Freshworks commitment towards HIPAA Compliance
As a SaaS-based product provider, Freshworks offers several products. There could be instances when customers may use some of our products to process electronic Personal Health Information (ePHI) in the normal course of their business operations. As per the Health Insurance Portability and Accountability Act (HIPAA) of 1996, should our customers get categorized as either Covered Entity or Business Associate, Freshworks may extend support to their compliance towards HIPAA by mutually executing a Business Associate Agreement (BAA).
The scope of BAA is limited to Freshdesk, Freshservice, Freshsales, Freshcaller, and Freshchat products that are offered by Freshworks. The processing of any ePHI in any of our other products is not recommended and will not be covered within the scope of our BAA. This document sets forth the Secured Operating Environment (SOE) that is Mandatory for Customers (either Covered Entity or Business Associate) to adhere to while using Freshchat to process ePHI. The validity of our BAA is subject to continued adherence by the Customers to the specifications that are mentioned in this document. Further, Freshworks is not liable for Customer's usage of their custom mailbox and/or any Apps (as defined in Customer's agreement with Freshworks). We encourage Customers to independently configure these for their continued compliance with HIPAA.
Secure Operating Environment
1. IP Whitelisting: Whitelist specific IP addresses to enforce access to your Freshchat account only from the sources that are authorized by you. Know more.
2. Restricted access: Configure role-based access controls to ensure that access to your agents are limited based on their job responsibilities. Know more.
3. Identification and Authentication: Enable SAML SSO for users to access their Freshchat account with your unified identification and authentication system and also to validate users logging into the portal using your script. SAML is a mechanism used for communicating identities between two web applications. It enables web-based Single-Sign-On and hence eliminates the need for maintaining various credentials for various applications and reduces identity theft.
4. Data Sanitization: In addition, customers can truncate ePHI data in the patient conversations by using the data truncation feature in Freshchat, which accepts regex patterns. Customers have to reachout to the product support team (firstname.lastname@example.org) with the regex pattern to enable it on behalf of the customer. The responsibility for the correctness of the regex patterns will remain with the customer.
- Sanitisation of User Properties: Responsibility of the customer to sanitise before sending it to Freshchat
- Sanitisation of Chat Messaging: Supported, regex based truncation applied by Freshchat.
5. End-Point Security: Ensure the end-point systems used by your agents are hardened and secured for protecting the health care data that they process. The systems shall be identified to specific agents, authenticated, configured to be automatically locked down in case of idleness, and secured from malware.
6. Features and options to be configured:
- Disable FullContact Enrichment - In Hipaa compliance mode, user’s information should not be fetched from social media using Full contact. Hence a HIPAA compliant customer should opt-out of user enrichment option from FullContact through GDPR Settings (Settings> GDPR) in their Freshchat account.
- GDPR settings to be mandatorily enabled by the customer - More details below.
Customers of Freshchat should enable all the three GDPR settings,
a.) Turn-on opt-out of analytics,
b.) Turn-on opt-out of saving user IP address and
C.) Turn-on opt-out of user enrichment done through fetching social media data from Full-Contact.
- Co-Browsing - Customers should not enable co-browsing capability in order to be compliant with HIPAA.
- CSAT - Customer should keep the option “Ask for additional feedback after the user has rated the interaction” disabled. Enabling it, will have the risk of ePHI data being shared in the CSAT survey which is not protected by data sanitization/masking in Freshchat., Customers should not enable this option to adhere with HIPAA Compliance.
- Email Campaigns - If the customer uses the email campaigns feature, they need to ensure they configure a custom ‘reply to’ email address that does not come back to Freshworks but to a customer-managed email address.
7. Integrations & Apps not to enable:
Customers should not enable the following external integrations and marketplace apps,
- WhatsApp Business integration
- Facebook integration
- Apple Business Chat integration
- Slack integration
- Zendesk integration
- Clearbit integration
- Wordpress integration
- Shopify integration
- Any marketplace apps or API integrations with 3rd party systems that send user data or conversations data
- Any external bot vendor integrations via APIs or apps that send user data or conversations data
a. Notifications to Visitors:
As these notifications go through sub-processors like Google-Firebase, Apple Notification service, who don’t sign a BAA, customers should disable the push notification service for visitors using the below instructions to comply with HIPAA
i. Turning off Notification to Visitors on Web:
Default state is on, it can be disabled by customers using the following config code during widget init.
ii. Turning off Notification to Visitors on Mobile (mobile SDK):
Default state is off, unless explicitly enabled by the customer with customer-managed keys. Please do not enable this to comply with HIPAA.
b. Notifications to Agents:
Freshchat provides the capability to mask the notification message for agents into a generic "Got new message" from "User" instead of actual user name and actual message text. This is an account level setting. Please reach out to email@example.com while setting up the account, to enable this option to send generic/custom text (like “got new message”) instead of actual message at the account level for all Notifications to Agents. This option needs to be enabled in order to be compliant with HIPAA for all Agent Notifications.
For information on the information security practices followed at Freshworks, please refer to https://www.freshworks.com/security/
If you have any questions, please reach out to firstname.lastname@example.org.