Compliance information for VCF for Classic - Automated

HIPAA

Notwithstanding information in the data sheet for this Cloud Service regarding the Health Information Portability and Accountability Act of 1996 ("HIPAA") and the permitted use of Health Information and Health data as Types of Personal Data and Special Categories of Personal Data (collectively, "Health Data") with this Cloud Service, use of Health Data with this Cloud Service is subject to the following limitations and conditions:

vCenter Server

Only the offerings that are previously listed can be provisioned to implement the HIPAA Privacy and Security Rule controls for use with Health Data if Client notifies IBM in advance that Client will use Health Data with the Cloud Service and IBM confirms in writing that the Cloud Service will be provisioned for Health Data usage. The Cloud Service cannot be used for the transmission, storage, or other usage of any Health Data protected under HIPAA unless (i) Client provides IBM such notification; (ii) IBM and Client have entered into an applicable Business Associate Agreement; and (iii) IBM provides Client with express- written confirmation that the Cloud Service can be used with Health Data. In no event, shall the Cloud Service be used for processing PHI as a healthcare clearinghouse within the meaning of HIPAA.

If a system failure occurs, a third-party service provider might request debugging artifacts from the client (logs, core memory dumps). It is the client’s sole responsibility to gather and transmit these artifacts to the third-party provider. The IBM Support team might assist by providing links to documentation or providing direction through screen sharing sessions. However, the client is responsible for cleansing the data of any PHI and ensuring that it is properly encrypted before it is transmitted. It is also the client’s responsibility to evaluate whether they require a BAA to be executed with the third-party provider before data is sent.

Proactive support for initial provisioning

• During the initial ordering and provisioning of an instance or service, IBM Support might access client instances and information without prior notification of the client to ensure that orders are properly fulfilled.
• IBM Support actively monitors instance lifecycle operations such as adding new hosts, in addition to the ordering, provisioning, and installation processes.
• To fix issues that arise or might arise in the future, IBM Support might take a number of actions. These actions include, but are not limited to, reviewing client order details, restarting automation jobs, performing operating system reload operations, or opening IBM Cloud tickets by using the provided client IBM Cloud user ID and API key.

Proactive support for steady-state operations

• On rare occasions, IBM Support might require access to client instances during steady-state operations to proactively troubleshoot an instance issue or to verify function of provisioned services or components.
• This access is through the IBM Cloud internal support network. At no time will IBM Support modify instance configuration without prior consent from the client.
• Access is to the VMware management components and to the IBM Cloud management components and never to the client's virtual machines or applications.

Support tickets

• vCenter Server environments are not actively monitored by IBM, and IBM Support does not enter the VMware management layer under normal operations without a client–written support ticket.
• When a client opens a support ticket for an instance, service, or provisioning issue, the ticket is quickly assigned to the appropriate IBM Support team, who is the primary party responsible for resolving the issue.
• Due to the level of specialization that is required to maintain superior technical expertise at the team level, it is sometimes necessary to involve more than one support team in resolving a particular software problem. This is easily handled, as our support teams are all networked together and work as one to resolve whatever problems or issues arise.
• To investigate the issue, IBM might need to access information on your system relative to the failure or might need to re-create the failure to get more information.
• A client–generated support ticket serves as acknowledgment that IBM Support can access the VMware management layer for investigation, debugging, and triage. If maintenance outage or changes to the environment are required, IBM Support requests extra-documented confirmation from the client through tickets as part of our change management process.
• For more information about support tickets, see the IBM Support Guide and follow the steps in Getting help and support.

Communication and troubleshooting

• IBM does not warrant that our products are defect free, however we do endeavor to fix them to work as designed. Clients play a large role in this effort.
• While IBM Support is available to provide assistance throughout the lifecycle of the product, support might be limited by the information and access provided by the client.
• The client is responsible for providing in–depth documentation at the time of a failure and responding timely to IBM Support when further clarification is needed.
• Clients are also responsible for following the guidelines in this document to grant consent to proactive support.
• By declining consent or failing to abide by the guidelines provided, the client assumes the responsibility of possible lag in problem resolution that is caused by communication delays between the client and support team.
• The client must be prepared to perform more technical troubleshooting that would otherwise be done by IBM Support. IBM provides appropriate documentation and assistance where necessary.

Security measures

• Management of Cloud Service - Client is responsible for managing administration, operation, maintenance, and security of the applications, including underlying middleware.
• Service Integrity and Availability - IBM forwards to the Client all network intrusion notifications detected for this Cloud Service. It is the Client’s responsibility to ascertain the impact of each notification that is reported. Client is notified of hardware failures. Monitoring and responding to OS or software failures is the responsibility of the Client, engaging IBM Support as required.
• Activity Logging - Client is responsible for activity logging of OS/System and Database/Applications, as needed.
• Encryption - Client is responsible for configuring and managing all encryption (for both data at rest and in transit), as needed.
• Business Continuity and Disaster Recovery - Client is responsible for configuring and managing all business continuity and disaster recovery processes, as needed.

Third-party services

• Third-party software or code is included or bundled with some of our IBM offerings. This code is included for your convenience but is not considered part of the IBM program.
• These non–IBM programs are licensed directly by their providers. Client agrees to use the non–IBM programs under the provider’s terms and conditions. These terms are provided in the IBM licensing agreement that accompanies the IBM offering at time of purchase.
• IBM does testing to ensure that the third-party products work with IBM programs and that they function correctly.
• IBM Support diagnoses client problems by using the knowledge of how our IBM offerings work with the third-party software. After it is concluded that the IBM program is working correctly, but the issue still exists, IBM must refer the client to the third-party vendor for further diagnosis.
• For more information about client responsibilities regarding third-party software or code, see the IBM Support Guide.