Paubox blog: HIPAA compliant email made easy

Is Freshdesk a HIPAA compliant cloud service? (Update 2024)

Written by Kapua Iao | June 10, 2020

Freshdesk is a cloud-based customer engagement solution that streamlines customer support and service. Many healthcare organizations use such solutions to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with HIPAA compliant companies.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Freshdesk says it is willing to sign a BAA with its customers and may be HIPAA compliant.


What is Freshdesk?

Freshdesk, a product from Freshworks, lets businesses streamline customer support using customer service software. Freshworks is a software-as-a-service or SaaS provider. With Freshdesk, organizations can:

  • Track and manage incoming questions or issues
  • Provide support across email, calls, chats, social media, and so forth
  • Collaborate with multiple teams
  • Automate redundant tasks
  • Provide a self-service portal for customers
  • Track and analyze employee performances

Healthcare organizations can use Freshdesk to streamline patient and internal communication and manage medical records.



Is Freshdesk a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to these covered entities' business associates (i.e., vendors). These entities perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

  • Permitted uses and disclosures of PHI
  • Safeguards for protecting PHI
  • Reporting and mitigation of security incidents
  • Compliance with HIPAA regulations
  • Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is the primary factor in deciding whether Freshdesk can be used in a HIPAA compliant way. Freshdesk is a business associate of a healthcare organization if it stores, processes, or transmits PHI in the cloud.



Freshdesk and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. We checked the Freshdesk website for mention of a BAA and found updated pages (modified August 2, 2023) on HIPAA compliance:

Accordingly, the Freshworks BAA is limited to Freshdesk, Freshchat, Freshcaller, and Freshdesk Omnichannel, products offered in the Freshworks Freshdesk suite. The HIPAA Configuration Guide further states, “The processing of any [electronic PHI (ePHI)] in any of our other products is not recommended and will not be covered within the scope of our BAA.”


Freshdesk, the cloud, and data security

In 2023, we created a HIPAA compliant checklist for cloud services to address the cloud's increasing use within healthcare. The cloud offers flexibility and convenience but also increases an organization's attack surface. Many cloud tools are available, but not all meet the HIPAA requirements for encryption, data backup, and access controls.

Several web pages address Freshdesk security, including a support document from September 11, 2023. Freshdesk automatically uses a secure encrypted server, relying on Amazon Web Services for its security. Furthermore, the company employs security controls such as data segregation, access controls, encryption, and data logs. At the same time, certain features need to be customized for HIPAA compliance; Freshdesk provides a list of custom specifications:

  1. Freshconnect must be disabled.
  2. Custom Mailbox must be turned on.
  3. IP Whitelisting must be used for approved IP addresses.
  4. Security Assertion Markup Language (SAML) single-sign-on (SSO) must be enabled.
  5. Secure Sockets Layer (SSL) must be configured properly.
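Item 3 on that list (restricting access to approved IP addresses) is only useful if someone verifies it is actually holding. The script below is an added example, not Freshdesk's own code or API: it takes a set of approved CIDR ranges and a constructed agent-login log (both values are made up here) and flags successful logins that came from outside the allowlist, which is the kind of check an organization would run during a periodic audit of its support-desk access controls.

```python
import ipaddress
from dataclasses import dataclass

# Approved source ranges. These are constructed example values drawn from the
# RFC 5737 documentation blocks, not anyone's real office or VPN ranges.
APPROVED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]

# Constructed agent-login log lines, one event per line:
# "<timestamp> <agent> <source-ip> <result>". The third line is a successful
# login from an address outside the approved ranges; the fourth is malformed
# in its address field but is a failed login, so it is not a finding.
SAMPLE_LOG = """\
2024-01-15T08:01:12Z agent1@example.org 203.0.113.45 login_ok
2024-01-15T08:03:40Z agent2@example.org 198.51.100.7 login_ok
2024-01-15T09:17:05Z agent1@example.org 192.0.2.88 login_ok
2024-01-15T09:20:51Z agent3@example.org not-an-ip login_failed
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    agent: str
    source: str
    reason: str


def is_approved(addr: str, ranges=APPROVED_RANGES) -> bool:
    """Return True only if addr parses as an IP address and falls inside an
    approved network. Anything that fails to parse is treated as not approved,
    so a garbled or spoofed field can never pass the check by accident."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def audit_logins(log_text: str, ranges=APPROVED_RANGES) -> list[Finding]:
    """Scan login events and return one Finding per successful login whose
    source address is outside the approved ranges, plus one per line that
    cannot be parsed at all (a silent parse failure would hide events)."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            findings.append(Finding("?", "?", "?", f"malformed line: {line!r}"))
            continue
        timestamp, agent, source, result = parts
        if result == "login_ok" and not is_approved(source, ranges):
            findings.append(
                Finding(timestamp, agent, source,
                        "successful login from outside approved IP ranges")
            )
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG):
        print(f"{f.timestamp} {f.agent} {f.source}: {f.reason}")
```

Run against a real export, the same function would take the organization's actual allowlist and its login audit log; a non-empty result means either the allowlist in the Freshdesk settings does not match the intended ranges or the restriction has been disabled, and either case is worth raising during the audit.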

The company adds other recommendations for HIPAA compliant configurations such as data migration, data sanitization, and data encryption. Finally, users must independently configure other apps or features (such as email) related to Freshdesk to meet HIPAA compliance.


Is Freshdesk HIPAA compliant?

The BAA is a necessary component of HIPAA compliance and Freshworks will sign a BAA for Freshdesk. While the company does secure its servers and data, it also states that users must set certain specifications themselves to be HIPAA compliant.

Conclusion: Freshdesk can be used as a HIPAA compliant cloud service but must be configured by the healthcare organization.


Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

  • Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
  • Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
  • Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
  • Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.