See Our Apps

Book A Call

See Our Apps

Book A Call

How to Make Zendesk HIPAA Compliant

Learn how to configure Zendesk for HIPAA compliance with essential steps for protecting sensitive health information.

Healthcare Compliance

Apr 2, 2025

Want to make Zendesk HIPAA compliant? Here's how:

Healthcare organizations using Zendesk must take extra steps to secure Protected Health Information (PHI). By default, Zendesk isn't HIPAA-compliant, but with the right plan, configurations, and security measures, you can ensure compliance. Here's a quick overview:

  • Choose the Right Plan: Upgrade to a HIPAA-compatible Zendesk Professional or Enterprise plan.

  • Sign a Business Associate Agreement (BAA): Formalize compliance with Zendesk.

  • Enable Security Settings: Use two-factor authentication (2FA), SSL encryption, and role-based access controls.

  • Protect Mobile Devices: Enforce encryption, PIN access, and auto-lock features.

  • Train Your Team: Educate staff on handling PHI securely and conduct regular audits.

Key Compliance Steps:

  1. Subscribe to a HIPAA-enabled plan.

  2. Configure authentication, data protection, and access controls.

  3. Monitor third-party integrations and audit logs.

  4. Provide ongoing HIPAA training and conduct regular checks.

Setting Up HIPAA Compliance

Choose the Right HIPAA-Compatible Plan

Start by subscribing to a Zendesk Enterprise plan that meets HIPAA requirements. These plans include advanced security features, IP restrictions, and strong authentication options. Once you've selected the appropriate plan, move forward with the Business Associate Agreement (BAA) process to formalize compliance.

Complete the BAA Process

  1. Confirm your HIPAA requirements, ensuring your plan and any add-ons meet these needs.

  2. Contact your Zendesk representative to request the BAA.

  3. Carefully review the Healthcare Agreement, which outlines security settings, responsibilities for protecting PHI, data management, and breach response protocols.

Adjust Security Settings

Make sure to configure these key security settings:

Authentication and Access

  • Enable two-factor authentication (2FA), enforce strong password policies, and apply IP or multi-factor restrictions.

  • Set devices to auto-lock after 15 minutes of inactivity.

  • Prevent end-users from managing administrative passwords.

Data Protection

  • Use SSL encryption for secure data transmission.

  • Require authentication for downloading attachments.

  • Replace triggers with links to your help center, and guide your users to log in there so they could read sensitive healthcare information under the portal’s security.

  • Turn off text messaging in ticketing systems.

Mobile Security

  • Activate device encryption and require biometric or PIN access.

  • Disable lock screen notifications to protect sensitive information.

  • Set mobile devices to lock after 15 minutes of inactivity.

Train Your Staff on HIPAA

Provide comprehensive training for your team on handling PHI, following security protocols, responding to incidents, and maintaining proper documentation. Keep training records and ensure staff receive annual updates. These steps help maintain compliance and safeguard sensitive information.

HIPAA Security Features

Once you’ve set up HIPAA settings, Zendesk offers built-in tools to help safeguard PHI even further.

Data Protection Tools

Zendesk uses AES-256 encryption to secure data at rest and TLS 1.2 for data in transit. This encryption approach works alongside the platform's other security measures, providing strong protection for PHI.

User Access Controls

With role-based access control (RBAC), automatic session timeouts, and Single Sign-On (SSO) options, Zendesk ensures users only access the PHI necessary for their roles. These features also help maintain secure authentication practices.

Activity Tracking

Audit logs in Zendesk track important user actions, like login attempts or changes to security settings. This creates a clear record of PHI access for verification purposes.

These tools work together to provide ongoing protection and help maintain compliance.

Maintaining Compliance

Staying HIPAA-compliant in Zendesk requires constant monitoring and regular audits to ensure security measures remain effective.

Regular Security Checks

Perform monthly audits to assess and maintain:

  • API tokens and their rotation schedules

  • User access permissions and role assignments

  • OAuth client configurations

  • Third-party integration settings

  • Audit logs for any suspicious or unauthorized access attempts

These audits support secure integration management and help identify potential vulnerabilities.

App Integration Rules

When setting up integrations, follow these guidelines:

  • Enforce OAuth 2.0 instead of password-based API access

  • Assign unique identifiers to each OAuth client

  • Apply the least privilege principle by granting only necessary permissions

  • Disable password-based API access to reduce credential exposure risks

For Sunshine Conversations integrations, assess whether messages include PHI. If they do, take one of these steps:

1. Ensure PHI is not included in messages sent through third-party channels.

2. Establish a Business Associate Agreement (BAA) with the messaging platforms involved.

Security Response Steps

Beyond regular checks and integration controls, a solid incident response plan is essential. Be prepared to act quickly in case of a breach with these steps:

  • Take immediate action if unauthorized access is suspected

  • Rotate compromised API tokens or JWT signing keys as needed

  • Document, contain, and investigate any breaches thoroughly

"If an API token is shared with a third-party, and Subscriber is made aware of a third-party data breach, Subscriber should rotate the associated token immediately"

For platforms like Sunshine Conversations, where PHI might be present, implement additional measures:

  • Use webhooks to monitor AI Agent conversations

  • Set up automatic deletion triggers through the API

  • Handle file attachments securely or disable them entirely

  • Regularly check third-party channel integrations for compliance

Maintaining HIPAA compliance demands consistent attention to security settings and swift action when addressing potential risks. By staying proactive, you can ensure your systems remain secure and compliant.

Compliance Responsibilities

It's essential to understand how HIPAA responsibilities are divided between Zendesk and your organization to ensure the security of protected health information (PHI).

Zendesk Coverage

Zendesk provides a compliance framework that covers its core infrastructure and service delivery but requires customers to configure specific settings. Here's what Zendesk offers:

  • Business Associate Agreement (BAA) for accounts with HIPAA features enabled

  • Security measures at the infrastructure level

  • Built-in product security features

  • Technical tools to safeguard data

  • Routine updates and security patches

However, Zendesk clarifies that it is not accountable for:

  • Emails sent by end-users before they reach your Zendesk instance

  • Breaches caused by failure to follow recommended configurations

  • PHI shared through unsecured social media channels

  • Medical or healthcare advice generated by AI features

"Each Zendesk subscriber should seek its own legal counsel with regard to its HIPAA or HDS compliance requirements and should make the additional changes to its security configurations in accordance with each subscriber's own independent analysis, so long as such changes do not counteract or degrade the security of the configurations outlined in this document."

Next, let's dive into the responsibilities your organization must handle to ensure full HIPAA compliance.

Customer Requirements

While Zendesk secures its infrastructure, your organization plays a critical role in managing and strengthening PHI protections. Key areas of responsibility include:

Security Configuration Management

Responsibility Area

Actions

Authentication

Use secure agent login methods like 2FA or SSO

Access Control

Set up IP restrictions and role-based permissions

Data Protection

Activate SSL encryption and manage attachments securely

Mobile Security

Require device encryption and biometric access

API Management

Implement OAuth 2.0 and rotate access tokens regularly

Operational Requirements

1. Service Configuration

Ensure Zendesk services are set up to handle PHI securely by:

  • Subscribing to HIPAA-compliant service plans

  • Managing third-party integrations carefully

  • Monitoring API access and usage

2. Content Management

Minimize PHI exposure across Zendesk products by:

  • Moderating or disabling end-user comments in Guide

  • Avoiding PHI in public-facing articles

  • Restricting file attachment permissions

  • Overseeing messaging channel integrations

3. Staff Management

Assign roles and train your team to handle PHI securely. This includes:

  • Enforcing secure login practices

  • Providing HIPAA training

  • Limiting access based on roles and permissions

"If Subscriber chooses, at its sole discretion, to forego implementing any of the recommended configurations listed below, Subscriber shall assume sole responsibility for any unauthorized access to, or improper use of disclosure of, Subscriber's Service Data, including any PHI, that results from any such deviation(s) from the recommended configurations by Subscriber."

Zendesk provides a secure foundation, but your organization must take active steps to implement and maintain the necessary measures. Regular monitoring and management are key to maintaining HIPAA compliance within your Zendesk environment.

Summary

Ensuring HIPAA compliance in Zendesk involves a combination of technical configurations, operational practices, and ongoing management efforts. This guide breaks down the key steps to set up and maintain a HIPAA-compliant Zendesk environment.

To meet HIPAA standards in Zendesk, you'll need to focus on several key areas:

Plan Selection and Setup

  • Subscribe to an Enterprise plan designed for HIPAA compliance

  • Complete the Business Associate Agreement (BAA)

  • Apply recommended security settings

  • Enable strong authentication methods

Security Measures

  • Implement SSL, IP restrictions, role-based access controls, secure file handling, and active audit logging

Operational Management

  • Provide HIPAA training for your team

  • Regularly review third-party app integrations

  • Schedule routine security audits

  • Keep detailed records of compliance procedures

Compliance Area

Requirements

Authentication

Enable 2FA/SSO and enforce password policies

Data Protection

Use SSL encryption, secure file storage, and maintain audit logs

Access Control

Set role-based permissions, IP restrictions, and manage sessions

Staff Management

Train staff on HIPAA, document access, and promote security awareness

HIPAA compliance isn't a one-time task - it requires constant monitoring and updates. Both the technical setup and operational processes must be actively managed to protect sensitive health information (PHI) effectively.

Related posts

  • 5 Pitfalls For HIPAA Compliance in Zendesk

  • Zendesk Marketplace Apps Supply Chain Risk

‹ Is Zendesk HIPAA Compliant?

Hidden Security Risks In Zendesk Apps ›

Support Center

Contact Us

About Us

See All Apps

Case Studies

Security

© 2024 Adelante CX. All rights reserved.

Privacy Policy

Terms of Service

Support Center

Contact Us

About Us

See All Apps

Case Studies

Security

© 2024 Adelante CX. All rights reserved.

Privacy Policy

Terms of Service

Support Center

Contact Us

About Us

See All Apps

Case Studies

Security

© 2024 Adelante CX. All rights reserved.

Privacy Policy

Terms of Service