The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. Endpoint Central provides certain features (as described below) to help its customers use Endpoint Central in a HIPAA compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Endpoint Central is an endpoint management solution, it collects endpoint asset information and performs actions based on the information collected. Endpoint Central does not collect any ePHI from endpoints automatically as well as manually and use them for an any functionality to perform actions.
For an organization that requires to be HIPAA compliant, we provide some security features/options, that can help them demonstrate HIPAA compliance of Endpoint Central:-
The Endpoint Central Agent follows the commands of the Endpoint Central Server and also updates the server with the required endpoint's inventory data. The agent pulls the instructions from the server periodically to execute the tasks. Using HTTPS mode of communication between the two components, makes the data transfer more secure and ensures its integrity.
Endpoint Central offers to create predefined and customized reports according to business needs. If a category of the reports happens to be a personally identifiable information(PII), it can be masked/hidden using Export Settings in Endpoint Central. The PII of a user is protected and remains unavailable to outsiders.
Endpoint Central enables customers to create their own hierarchy of users, each having different permissions of access to information, by using the defined scope and roles to ensure that all privileges with respect to data accessibility are fulfilled. To understand the scope and roles in detail, you can refer to : Role Based Administration.
Using Endpoint Central, a message can be prompted to the end user which enables them to grant access to a technician by accepting the initiated remote control session. The access is denied when the request is rejected. This prevents the misuse of the Remote Control feature and accidental exposure of personal data of customers. To gain further insight on remote control configuration for access control, please refer to the document : Remote Desktop Sharing.
Endpoint Central is enabled with the feature of Remote Control and screen capture during remote sessions. The screen recording file, which is stored in the server directory is password protected to ensure data integrity. The screen recorded file can only be viewed by Endpoint Central console users with access to the Remote Control module.
Endpoint Central secures the chat history files stored in the server directory using a password. The files are only accessible to Endpoint Central users who have access to the Chat module.
Endpoint Central's action log viewer contains the logs of activities performed by technicians through the product console and important events that were performed on the agent computers. Customers can review them periodically and stay vigilant about suspicious activity. The log activities will be stored in product for maximum 750 days. To know further details about Endpoint Central's audit user access, please refer to the document : Audit User Access.
In addition to the above features, following the security guidelines of Endpoint Central will further tighten your Endpoint Central Server's security.
ManageEngine Endpoint Central has also certified for the ISO, SOC 2 Type 2. Please refer the following : Compliance Document.
To understand how using Endpoint Central's endpoint management features make your network HIPAA compliant, please refer to the document : Endpoint Central HIPAA Compliance.
Disclaimer : The above content is not legal advice. Please contact your legal advisor to know about HIPAA's application and impact specific to your organization and the processes involved to be HIPAA compliant.