Help Scout and HIPAA

Help Scout maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and is able to process, maintain and store protected health information for any entities restricted by these regulations. HIPAA support is available on the Plus and Company plans only.

Signing a BAA with Help Scout

Help Scout will sign a business associate agreement (BAA) with your organization, which you can access from the links below. Our team will receive a notification of the signed BAA and we will turn on the HIPAA feature if you are on a Plus or Company plan.

General Overview

What's involved in HIPAA compliance?

We complete annual risk assessments and employee training as required by HIPAA. Additionally, we've gone to great lengths to ensure that data is properly secured and encrypted.

Where is Help Scout customer data hosted? 

With the exception of off-site backup and redundancy infrastructure, Help Scout is hosted on Amazon Web Services (AWS), a highly scalable cloud computing platform with end-to-end security and privacy features built in.

What sort of application security is in place? 

All Help Scout web application communications are encrypted over 256 bit SSL, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions. 

Can I edit or remove PHI from a thread if needed? 

Yes. This is helpful if there are multiple parties involved in one conversation. Through a thread options menu, you can edit, delete, or hide thread contents. This prevents that information from being sent out again, or from being quoted in a future reply. 

Who has access to our Help Scout account? 

All Help Scout employees are able to access customer accounts for the sole purpose of lending a hand. We don't access customer accounts unless we're explicitly asked for help. 

Are we able to export our data if we decide to leave one day? 

All customer and conversation data can be accessed at any time via our Mailbox API. We're working on in-app export tools to make that process easier for folks without API knowledge. 

Can you sign our BAA, or make changes the Help Scout BAA upon request? 

Unfortunately, we're not able to have unique agreements with customers. We believe our BAAs accurately cover the scope of our relationship, and for legal reasons, cannot make adjustments to our BAAs. 

Integrations

Are your integrations HIPAA compliant? 

Official Integrations

All information that is sent between Help Scout and other systems (whether from Help Scout or from the other system) is encrypted in transit and at rest. For all integrations which use our API, you'll authenticate through OAuth 2. A Help Scout User account is necessary to authenticate, and the integration will have the same data access as that User. Only Administrators and Account Owners can install Company-wide integrations. 

Your privacy and security team will need to request more specific information from and potentially sign a BAA with any integration partners to maintain compliance. 

The majority of officially-supported third-party integrations between Help Scout and other systems don't involve Help Scout sending information back to the other system. Instead, they involve pulling in information from the other system in order to enrich what you see in Help Scout. In these integrations, no ePHI is sent back to the other system from Help Scout.

If the system with which you're integrating is storing PHI and could potentially pass it back to Help Scout, you'll need to sign a BAA with that system as well as with Help Scout. For official integrations where we could pass back PHI — examples include our CRM integrations, where you can create a record for someone who emails you and can update your record of them with a copy of the Help Scout conversation — we do pass data in a secure, encrypted fashion. You'll need to have a BAA signed with the other system in order to store your data in it. 

Unofficial Integrations

Help Scout has a fully-featured API, which means that you or a third party can build integrations with any other system. Help Scout will pass the data in a secure fashion, but cannot control what happens to the data once it leaves Help Scout's system. The app developers are responsible for ensuring HIPAA compliance for data once it leaves Help Scout. HIPAA compliance with your own app or any unofficial third party app will be up to your privacy and security team to investigate. 

Integration Removal

The authenticated User account can revoke access to an app from Your Profile > Authentication > Authorized Apps. Administrators can revoke access for individual Users by navigating to Manage > Users > [select user] > Authentication > Authorized Apps.

Administrators and Account Owners can review and uninstall Company-wide installed Apps by going to Manage > Apps

Security

Does Help Scout have a policy that identifies and determines controls regarding the proper use of workstations to support access and protection of ePHI?

All production data is in a VPC (virtual private cloud). Internal access is firewalled and users must be authenticated on the VPN and via multi-factor authentication to access anything.  

Do you have a security policy to help ensure the confidentiality, integrity, and availability of ePHI? Do you have a SOC2/3 report?

For documentation regarding how data is stored and protected when in use, and at rest, refer to the Help Scout Security Policy. For SOC2/3 reports, refer to AWS Cloud Security.

Does Help Scout have a security control policy (locked doors, surveillance cameras, alarms) to prevent theft of ePHI?

For documentation regarding physical location security, facility maintenance, and access control, refer to this white paper: Amazon Web Services: Security Overview

Do you have procedures for terminating access to systems containing ePHI when a team member is no longer employed at Help Scout?

End of employment processes are in place. VPN access is disabled, AWS and administrator access keys are terminated, and all access to PHI is revoked. Upon termination, employees are required to destroy remaining local data and return hardware to Help Scout. 

Have you taken steps to protect the organization from malicious software, including the application security patches?

Per internal IT policy, we only upgrade instances to stable release versions, or hosted HIPAA compliant SaaS offerings, and apply all security patches when released.

Have passwords been implemented that are unique to a user and comply with best practice components including password length, complexity, and duration?

We follow all NIST password guidelines for login based systems: https://pages.nist.gov/800-63-3/sp800-63b.html

Do you routinely conduct audits of your application, such as code reviews, static or dynamic code analysis, penetration tests, or vulnerability scans?

Yes. Code reviews and analysis are conducted by all engineers as a part of the development process. Help Scout third-party penetration testing at least annually, and PCI compliance scans at least quarterly.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still stuck? How can we help? How can we help?