The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, ManageEngine ServiceDesk Plus provides certain features (as described below) to help its customers use ServiceDesk Plus Cloud in a HIPAA compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
ServiceDesk Plus Cloud enables organizations secure their user's health-related information using the following features:
Mark and encrypt fields containing ePHI
Mark Resource Information containing ePHI
Anonymize and erase ePHI
Secure Data Export
Maintain ePHI log
When configuring an additional field, you can mark a field containing any confidential information as electronic Protected Health Information(ePHI) and encrypt the field. You can mark single-line, multi-line, phone, email, and numeric fields as ePHI.
To add an ePHI field,
Go to Setup >> Customization >> Additional Fields.
Select the required module from the drop-down. You can add ePHI fields to Requests, Requesters, and Technicians.
Click New Field.
Enter the Field Name and select the Field Type. You can mark single-line, multi-line, phone, email, and numeric fields as ePHI.
Enable the This field contains personally identifiable information(PII)/electronic protected health information(ePHI) of a user checkbox to mark the field as ePHI.
Enable the Encrypt this field checkbox to encrypt the data entered in the field.
Enter the Default Value and add additional information about the field in the Description.
Click Save.
You can also add ePHI fields for incident and service request templates when configuring the template. Click here to know more.
Resource information added to service request templates might contain sensitive data.
To mark a resource question as ePHI,
Go to Setup >> Templates & Forms >> Service Category.
Edit the required Service Item and go to the Resource Info tab.
Click 
beside the required resource. A confirmation window pops up. Click Yes to proceed.
Click
beside the required question.
Enable the checkbox This field contains personally identifiable information(PII)/electronic protected health information(ePHI) of a user at the bottom of the dialog box.
Click Save.
Click here to learn how to add a resource to service templates.
In ServiceDesk Plus Cloud, you can secure personal information of users leaving the organization by configuring privacy settings. With privacy settings, you can anonymize and erase all sensitive data of deleted users.
To anonymize and erase ePHI fields,
Go to Setup >> Users & Permissions >> Privacy Settings.
Under the Anonymize and Erase PII/ePHI tab, the deleted users will be listed along with the corresponding email address and the time of deletion.
Select the required users and click Anonymize. The Anonymize Users window pops up.
Enter a random text beside each name and click Replace. The selected username of the selected users will be replaced with the given text after which the user data will be permanently deleted from the application.
In ServiceDesk Plus Cloud, you can export sensitive data in a secure manner by embedding the data in a password protected zip file. The password protection applies to module-wise data export and reports exported or scheduled via email.
To enable password protection for your organization files,
Go to Setup >> Users & Permissions >> Privacy Settings.
Under the File Protection Password tab, select the Enable File Protection Password checkbox.
Enter a strong password under File Password. We recommend sharing this password with the intended users using a password sharing tool to ensure security.
Click Save.
ServiceDesk Plus Cloud automatically logs all actions related to ePHI fields across the application under Setup >> Data Administration >> PII/ePHI log. Clicking a log displays detailed information on the action as given in the below screenshot:
To export the logs, select the required duration using the available filters. Click Export as and choose whether to export the logs in CSV/XLS format.