HIPAA Compliance

ManageEngine ServiceDesk Plus On-Premise provides several controls that help healthcare organizations comply with HIPAA requirements: marking and encrypting fields that hold protected health information (PHI/ePHI), anonymizing or erasing that data when a user leaves, restricting the export of ePHI with password-protected files, and auditing access to the marked fields.

The application admins can ensure HIPAA compliance by performing the following steps:


  1. Marking fields that contain PII or ePHI: To collect and process ePHI from users, we recommend doing so through additional fields and marking them as fields containing PII or ePHI. Only marked fields can later be anonymized or deleted when the user is removed from ServiceDesk Plus, so ePHI placed in unmarked fields is outside this control.

  2. Encrypting PHI or ePHI fields: ePHI fields can be encrypted for additional protection of stored data. The encryption option is selected by default when a field is marked as containing ePHI; you can clear it if required. Field encryption is not mandatory in ServiceDesk Plus, but we strongly recommend leaving it enabled for every field that holds ePHI.

  3. Anonymization or Erasure of Confidential Data: Fields that are marked as PHI/ePHI can be anonymized or erased when the corresponding user has left the organization.

  4. Secure Export of Sensitive Data: Export of sensitive data can be secured by configuring a file protection password. When this is enabled, a unique password is generated for files exported by each user with login permission, and a common password is configured for users without login permission. At your discretion, the common password can be shared with users who do not have login access to ServiceDesk Plus so that they can open password-protected files; treat it as a shared secret and limit who receives it.

As an on-premises application, ServiceDesk Plus does not share or transfer your data out of your own servers. Only information about licensing, payments, and support services is shared with ManageEngine, and this data is not shared with anyone else. ManageEngine employees do not have access to personal data collected and processed through ServiceDesk Plus.


Configurations for HIPAA compliance

Configuring HIPAA-related Additional Fields

You can configure HIPAA-related additional fields for supported modules by marking them as fields containing PII or ePHI and enabling encryption for those fields. To do this, follow these steps:
  1. Go to Admin > Customization > Additional Field.

  2. Select your preferred module: Incident, Service, User, or Technician.

  3. Click New Field.

  4. Choose your preferred field type: Single Line, Pick List, Multi Line, Numeric, or Date/Time.

  5. Select Holds personally identifiable information (PII) to mark the field as containing PII or ePHI.

  6. Encrypt the Field: Select this option to encrypt the field. It is selected by default when the field is marked as holding PII, and it is not supported for Numeric or Date/Time type fields. If you need an encrypted numeric value, create a Single Line field with the Allow numbers only option and select Encrypt the Field. For example, to store a social security number (SSN), create a Single Line field and select Allow numbers only, Holds personally identifiable information (PII), and Encrypt the Field.

  7. Configure any other necessary field properties.

  8. Finally, click Save.

Enable Anonymization

You can configure ServiceDesk Plus to anonymize or delete fields containing sensitive user information when the user is deleted from the application, typically after the user has left the organization. To configure anonymization, follow the steps below:

  1. Go to Admin > Users & Permission > Privacy Settings.

  2. Select Show option to anonymize user data while deletion.

  3. Now, select the fields to which anonymization should be applied and click Save.

When Show option to anonymize user data while deletion is enabled and a user is removed from ServiceDesk Plus, the technician deleting the user is prompted to either delete the selected sensitive fields or anonymize them.

 

Anonymization is supported both for default fields that contain sensitive information and for additional fields that are marked as containing PII or ePHI. Additional fields marked as containing PII or ePHI are listed automatically under Admin > Users & Permission > Privacy Settings, so a field that has not been marked will not appear there and will not be anonymized.

Enable Password Protection

To protect sensitive data in files exported from ServiceDesk Plus against unauthorized access, you can configure file protection passwords. To do this, follow the steps below:

  1. Go to Admin > Users & Permission > Privacy Settings.

  2. Select Enable File Protection Password.

  3. Common Password: Provide a common password that can be shared with users who do not have login permission, so that they can open files generated by ServiceDesk Plus.

  4. Finally, click Save.

After Enable File Protection Password is turned on, a unique password is generated for each user with login access the first time that user exports a file from ServiceDesk Plus. Users can view this password by clicking their user profile icon and selecting Change Password, and they can replace it with a password of their own from the same page.

Retrieving the audit log

ServiceDesk Plus generates audit logs for View, Edit, Add, and Delete operations on fields marked as PII/ePHI. Organizations can enable scheduled data deletion to set the retention period for these logs, up to a maximum of 10 years. For assistance in generating audit reports, contact support.

 

Disable HIPAA compliance

You can disable the HIPAA-related controls individually by turning off the respective security configurations, as described below. Note that these controls are independent: disabling one (for example, file protection passwords) does not turn off the others.

Disable Additional Field Security Configuration

  1. Go to Admin > Customization > Additional Field.

  2. Select the module in which the field was created: Incident or Service.

  3. Click Edit next to the field.

  4. Clear Holds personally identifiable information (PII).

  5. Finally, click Update.

 

Disable Anonymization

To disable the anonymization of fields containing sensitive information, follow the steps below:

  1. Go to Admin > Users & Permission > Privacy Settings.

  2. Unselect the fields for which anonymization must be disabled.

  3. Finally, click Save.

Disable File Protection Password

To disable the file protection password, follow the steps below:

  1. Go to Admin > Users & Permission > Privacy Settings.

  2. Clear Enable File Protection Password.

  3. Click Save.

Other security-related features that ServiceDesk Plus offers

  1. Role-based Access

  2. User-specific Field Visibility

  3. Data security

  4. ISO and SOC 2 certificates