HIPAA Onboarding and Security Guidelines for BoldDesk Users

Overview

BoldDesk is a ticketing system designed to support HIPAA compliance for organizations that manage Protected Health Information (PHI). When configured appropriately, BoldDesk handles PHI in alignment with HIPAA requirements. This guide outlines the onboarding process, the security configuration guidelines, and the feature limitations that apply to HIPAA-compliant usage.

HIPAA onboarding process

To begin using BoldDesk in a HIPAA-compliant manner, follow these steps:

  1. Reach out to BoldDesk Support to initiate the HIPAA onboarding process.
  2. Review and sign the Business Associate Agreement (BAA) provided by BoldDesk’s legal team.
  3. After you sign the BAA, BoldDesk activates the HIPAA-compliant features for your account.
  4. Configure your ticketing workflows to ensure they meet HIPAA requirements.

Understanding the BAA

A Business Associate Agreement (BAA) is a legal contract between a HIPAA-covered entity (e.g., a healthcare provider) and a service provider (the business associate) that handles PHI on its behalf. It commits both parties to adhering to HIPAA regulations.

How to obtain a BAA

To obtain a business associate agreement with BoldDesk, follow these steps:

  1. Contact BoldDesk to request a BAA.
  2. Review the agreement with your legal or compliance team.
  3. Sign the BAA electronically (e.g., via BoldSign).
  4. Confirm that HIPAA-compliant features are enabled post-signing.

Security configuration guidelines

Proper configuration is essential to safeguarding PHI and maintaining HIPAA compliance. The guidelines below describe how to protect PHI in your account.

Data encryption

  • Ensure encryption of PHI both at rest and in transit.
  • Use secure transmission protocols such as HTTPS and TLS.

Redact sensitive data

  • Enable redaction to add an extra layer of protection for PHI that appears in ticket content.
  • Redacted data is stored in the database in a non-reversible format, so the original values cannot be retrieved.

Custom email server

  • HIPAA mode restricts sending and receiving email within BoldDesk to protect sensitive data.
  • You can configure a custom email server (e.g., via IMAP) to manage email syncing securely.

Access controls

  • Implement Role-Based Access Control (RBAC) to limit access to PHI.
  • Restrict PHI field access to authorized personnel only.

Audit trails

  • Enable activity logging and monitoring.
  • Maintain detailed logs for access, modifications, and deletions of PHI.
  • Regularly review logs for any suspicious or unauthorized activity.

Staff training

  • Conduct HIPAA training for all staff handling PHI.
  • Educate employees on identifying and reporting security incidents.
  • Provide clear guidelines for secure communication and data handling.
  • Keep records of training sessions and updates.

Ongoing compliance reviews

  • Schedule quarterly or biannual HIPAA audits.
  • Review system configurations, access logs, and PHI usage.
  • Update policies and procedures based on audit outcomes.
  • Ensure all third-party integrations are HIPAA-compliant.

PHI field enablement

Once the BAA is signed:

  • You can designate the specific fields in BoldDesk that contain PHI.
  • These fields are protected with enhanced encryption and access controls.
  • PHI fields are excluded from non-compliant features such as email notifications and AI processing.

Feature restrictions post-BAA

To maintain HIPAA compliance, the following features are disabled or restricted after the BAA is signed:

  • Email services – Restricted to avoid ePHI exposure through emails.
  • AI services – Disabled to prevent unintended data processing.
  • Omnichannel – Use of non-compliant communication channels (e.g., Facebook, Twitter, WhatsApp, Instagram, Telegram, and Line App) is restricted.
  • Push notifications – Disabled to prevent sensitive data from leaking via alerts.
  • Live Chat – ePHI fields are not supported.
  • CSAT surveys – Restricted to avoid PHI exposure through feedback.