
Is ServiceNow HIPAA Compliant?

What healthcare organizations need to know about ServiceNow's HIPAA BAA, the difference between ITSM tickets and patient PHI, and when ServiceNow's healthcare modules require careful PHI management.

Short answer

ServiceNow offers HIPAA Business Associate Agreements for healthcare customers. For small medical clinics, ServiceNow is rarely the right tool — it's an enterprise IT service management platform priced and scoped for health systems and large organizations. When IT service tickets reference patient-specific information, they may contain PHI. Healthcare organizations using ServiceNow should confirm BAA coverage and assess whether IT ticket workflows, integrations, and the Now Intelligence AI features process PHI.

ServiceNow is an enterprise IT service management platform used by large health systems and hospitals to manage IT service requests, change management, HR cases, and operations. Small medical clinics do not use it. It is built for organizations with substantial IT infrastructure and dedicated operations teams.

Whether ServiceNow requires a BAA depends on what flows through service tickets.

Note: ServiceNow’s product offerings, hosting configurations, and HIPAA BAA terms are updated periodically. Contact ServiceNow directly or review your existing contract terms to confirm current coverage before routing PHI through ServiceNow.

ServiceNow’s HIPAA BAA

ServiceNow offers HIPAA Business Associate Agreements for healthcare customers. BAA availability depends on:

  • The specific ServiceNow products in use (the platform has dozens of modules and applications)
  • The hosting configuration (ServiceNow’s own cloud infrastructure vs. government or specialty hosting regions)
  • The terms of the specific enterprise agreement in place

Confirm BAA coverage with your ServiceNow account team. Make sure the BAA explicitly covers the specific modules in use, not just the base platform.

When IT Tickets Contain PHI

The primary HIPAA consideration for ServiceNow in healthcare settings is whether IT service management tickets contain PHI.

Tickets that do not typically contain PHI:

  • Password reset requests for staff accounts (employee name + access issue)
  • Hardware procurement and asset management tickets
  • Software installation requests
  • Network configuration changes
  • Infrastructure incident tickets (server down, application latency)

Tickets that may contain PHI:

  • EHR access issues that reference specific patient accounts or encounters (“the patient’s chart is inaccessible”)
  • Data transfer or integration issues that reference patient records (“patient file export failed, patient ID [X]”)
  • Audit or compliance requests that include patient-specific details
  • Requests related to patient portal access problems
  • Tickets that include screenshots of EHR screens showing patient data

The distinction is whether patient-specific information is present in the ticket itself. A ticket that says “EHR application is down” does not contain PHI. A ticket that says “Patient [Name], DOB [date], cannot access their records through the portal” contains PHI.

If the ServiceNow environment receives tickets that routinely contain patient information, a BAA is required.

Healthcare Modules and Patient-Facing Applications

ServiceNow offers healthcare-specific applications beyond standard ITSM:

Safe Workplace and Health and Safety modules: Built for COVID-era employee health screening and vaccination tracking, these modules may contain employee health information. Employee health records have different HIPAA treatment than patient records, though the line blurs in self-insured health plan contexts.

Healthcare and Life Sciences modules: ServiceNow’s healthcare-specific applications cover patient access management, clinical operations support, and care team coordination. These handle clinical PHI and require a careful BAA assessment.

HR Service Delivery: HR cases involving medical accommodations, FMLA, or disability requests may contain employee health information. That is generally governed by ADA and FMLA privacy rules rather than HIPAA — unless the organization is a covered entity handling its own employees’ PHI in a hybrid context.

Now Intelligence and AI Features

ServiceNow’s Now Intelligence platform includes predictive intelligence, a virtual agent chatbot, natural language understanding, and generative AI features.

If these process ticket content that contains PHI, confirm they are covered under your HIPAA BAA, whether ServiceNow uses ticket content for model training, and where AI-processed content is stored.

Verify this at implementation time. ServiceNow’s AI product changes, and what was true at contract signing may not match current feature behavior.

Configuration for HIPAA-Compliant Use

Access control: ServiceNow’s access control lists (ACLs) govern who can view, edit, and manage records in each table and application. Configure ACLs to limit PHI-containing records to staff with legitimate need.

Field-level security: ServiceNow allows field-level access controls that restrict which users see specific data fields within a record. If tickets contain PHI in description, notes, or attachment fields, configure field-level controls to limit visibility.

Audit logging: ServiceNow maintains audit logs of record access and modifications. Ensure audit logging is enabled and retained appropriately for PHI-containing records.

Attachment controls: Tickets may include attachments: screenshots, exported files, documents. Apply the same access restrictions to attachments as to the ticket itself.

Practical Guidance for Healthcare Organizations

For small clinics: ServiceNow is not the right tool. The implementation complexity, enterprise pricing, and platform scope are built for organizations ten times the size of a typical small clinic. A lightweight ticketing tool or compliance-focused task management platform is more appropriate.

For health systems and hospital IT departments using ServiceNow:

  1. Audit actual ticket content to determine whether PHI is present in ITSM workflows
  2. Confirm ServiceNow BAA covers the specific modules in use
  3. Configure ACLs and field-level security before PHI-containing workflows go live
  4. Assess Now Intelligence and AI features under HIPAA BAA terms
  5. Establish ticket entry standards: instruct staff not to include patient-specific information in ITSM tickets when a patient identifier is not necessary to resolve the issue

The minimum necessary standard (45 CFR § 164.502(b)) applies in ITSM as much as anywhere else. If a ticket can be resolved without patient names or identifiers, those identifiers should not be in the ticket.
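As an added example (not ServiceNow's code and not a PHIGuard feature), the heuristic below screens ticket text for the patient identifiers the earlier section describes and strips them so the ticket can still be filed under the minimum necessary standard. The patterns are constructed for illustration and assume the organization's tickets use the "Patient Name", "DOB" and "patient ID"/"MRN" conventions shown on this page.

```javascript
// Heuristic PHI screen for ITSM ticket descriptions. Patterns are constructed
// examples; tune them to the conventions actually used in your tickets.
const PHI_PATTERNS = [
  // "Patient Jane Doe": a capitalised name directly after the word patient
  { label: "patient name", re: /\b[Pp]atient\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+/g },
  // "DOB 01/02/1980", "DOB: 1980-01-02"
  { label: "date of birth", re: /\bDOB\b\s*:?\s*\d{1,4}[\/\-]\d{1,2}[\/\-]\d{1,4}/gi },
  // "patient ID 12345", "MRN: A-9981"
  { label: "patient identifier", re: /\b(?:patient\s+ID|MRN)\b\s*[:#]?\s*[A-Za-z0-9-]+/gi },
];

// Reports which identifier types appear in a ticket description.
// "EHR application is down" yields no findings; "User John Smith cannot
// access EHR" is employee information only and is also not flagged.
function screenTicket(description) {
  const findings = [];
  for (const { label, re } of PHI_PATTERNS) {
    re.lastIndex = 0; // reset state shared by the global regex
    if (re.test(description)) findings.push(label);
  }
  return { containsPHI: findings.length > 0, findings };
}

// Applies the minimum necessary rule: replaces each identifier with a
// labelled placeholder so the issue can still be described and resolved.
function redactTicket(description) {
  let text = description;
  for (const { label, re } of PHI_PATTERNS) {
    text = text.replace(re, `[${label} removed]`);
  }
  return text;
}
```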

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using this software with PHI

Is ServiceNow appropriate for a small medical clinic?

Rarely. ServiceNow is designed for large organizations with dedicated IT departments and service management infrastructure. Small clinics (3-50 staff) typically don't have the volume of IT service requests, the implementation budget, or the technical staff to justify ServiceNow. Purpose-built clinic compliance tools, simple ticketing platforms, or EHR-native task management are usually more appropriate.

Our hospital's IT department uses ServiceNow — do our IT tickets need a PHI assessment?

Yes. Audit IT ticket content to determine whether tickets reference patient-specific information. A ticket that says 'User [Name] cannot access EHR' contains only employee information. A ticket that says 'Patient [Name]'s account is locked and they cannot access their records' contains patient PHI. The distinction matters for HIPAA purposes.

Does ServiceNow's IT Operations Management (ITOM) module create PHI exposure?

ITOM tracks infrastructure, application performance, and events. If monitored systems process PHI and ITOM captures PHI-containing log data or event details, ITOM may process PHI. Assess specific integrations and data flows in your ITOM configuration.

We use ServiceNow for HR case management — is that a HIPAA concern?

HR case management typically handles employment records, not health records. HIPAA covers health information about individuals, not standard employment information. If HR cases contain clinical information — accommodation requests based on medical conditions, workers' compensation with medical details — those cases may contain PHI. Assess based on actual case content.

Operational assurance

Turn vendor research into a system your clinic can actually run.

PHIGuard gives small clinics a BAA-ready operating layer, recurring compliance work, and a safer home for patient-adjacent tasks.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.