Security Configuration Requirements for HIPAA or HDS Enabled Accounts on Zendesk



  • Craig Lima

    January 21st, 2021

    Addition of number 1.11 disallows CSAT unless Subscriber assumes responsibility of data sent via email as part of the survey. 

    Caveat in number 1.7 to make allowances for Subscribers altering viewing permissions due to users already having approval to access such data on their ends.

    Updated entire document to match company style of embedded links within text as opposed to inline URLs (no impact to configuration content).

  • Craig Lima

    July 9th 2021 edit:

    1. Adds point 3. under Chat section for responsibilities around Agent Workspace usage.

  • Maximiliane Zirm

    February 24th, 2023

    • Section I. Support, number 3: removed separate distinction between Support and Chat IP restrictions as the UI is now unified.
    • Section I. Support, number 5: added clarification on failure to meet requirement 
    • Section I. Support, number 7: “Subscriber must not” changed to “Subscriber should not”.
    • Section IV. Chat, number 2: clarifies that all export functionality of data from Chat using email is prohibited, and not just scoped to transcripts and piping. 
    • Section III. messaging: entire section added to account for Zendesk messaging functionality addition to the scope of Zendesk’s Business Associate Agreement.
  • Maximiliane Zirm

    April 13th, 2023

    • Section I, Support, number 4 (APIs):
      • Added link to authentication methods for clarity 
      • b) Removed exact time frame recommendations for rotation to align with industry best practices and removed reference to REST API Terms of Services (redundancy)
      • added c) to warn about the use of Basic Authentication for the API 
    • Section II, Guide:
      • Number 1 (Help center restrictions): added reference to closed or restricted help centers to align with product functionality
      • Number 5 (@mentions): Added option to disable @mentions to align with product functionality 
    • Section III, messaging: 
      • Number 1 and 2 (third party channels and private attachments): added section identifiers (i) and (ii) for clarity
      • Number 2 (private attachments): added “URLs and/or” for clarification
      • Number 7-10 (End-User authentication, Answerbot conversation deletion, redaction, malware scanning): full sections added for transparency
    • Section IV, Sunshine Conversations: whole section added due to Sunshine Conversations in the Zendesk Suite being made part of the BAA 
    • Section V, Chat, number 3 (Agent Workspace): small phrasing corrections
    • Section VIII, mobile applications, number 5-7 (malware scanning, redaction, End-User authentication): whole sections added for transparency
  • Maximiliane Zirm

    October 25, 2023

    • Introduction: Clarified introduction language for HIPAA enabled accounts
    • Section II, Guide and Gather, number 1 (Help center restrictions): replaced IP restrictions with restricted articles for clarification
