The short answer: Yes
- All state and federal data security requirements have been met by ZenDesk and DBHDD to ensure HIPAA compliance.
- You do not need to take additional steps to encrypt information when sending it to DBHDD via ZenDesk.
- To ensure data security, each user must log in to the platform in order to access tickets.
The long answer:
The State of Georgia imposes a number of data security requirements before any state agency may contract with a third-party vendor for services that involve the transfer or management of sensitive Protected Health Information (PHI), which is subject to the Health Insurance Portability and Accountability Act (HIPAA). In addition, DBHDD has its own agency requirements to protect the sensitive data and information of the agencies we work with and the individuals we serve.
ZenDesk provided DBHDD and the State of Georgia (SoG) with all required documentation to ensure it meets all of the state and departmental requirements.
SoG/DBHDD data requirements that were met include the following:
- Platforms utilized by DBHDD involving PHI must be HIPAA compliant.
- DBHDD data is only stored in US data centers.
- DBHDD data is not co-mingled with data from other entities.
- DBHDD data is encrypted "in transit". All communications with the ZenDesk UI and APIs are encrypted over public networks using industry-standard HTTPS/TLS (TLS 1.2 or higher), so all traffic between you and ZenDesk is protected while in transit.
- DBHDD data is encrypted while "at rest". ZenDesk service data is encrypted at rest in AWS using AES-256.
- DBHDD maintains complete ownership of its data.
The review also included the submission of ZenDesk's SOC 2 report to DBHDD prior to approval of a contract.
- "SOC stands for 'System and Organization Controls'. A SOC 2 report is designed to provide assurances about the effectiveness of controls in place at a service organization that are relevant to the security, availability, or processing integrity of the system used to process clients’ information, or the confidentiality or privacy of that information."
Further information on ZenDesk's security measures is available on ZenDesk's website.
Only authorized DBHDD employees have access to the backend of the platform, and staff must use two-factor authentication (2FA) when accessing ZenDesk. DBHDD staff are also required to participate in regular IT data security training as part of departmental protocol.