# HIPAA Compliance ## HIPAA Compliance with Endpoint Central The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires [Covered Entities and Business Associates](https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html) to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. Endpoint Central provides certain features (as described below) to help its customers use Endpoint Central in a HIPAA compliant manner. HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com. ## Features in Endpoint Central that helps customers with HIPAA Compliance Endpoint Central is an endpoint management solution. It collects endpoint asset information and performs actions based on the information collected. Endpoint Central does not collect any ePHI from endpoints automatically or manually, nor does it use such data for any functionality to perform actions. For an organization that requires HIPAA compliance, we provide some security features/options that can help demonstrate HIPAA compliance of Endpoint Central: ## 1) HTTPS Communication between agent and server The Endpoint Central Agent follows the commands of the Endpoint Central Server and also updates the server with the required endpoint inventory data. The agent pulls instructions from the server periodically to execute tasks. Using HTTPS mode of communication between the two components makes the data transfer more secure and ensures its integrity. ## 2) Masking PII (Personally Identifiable Information) Endpoint Central offers predefined and customized reports according to business needs. If a category of reports includes personally identifiable information (PII), it can be masked or hidden using Export Settings in Endpoint Central. The PII of a user is protected and remains unavailable to unauthorized individuals. ## 3) Privileged Access Control Endpoint Central enables customers to create their own hierarchy of users, each having different permissions to access information, by using defined scopes and roles to ensure that all privileges with respect to data accessibility are fulfilled. To understand scopes and roles in detail, refer to: [Role Based Administration](https://www.manageengine.com/products/desktop-central/role-based-administration.html) ## 4) Obtaining consent prior to remotely accessing systems Using Endpoint Central, a message can be prompted to the end user, enabling them to grant access to a technician by accepting the initiated remote control session. Access is denied when the request is rejected. This prevents misuse of the Remote Control feature and accidental exposure of personal data. For further insight on remote control configuration for access control, refer to: [Remote Desktop Sharing](https://www.manageengine.com/products/desktop-central/remote-control-prompt-how-to.html) ## 5) Password protected remote control files Endpoint Central includes Remote Control and screen capture during remote sessions. The screen recording file, stored in the server directory, is password protected to ensure data integrity. The screen recorded file can only be viewed by Endpoint Central console users with access to the Remote Control module. ## 6) Password protected chat history files Endpoint Central secures chat history files stored in the server directory using a password. These files are accessible only to Endpoint Central users who have access to the Chat module. ## 7) Audit Trail Endpoint Central's action log viewer contains logs of activities performed by technicians through the product console and important events performed on agent computers. Customers can review them periodically and stay vigilant about suspicious activity. Log activities are stored in the product for a maximum of 750 days. For further details about audit user access, refer to: [Audit User Access](https://www.manageengine.com/products/desktop-central/audit-user-access.html) In addition to the above features, following the [security guidelines of Endpoint Central](https://www.manageengine.com/products/desktop-central/security-recommendations.html) will further strengthen your Endpoint Central Server's security. ManageEngine Endpoint Central has also been certified for ISO and SOC 2 Type 2. Refer to the following: [Compliance Document](https://www.zoho.com/compliance.html) To understand how using Endpoint Central's endpoint management features can help make your network HIPAA compliant, refer to: [Endpoint Central HIPAA Compliance](https://www.manageengine.com/products/desktop-central/hipaa-compliance.html) **Disclaimer: The above content is not legal advice. Please contact your legal advisor to understand HIPAA's application and impact specific to your organization and the processes involved in becoming HIPAA compliant.**