ServiceNow is a cloud-based tool used to manage, track, and resolve help requests. Michigan Medicine uses ServiceNow for IT help requests.
ServiceNow is a university contracted-for service provided by ServiceNow and the U-M agreement includes confidentiality and security clauses. ServiceNow is ISO 27001-certified and provides a secure environment in which to maintain or share the university's sensitive unregulated data, as well as some types of sensitive regulated data.
U-M's agreement with ServiceNow includes a Business Associate Agreement. This means individuals may use this service to maintain Protected Health Information (PHI) regulated by HIPAA. The Michigan Medicine instance of ServiceNow is designed to store PHI in encrypted fields, and access to those fields is limited to those with a business need to access the data.
Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in ServiceNow are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Obtaining all necessary data-sharing agreements and Business Associate Agreements for using and disclosing PHI.
- Following any additional steps required by your unit to comply with HIPAA.
While ServiceNow provides a secure environment, and could contain Social Security numbers, it is not designed to store or maintain this type of data. Users should use UMIDs instead of Social Security numbers when an employee ID number is necessary.