Is Zendesk HIPAA compliant?
Conditionally. Zendesk will sign a BAA, but only when you purchase the required Advanced Compliance/Advanced Data Privacy add-on, apply its mandated security settings, and execute the agreement.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Enterprise plan plus the Advanced Data Privacy and Protection (or Advanced Compliance) add-on; required security configurations enabled and the BAA executed via DocuSign.
- Official source: Zendesk — Business Associate Agreement — https://www.zendesk.com/company/business-associate-agreement/ (verified 2026-06)
How to use Zendesk in a HIPAA-compliant way
- On an eligible Enterprise plan, purchase the Advanced Security or Advanced Data Privacy and Protection / Advanced Compliance add-on.
- Enable the full set of security configurations Zendesk specifies for HIPAA-enabled accounts.
- Review and sign the Zendesk BAA (provided via DocuSign).
- Configure redaction, access logging, encryption, and data-retention policies as required.
- Train agents on HIPAA-compliant ticket handling and keep PHI within covered Service Data.
Important caveats
- Failing to meet the required security configuration can lead Zendesk to terminate the service.
- Only Service Data within the configured account is covered; out-of-scope integrations are not.
- Implementation/onboarding can take several weeks before the account is HIPAA-enabled.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Zendesk correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Zendesk.
Frequently asked questions
Does Zendesk sign a BAA?
On specific plans. It requires the Enterprise plan plus the Advanced Data Privacy and Protection (or Advanced Compliance) add-on, with the required security configurations enabled and the BAA executed via DocuSign. A signed BAA is required before any PHI is involved.
Is Zendesk HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Zendesk offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Zendesk with PHI?
Failing to meet the required security configuration can lead Zendesk to terminate the service.