Is ServiceNow HIPAA compliant?
Signs a BAAPHI with conditionsSOC 2 Type II
Will ServiceNow sign a HIPAA BAA?
Yes — ServiceNow will sign a HIPAA Business Associate Agreement (BAA).
ServiceNow will enter into a HIPAA Business Associate Agreement (BAA) with covered-entity customers who store ePHI in their instance, and publishes a dedicated 'ServiceNow Security and HIPAA' controls document. That document states the customer 'is the controller of customer data ... and retains the primary responsibility for ensuring compliance with its HIPAA obligations, whereas ServiceNow is merely the data processor.' Safeguarding ePHI is a shared responsibility: customers remain responsible for configuration, data classification, access management, and operational monitoring.
PHI eligibility
ePHI can be stored in a ServiceNow instance only under a signed BAA and with the customer correctly configuring controls; scope is governed by ServiceNow's HIPAA controls documentation.
SOC 2
SOC 2 Type II
Trust center
Sub-processors
—
Notes
BAA scope is limited to ServiceNow's data-processor role; the customer owns HIPAA configuration and monitoring.
Get notified when this changes
We track ServiceNow's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.
How to request and sign a BAA with ServiceNow
Yes — ServiceNow will sign a HIPAA Business Associate Agreement (BAA).
Request routeBy request — via trust center or support
- 1Confirm your account is coveredServiceNow will enter into a HIPAA Business Associate Agreement (BAA) with covered-entity customers who store ePHI in their instance, and publishes a dedicated 'ServiceNow Security and HIPAA' controls document. That document states the customer 'is the controller of customer data ... and retains the primary responsibility for ensuring compliance with its HIPAA obligations, whereas ServiceNow is merely the data processor.' Safeguarding ePHI is a shared responsibility: customers remain responsible for configuration, data classification, access management, and operational monitoring.
- 2Request the Business Associate AgreementServiceNow provides the BAA on request. Open a request through ServiceNow's trust center and ask for the current Business Associate Agreement covering your plan.
- 3Confirm what PHI is allowed before you store anyePHI can be stored in a ServiceNow instance only under a signed BAA and with the customer correctly configuring controls; scope is governed by ServiceNow's HIPAA controls documentation. Match your configuration to this scope before putting protected health information into ServiceNow.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with ServiceNow before you rely on it. This is cited public information, not legal advice.
Frequently asked questions
Does ServiceNow sign a HIPAA Business Associate Agreement (BAA)?
Yes — ServiceNow will sign a HIPAA Business Associate Agreement (BAA). ServiceNow will enter into a HIPAA Business Associate Agreement (BAA) with covered-entity customers who store ePHI in their instance, and publishes a dedicated 'ServiceNow Security and HIPAA' controls document. That document states the customer 'is the controller of customer data ... and retains the primary responsibility for ensuring compliance with its HIPAA obligations, whereas ServiceNow is merely the data processor.' Safeguarding ePHI is a shared responsibility: customers remain responsible for configuration, data classification, access management, and operational monitoring.
Is ServiceNow HIPAA compliant?
ServiceNow can be used in a HIPAA-compliant way: it signs a Business Associate Agreement (BAA), which HIPAA requires before you process PHI with a vendor. ePHI can be stored in a ServiceNow instance only under a signed BAA and with the customer correctly configuring controls; scope is governed by ServiceNow's HIPAA controls documentation.
Can you store PHI (protected health information) in ServiceNow?
ePHI can be stored in a ServiceNow instance only under a signed BAA and with the customer correctly configuring controls; scope is governed by ServiceNow's HIPAA controls documentation.
Is ServiceNow SOC 2 certified?
ServiceNow reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from ServiceNow?
ServiceNow provides the BAA on request. Open a request through ServiceNow's trust center and ask for the current Business Associate Agreement covering your plan. Confirm current terms directly with ServiceNow before storing PHI.
What plan do I need to sign a BAA with ServiceNow?
ServiceNow will enter into a HIPAA Business Associate Agreement (BAA) with covered-entity customers who store ePHI in their instance, and publishes a dedicated 'ServiceNow Security and HIPAA' controls document. That document states the customer 'is the controller of customer data ... and retains the primary responsibility for ensuring compliance with its HIPAA obligations, whereas ServiceNow is merely the data processor.' Safeguarding ePHI is a shared responsibility: customers remain responsible for configuration, data classification, access management, and operational monitoring.
Sources
https://blogs.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/other-document/servicenow-hipaa-security-controls.pdf
https://www.servicenow.com/company/trust.html
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with ServiceNow before processing protected health information.
Check another vendor
See all HIPAA compliant customer support & help desk software →
Browse all 105 vendors by category →