Since Paubox is a Business Associate to thousands of customers, we’ve been wondering if they are able to use Freshdesk in a HIPAA compliant manner. In fact, we've noticed more vendors, customers, and prospects asking about HIPAA compliant services. This is especially true now as we see an accelerated, long overdue adoption of digital transformation in healthcare.
We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud services in this sector. Today we will determine if Freshdesk offers HIPAA compliant service or not.
Freshdesk is a cloud-based customer engagement solution that aims to streamline customer support and service. Freshdesk was founded in 2010 and is headquartered in San Mateo, CA.
What is a Business Associate?
A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a Covered Entity. In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.
Read full article: What does it mean to be a Business Associate?
Business Associate Agreement provisions
If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement (BAA) must be in place. A BAA is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance. At a minimum, a Business Associate Agreement contains 10 provisions.
Read full article: Business Associate Agreement Provisions
Freshdesk and the Business Associate Agreement
We checked the Freshdesk site for mention of their ability to sign a Business Associate Agreement (BAA). We found the following pages:
- HIPAA Configuration Guide
- Hippa Compliant (Freshdesk Community Forums)
On those pages, we can see that:
- Freshdesk is willing to sign a BAA with its customers
- However, the Freshdesk HIPAA Configuration Guide states: "Default fields cannot be encrypted to be HIPAA compliant. If the client decides to store PHI data in a non-encrypted field, Freshdesk cannot be held responsible for the same. Any sensitive PHI data needs to be stored as a custom encrypted field."
- Freshdesk apparently only recently aligned itself to be able to sign BAAs with customers (within the past two years)
Does Freshdesk offer HIPAA Compliant Service?
The Business Associate Agreement (BAA) is a key component of HIPAA compliance between a Covered Entity and a Business Associate. We were able to learn the following about Freshdesk's ability to be considered a HIPAA compliant solution:
- Freshdesk states they are willing to sign a BAA with their customers
- However, there are caveats to the BAA that Freshdesk customers should pay careful attention to. For example, not all Freshdesk data fields are within the scope of their BAA.
Conclusion: Freshdesk can be used as a HIPAA compliant cloud service. However, not all of Freshdesk is HIPAA compliant.