HIPAA Compliant Helpdesk Software
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that handles protected health information (PHI), whether as a covered entity or as a business associate of one, has to comply with it. Jitbit Hosted Helpdesk is compliant with the HIPAA security standards and we have many medical institutions among our customers.
We regularly audit our app to make sure it complies with the HIPAA checklist, covering all of the Security Rule's Technical Safeguards, Physical Safeguards and Administrative Safeguards. Some of the things we do regularly:
- A full security risk assessment once a year
- Employee training
- The data is encrypted at rest (disk storage)
- We encrypt all the backups and store extra copies in a separate data center in case of a natural disaster
Jitbit Helpdesk has multiple settings and features to prevent PHI disclosures, even accidental ones.
We'd be happy to sign a BAA with you and we will provide our standard BAA upon request.
We host all our servers on Amazon AWS. We chose them, among other things, for their strict security policies. As you can see on this page, AWS signs a BAA with its customers and designates specific services as HIPAA-eligible (a server is never "HIPAA compliant" on its own; the services we use, EC2 and S3, are on the eligible list). We also encrypt all our backups, enforce a password policy for all users and use only secure encrypted network connections. In addition we log all destructive actions, and we are protected by several firewalls and antivirus systems at both the application and network layers.
We have signed a custom BAA with Amazon to comply with HIPAA, and we can provide this document upon request. Amazon is our only "subcontractor" since we're hosting the servers with their EC2 platform, and storing backups using their S3 service.
If some company claims they have been "HIPAA Certified" - run. They are probably lying. HHS has stated several times that there is no HIPAA certification process and that no organization has the authority to certify HIPAA compliance. Therefore, no - we do not have any official certification. But we do undergo regular third-party audits, for example for PCI DSS compliance (our latest certificate can be found here).
Hosted version only!
Please note that this information applies to the hosted version only. We cannot guarantee the safety of your data when the ticketing system is installed on your own server. We do not know which media are being used to transfer or store PHI, or whether your IT people are regularly trained and educated.
Do I have to do anything on my side to ensure HIPAA compliance?
Yes. First of all - emails. Since the helpdesk software uses email to send out notifications to agents and end-users, you will have to tweak it a little. Email is not a secure way to transfer PHI, even when a TLS-secured connection is used with the mail server (it is on our server, by the way): TLS only protects each hop in transit, and the message is then stored in plain text in mailboxes, may be relayed through servers you do not control, and can be forwarded anywhere.
You have to go to "Admin - Email settings" and do the following:
- Edit the email templates in the admin area to remove all sensitive ticket information from messages (so the emails look generic, like "your ticket has been updated, click here"); the recipient then reads the actual content only after logging in to the helpdesk over HTTPS
- Disable file attachments in the email notifications
- Or even disable email notifications completely