HIPAA-Ready Helpdesk.
Self-Hosted. From $149/Year.
No BAA negotiation. No premium compliance tier. No third-party data handler. Your helpdesk runs on your infrastructure, under your policies.
The Problem
Cloud helpdesks make HIPAA expensive.
Support tickets routinely contain protected health information: patient account numbers, medical records referenced in context, system credentials, internal operational details. In a cloud helpdesk, all of that lives on the vendor’s infrastructure.
HIPAA requires a Business Associate Agreement with any third party that handles PHI. Most helpdesk vendors only offer BAAs on their highest-tier plans.
Zendesk requires the Enterprise plan ($209/agent/month) for HIPAA eligibility. At 25 agents, that’s $62,700/year before any add-ons. The compliance requirement isn’t optional. The pricing tier that satisfies it is the vendor’s most expensive product.
The Alternative
When you host the software, the BAA question disappears.
A BAA is required when a third party handles protected health information on your behalf. When your helpdesk runs on your own servers, there is no third-party data handler. You are the sole custodian of the data.
osTicket Awesome is self-hosted. Your servers, your database, your network. PHI never leaves your infrastructure. The compliance conversation shifts from “negotiate a BAA with your vendor” to “configure your own systems correctly,” and you already have the policies and procedures in place for everything else you run.
Technical Safeguards
How osTicket Awesome maps to HIPAA requirements.
osTicket Awesome is a software tool, not a compliance certification. No vendor can make you HIPAA compliant. What self-hosting gives you is complete control over every technical safeguard HIPAA requires.
| HIPAA Requirement | How osTicket Awesome Helps |
|---|---|
| Encryption at rest | ✓ You configure database encryption on your infrastructure |
| Encryption in transit | ✓ SSL/TLS on your web server (standard Apache/nginx configuration) |
| Access controls | ✓ Role-based permissions per agent and department, granular and configurable |
| Unique user identification | ✓ Individual agent accounts with enforced authentication |
| Automatic logoff | ✓ Configurable session timeout |
| Audit logging | ✓ Audit Log plugin pre-installed. Every action tracked, CSV-exportable |
| Authentication | ✓ Password policy enforcement, OAuth2, SSO passthrough, LDAP/AD |
| Two-factor authentication | ✓ TOTP-based 2FA plugin pre-installed for all agent accounts |
| Data residency | ✓ Data stays on your servers. You choose the physical location |
| Backup and recovery | ✓ Your backup strategy, your retention policy, your DR plan |
| Minimum necessary | ✓ Department-level queue isolation. Agents see only their scope |
Every item in the right column is either a built-in feature or something you control because the software runs on your infrastructure. No vendor dependency. No premium tier gatekeeping.
The Math
HIPAA-aligned from day one. At every price point.
Cloud vendors gate compliance features behind their most expensive tiers. osTicket Awesome includes every security plugin, every access control, every audit capability at every pricing tier.
| | osTicket Awesome | Zendesk (HIPAA-eligible) | Freshdesk Enterprise |
|---|---|---|---|
| 10 agents | From $149/yr | $25,080/yr | $9,480/yr |
| 25 agents | From $149/yr | $62,700/yr | $23,700/yr |
| 50 agents | From $149/yr | $125,400/yr | $47,400/yr |
| BAA required | ✓ No | Yes (Enterprise only) | Yes (varies) |
| 2FA included | ✓ All tiers | All tiers | Higher tiers |
| Audit log | ✓ All tiers | Varies by plan | Enterprise only |
| Data location | ✓ Your servers | Vendor’s cloud | Vendor’s cloud |
| Source code audit | ✓ Full access | Not available | Not available |
Important
What “HIPAA-ready” means. And what it doesn’t.
osTicket Awesome is not HIPAA-certified. No software is. HIPAA certifies organizations, not products.
What self-hosting gives you is complete control over the technical safeguards HIPAA requires: encryption, access controls, audit trails, authentication, and data residency. Whether your organization achieves HIPAA compliance depends on your policies, your procedures, your training, and your infrastructure as a whole.
What we can say with confidence: osTicket Awesome removes the vendor dependency from your compliance posture. You don’t need to negotiate a BAA. You don’t need to pay for a premium tier to unlock security features. You don’t need to trust a third party with your most sensitive data. The tools are included, the source code is auditable, and the data never leaves your network.
Need help with implementation? Professional services are available for organizations with specific compliance requirements.
Common Questions
Questions from compliance officers and IT directors.
Do we need a BAA with osTicket Awesome?
No. A BAA is required when a third party handles PHI on your behalf. osTicket Awesome is self-hosted on your infrastructure. There is no third-party data handler. You are the sole custodian.
Is osTicket Awesome HIPAA certified?
No software is HIPAA certified. HIPAA certifies organizations, not products. osTicket Awesome provides the technical tools (encryption, access controls, audit logging, 2FA, role-based permissions) that help satisfy HIPAA’s technical safeguard requirements.
Can we deploy on our existing hospital infrastructure?
Yes. osTicket Awesome runs on any server with PHP and MySQL/MariaDB. Linux or Windows. On-premise, private cloud, or within your existing hospital network.
Can we audit the source code?
Yes. osTicket Awesome ships with full, unobfuscated source code. Your security team can review every line. Compare this to SaaS vendors (no source access) or competitors like SupportPal (ionCube-encrypted source code).
What about HITECH?
The HITECH Act strengthened HIPAA’s enforcement provisions and extended requirements to business associates. Because osTicket Awesome is self-hosted (no business associate relationship), the HITECH BA requirements don’t apply to your helpdesk vendor relationship. Your organization’s own HITECH obligations remain unchanged.
Can different departments have separate access levels?
Yes. Each department gets its own queue, intake forms, SLA targets, and agent assignments. Role-based access control ensures agents see only what they need. Patient services agents cannot see IT tickets. Billing cannot see facilities work orders.