of “must” and “shall” to “should” to denote best practices philosophy of configs, as well as to reinforce the Subscriber responsibility for interpretation of HIPAA compliance vis-a-vis Admin / Owner configurations and use case implementation https://support.zendesk.com/hc/en-us/articles/4408833510938-The-Zendesk-Shared-Responsibility-Model
0
Craig Lima
Dec 27th, 2024, added section XII to incorporate Workforce Management “WFM” into HIPAA BAA scope
0