As a SaaS-based product provider, Freshworks offers several products. There could be instances when customers may use some of our products to process electronic Personal Health Information (ePHI) in the normal course of their business operations. As per the Health Insurance Portability and Accountability Act (HIPAA) of 1996, should our customers get categorized as either Covered Entity or Business Associate, Freshworks may extend support to their compliance towards HIPAA by mutually executing a Business Associate Agreement (BAA).
The scope of BAA is limited to Freshdesk, Freshservice, Freshsales, Freshdesk Messaging, and Freshdesk Contact Center products that are offered by Freshworks. The processing of any ePHI in any of our other products is not recommended and will not be covered within the scope of our BAA. This document sets forth the Secured Operating Environment (SOE) that is mandatory for customers (either Covered Entity or Business Associate) to adhere to while using Freshdesk Contact Center to process ePHI. The validity of our BAA is subject to continued adherence by the customers to the specifications that are mentioned in this document. Further, Freshworks is not liable for customer's usage of their custom mailbox and/or any Apps (as defined in Customer's agreement with Freshworks). We encourage customers to independently configure these for their continued compliance with HIPAA.
Secure Operating Environment
- Call Recordings: Within Freshdesk Contact Center, it is important for HIPAA Compliant customers to configure call recordings according to their business needs. Call recordings are most likely to contain PHI. Freshdesk Contact Center offers multiple controls for this.
- Configure recording settings: disable call recordings for numbers where PHI will be discussed. Alternatively, you can choose to manually start recording in the middle of a specific call. Know more.
- Storing call recordings: if you enable call recording for a number, recordings are stored with encryption and can be accessed only with the necessary authentication within Freshdesk Contact Center. Alternatively, you can choose to store and manage call recordings directly in your own local server using our public APIs. Know more.
- Restricted access: Configure role-based access controls to ensure that access to your agents are limited based on their job responsibilities. Know more.
- SSL Certificate: Freshdesk Contact Center offers a default wildcard SSL for all users who have a support portal on a freshcaller.com domain. This can be used as long as you continue to use the default URL you signed up with (for example, yourcompany.Freshcaller.com).
- End-Point Security: ensure the end-point systems used by your agents are hardened and secured for protecting the health care data that they process. The systems shall be identified to specific agents, authenticated, configured to be automatically locked down in case of idleness, and secured from malware.
For information on the information security practices followed at Freshworks, please refer to https://www.freshworks.com/security/