Last updated: 2024-11-19

Source: https://support.freshservice.com/support/solutions/articles/238705-freshworks-commitment-towards-hipaa-compliance

Note: We've updated our* pricing and packaging .*

As a SaaS based product provider, Freshworks offers several products. There could be instances when customers may use some of our products in their processing of electronic Personal Health Information (ePHI) in the normal course of their business operations. As per the Health Insurance Portability and Accountability Act (HIPAA) of 1996, should our customers get categorised as either Covered Entity or Business Associate, Freshworks may extend support to their compliance towards HIPAA by mutually executing a Business Associate Agreement (BAA).

The scope of BAA covers all products that are offered by Freshworks. Processing of any ePHI in any of our other products is not recommended and will not be covered within the scope of our BAA. This document sets forth the specifications that are Mandatory for Customers (either Covered Entity or Business Associate) to adhere to while using Freshservice to process ePHI. The validity of our BAA is subject to continued adherence by the Customers to the specifications that are mentioned in this document. Further, Freshworks is not liable for Customer's use of their custom mailbox and/or any Apps (as defined in Customer's agreement with Freshworks). We encourage Customers to independently configure these for their continued compliance with HIPAA.

Configuration Specifications

  • IP Restriction: Restrict specific IP addresses to enforce access to your support portal only from the sources that are authorised by you. Know more
  • Identification and Authentications: It is important that strong identification and authentication rules are configured for users. You could either integrate our product with your own Security Assertion Markup Language (SAML) service or configure the authentication parameters (Password Policy Configuration and Session Timeout) that are within Freshservice.

    • - SAML SSO: Enable SAML SSO for users to access their support portal with unified identification and authentication and also to validate users logging into the portal using a locally hosted script. SAML is a mechanism used for communicating identities between two web applications. It enables web-based Single Sign On and hence eliminates the need for maintaining various credentials for various applications and reduces identity theft. For more details, see Configure SSO and Setting up SSO Policies.

    - Password Policy Configuration: You can set up different levels of password security using Freshservice for your agents and requesters. This includes applying your specifications across password length, password age, password history, and password complexity.

    - Session Timeout: Configure session duration for your users to automatically expire the session after a preset duration of inactivity in the system. Know more.

  • Restricted access: Configure role based access controls to ensure that access to your agents are limited based on their job responsibilities. Know more.
  • SSL Certificate: Freshservice offers a default wildcard SSL for all users who have a support portal on a freshservice.com domain. This can be used as long as you continue to use the default Freshservice URL you signed up with (for example, yourcompany.freshservice.com). However, the default SSL does not work when you have pointed a custom domain name to your help desk portal (for example, helpdesk.yourcompany.com).

    • In this case, you will have to configure a custom SSL certificate provided by Freshservice with your domain name. For this, you will need access to your domain control panel in order to add a DNS record to your custom domain. You can request for a SSL certificate from Freshservice without any additional charges. Know more

  • Custom Mailbox: Configure your own custom mail server with Freshservice to get autonomous control on the incoming and outgoing emails. This functionality lets you make sure that all your email transactions are outside Freshservice, and will be completely managed at your end. Know more
  • Email Notifications: For the HIPAA specific accounts, sensitive fields should not be included in the notifications contents.
  • Team Huddle: The team huddle feature in Freshservice should remain disabled for all HIPAA enabled accounts.
  • Data Sanitization: In addition, you could mask ePHI data in the patient conversations by integrating with your own Data Masking app. Know more

    • For information on the information security practices followed at Freshworks, please refer to https://www.freshworks.com/security/