Freshworks' commitment towards HIPAA Compliance
As a SaaS-based product provider, Freshworks offers several products. There could be instances when customers use some of our products to process electronic Protected Health Information (ePHI) in the normal course of their business operations. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, should our customers be categorised as either a Covered Entity or a Business Associate, Freshworks may support their HIPAA compliance by mutually executing a Business Associate Agreement (BAA).
The scope of the BAA is limited to the Freshservice and Freshdesk products offered by Freshworks. Processing of any ePHI in any of our other products is not recommended and will not be covered within the scope of our BAA. This document sets forth the specifications, categorised as Mandatory or Recommended, that Customers (either Covered Entity or Business Associate) must adhere to while using Freshdesk to process ePHI. The validity of our BAA is subject to continued adherence by the Customer to the mandatory specifications set out in this document. Further, Freshworks is not liable for the Customer's use of their custom mailbox and/or any Apps (as defined in the Customer's agreement with Freshworks). We encourage Customers to independently configure these for their continued compliance with HIPAA.
Mandatory Configuration Specifications
IP Whitelisting: Whitelist specific IP addresses so that your support portal can be accessed only from the sources you have authorised. Know more.
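Whitelisting is enforced by Freshdesk itself, but a practitioner will usually also want an independent way to confirm that portal access really is coming only from the authorised ranges. The following is an added example, not Freshworks code: it audits a set of access-log lines against an IP allowlist and reports every request whose source falls outside it. The allowlist ranges, the log lines and their format are all constructed for the example (assumptions); the check handles both IPv4 and IPv6 ranges and treats unparseable addresses as not allowed.

```python
import ipaddress
import re

# Constructed allowlist (assumption): the ranges the organisation has authorised.
ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),    # constructed: head-office egress range
    ipaddress.ip_network("198.51.100.7/32"),   # constructed: VPN concentrator
    ipaddress.ip_network("2001:db8:10::/48"),  # constructed: IPv6 office range
]

# Constructed sample access-log lines in a common-log-style format (assumption).
SAMPLE_LOG = """\
203.0.113.45 - agent1 [12/Mar/2024:09:01:07 +0000] "GET /a/tickets/1001 HTTP/1.1" 200 5123
198.51.100.7 - agent2 [12/Mar/2024:09:02:11 +0000] "POST /a/tickets/1001/notes HTTP/1.1" 201 412
192.0.2.77 - agent3 [12/Mar/2024:09:03:30 +0000] "GET /a/tickets/1002 HTTP/1.1" 200 4870
2001:db8:10:1::25 - agent4 [12/Mar/2024:09:04:02 +0000] "GET /a/tickets HTTP/1.1" 200 9921
2001:db8:99::5 - agent5 [12/Mar/2024:09:05:19 +0000] "GET /a/tickets/1003 HTTP/1.1" 200 4011
not-an-ip - - [12/Mar/2024:09:06:00 +0000] "GET / HTTP/1.1" 400 0
"""

# Source address, remote user, timestamp and request line of one log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_allowed(ip_text, allowlist=ALLOWLIST):
    """Return True if the address lies inside any allowlisted network.

    A malformed address is treated as not allowed (fail closed), and an
    IPv4 address is never considered a member of an IPv6 network.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def audit_log(log_text, allowlist=ALLOWLIST):
    """Return (ip, user, timestamp, request) for every entry whose source
    address is outside the allowlist, plus any line that cannot be parsed."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append((line, "-", "-", "unparseable line"))
            continue
        if not is_allowed(m["ip"], allowlist):
            findings.append((m["ip"], m["user"], m["ts"], m["req"]))
    return findings


if __name__ == "__main__":
    for ip, user, ts, req in audit_log(SAMPLE_LOG):
        print(f"{ts} {user:<8} {ip:<20} {req}")
```

Run against the constructed sample, the audit flags the two requests from unlisted ranges (192.0.2.77 and 2001:db8:99::5) and the line with a malformed source address; a finding from a range you expected to be allowed is the signal that the portal whitelist and your own network inventory have drifted apart.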
SAML SSO: Enable SAML SSO so that users access the support portal with unified identification and authentication, and so that users logging into the portal are validated by a script hosted at your end. Security Assertion Markup Language (SAML) is a mechanism for communicating identities between two web applications. It enables web-based Single Sign-On, which eliminates the need to maintain separate credentials for each application and reduces the risk of identity theft. Know more.
Custom Mailbox: Configure your own custom mail server with Freshdesk to take full control over incoming and outgoing email. This ensures that all your email transactions take place outside Freshworks and are managed entirely at your end. Know more.
SSL: Freshdesk offers a wildcard SSL certificate for all users who have a support portal on a freshdesk.com domain. This can be used as long as you continue to use the default Freshdesk URL you signed up with (for example, yourcompany.freshdesk.com). However, the default certificate does not work once you have linked a custom domain name to your support portal (for example, support.yourcompany.com). In this case, you will need to configure a custom SSL certificate provided by Freshdesk for your domain name. For this, you will need access to your domain control panel in order to add a DNS record to your custom domain. Know more.
Freshconnect: The Freshconnect feature in Freshdesk must remain disabled for all HIPAA-enabled accounts.
Recommended Configuration Specifications
Data Sanitization: Mask ePHI in patient conversations by integrating with our own Data Masking app.
Data Encryption: Freshdesk allows you to add an encrypted single-line field to your forms. These encrypted fields can be added anywhere a custom field can be added. There is no cap on the number of encrypted fields that can be used. Default fields cannot be encrypted and are therefore not HIPAA compliant. If the client decides to store PHI in a non-encrypted field, Freshdesk cannot be held responsible for it. Any sensitive PHI must be stored in a custom encrypted field.
Secure Data Migration: Ensure that data is migrated securely, without being stored in a local database at Freshworks, so as to comply with your data retention policy. You can contact our support for further details on how the migration works. For information on the information security practices followed at Freshworks, please refer here.
For more information or questions, please contact firstname.lastname@example.org.