Freshsales is a cloud-based customer relationship management (CRM) solution that helps companies personalize engagement and simplify tasks. Many healthcare organizations use CRM to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with HIPAA compliant platforms.
Sensitive protected health information (PHI) must be safeguarded under HIPAA in the healthcare industry. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Freshworks does not include Freshsales under its updated BAA, and Freshsales may not be HIPAA compliant.
Freshsales, a CRM product from the company Freshworks, lets businesses across different industries manage interactions. Freshworks is a software-as-a-service (SaaS) provider. The Freshsales platform is designed to be user-friendly and intuitive. It is also customizable to meet an organization’s needs.
Healthcare CRM refers to a centralized hub for patient information, communication, and administrative tasks. Features of Freshsales that healthcare organizations can use include:
Healthcare organizations can use Freshsales to streamline patient and internal communication.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
The agreement is required by law for HIPAA compliance and is the primary factor in determining whether Freshsales can be HIPAA compliant. Freshsales (Freshworks) is a business associate of a healthcare organization if it is storing, processing, or transmitting PHI.
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. We checked the Freshworks website for mention of its BAA and found updated pages (modified August 2, 2023) on HIPAA compliance:
Commitment toward HIPAA Compliance
Accordingly, the updated Freshworks BAA is limited to Freshdesk, Freshchat, Freshcaller, and Freshdesk Omnichannel, products that are part of the Freshworks Freshdesk suite. Freshsales was included in a BAA-related list from June 2020, but not on the page from 2023.
The newer HIPAA Configuration Guide further states, “The processing of any [electronic PHI (ePHI)] in any of our other products is not recommended and will not be covered within the scope of our BAA.”
In 2023, we created a HIPAA compliant checklist for CRM services to help healthcare organizations find a compliant company. A good CRM platform organizes patient data efficiently, reduces work time, improves marketing strategy, and personalizes customer interaction. Many CRM systems are available to healthcare organizations, but not all meet HIPAA requirements of encryption, data backup, and access controls.
Several web pages address Freshworks security, including a support document from September 11, 2023. Freshworks automatically uses a secure encrypted server, relying on Amazon Web Services for its security. Furthermore, the company employs security features such as data segregation, access controls, encryption, and data logs. At the same time, certain features need to be customized for HIPAA compliance; Freshworks provides a list of custom specifications:
The company adds other recommendations for HIPAA compliant configurations such as data migration, data sanitization, and data encryption. Finally, users must independently configure other apps or features (such as email) related to Freshworks to meet HIPAA compliance.
The BAA is a necessary component of HIPAA compliance, and Freshworks does not include Freshsales in its updated list of BAA-available products. Conclusion: Freshsales may not be HIPAA compliant.
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA: