HIPAA compliance in ADManager Plus

    ManageEngine ADManager Plus offers the following options for using the product in a HIPAA-compliant manner.

    1. Marking fields that contain ePHI
    2. Securing ePHI data
    3. Recording ePHI-related activities through audit logs

    Note: By default, ADManager Plus does not collect any ePHI from its users.

    Marking PII and ePHI in Custom Attributes

    Using this option, the admin can mark any sensitive data fields in custom attributes as PII or ePHI and distinguish them from other fields.

    To do this:

    1. Log in to the ADManager Plus console and navigate to the Admin tab.
    2. Click LDAP Attributes listed under Custom Settings.
    3. Click the Add Attribute button.
    4. Enter the details of the custom attributes, such as their Display Name, LDAP Name, Data Type, Associated Reports, and Associated Management in the respective fields.
    5. If the attribute identified by the LDAP name entered contains ePHI, check the "This field contains PII/ePHI information of an object." box to mark it as ePHI.
    6. Click Add to complete the operation.

    Secure ePHI

    a) Securing exported data

    ADManager Plus offers password protection for exported reports, database backups, and archived audit report files. This password protection can be applied to any report that is exported or scheduled via email.

    To enable password protection for exported reports, follow these steps:

    1. Log in to the ADManager Plus console and navigate to the Admin tab.
    2. Select Security and Privacy listed under General Settings.
    3. Under Data Security in Privacy Settings, check the Exported reports box.
    4. Enter the password. Note that this password has to be entered to view the exported reports or scheduled reports.
    5. Click Save.

    b) Securing ePHI stored in the database

    Sensitive data stored in the database, such as ePHI, passwords, and auth-tokens, is encrypted using 256-bit Advanced Encryption Standard (AES). The product database resides in the customer environment alone, and it can only be accessed by providing instance-specific credentials. The stored passwords are one-way hashed using bcrypt and are filtered from all of our logs. Because the bcrypt hashing algorithm is used with a per-user salt, reverse engineering the passwords from the stored hashes would be highly time-consuming.

    Audit logs

    ADManager Plus records in its audit logs every attempt made by users to access ePHI, along with the action performed on the accessed data.

    Additionally, when any ePHI is identified in the message body, the product displays it in a confirmation dialog box to ensure that no ePHI is entered accidentally. This applies to any text entered in the Message body in the Webhook Template and Notification Template features.
