How to Configure ActivTrak for HIPAA Compliance

NOTE: This article is not intended to replace official legal counsel. We are not legal experts. Please consult your lawyer. We exist to help customers improve their businesses. It’s important for us to show how they can maintain responsible control over the data collected and protect it in accordance with CCPA requirements.

What is HIPAA?

HIPAA (Health Information Portability and Accountability Act) is a federal law in the United States that gives individuals rights over their sensitive health information. It also requires organizations to adhere to rules and limits on who can access and receive health information without a patient’s consent or knowledge. 

As more confidential information is becoming digital and accessible, data breaches become more common and more threatening. In order to help protect against protected health information fraud and abuse, HIPAA policies were created to require a baseline of security integrity. 

HIPAA’s security rules are enforced through regulatory audits that help identify holes in an organization’s security. These violations can lead to severe consequences and potential criminal charges due to negligent facilities, managers and employees. In addition, an organization may have to announce the breach to the media.

Ensuring Compliance with HIPAA while using ActivTrak

ActivTrak respects data privacy laws in our data-driven approach to analyzing productivity. Our commitment to data privacy and security ensures businesses are HIPAA-compliant while achieving business productivity goals. 

In this article, we outline compliance recommendations and specific account configuration steps you can take to ensure your use of ActivTrak complies with HIPAA regulations.

Configuring Your ActivTrak Account for HIPAA Compliance 

The table below provides a high-level overview of individual HIPAA requirements as well as specific steps your organization can take to ensure your processes and procedures related to your ActivTrak usage are compliant. 

HIPAA Requirement

Recommended Actions

ActivTrak Capabilities

Limit the use and sharing of protected health information

Reasonably limit the use and sharing of protected health information or electronic Personal Health Information (ePHI) to the minimum necessary to accomplish your intended purpose.

Enable ActivTrak’s Privacy Controls to prevent capturing a patient’s ePHI (e.g. names, email, SSN, and more). Learn more→

Put safeguards in place to protect patient health information

Use systems and applications that comply with security industry standards like ActivTrak.

The ActivTrak SaaS application is designed with a privacy-first approach in mind, and uncompromising security to ensure the confidentiality and integrity of all collected and analyzed data.

 

ActivTrak is SOC 2 Type 2 certified and uses a number of security industry standards:

  • Encrypted connection protocols including HTTPS and SSL/TLS. 
  • Communication between ActivTrak cloud and the Agent uses HTTPS/TLS with AES-128 encryption.
  • Mutual authentication is provided by a combination of a digital certificate and a per-instance shared key, which is created during deployment.

Data stored within the cloud is stored using AES-256 encryption. Learn more→ 

Limit who can access patient health information

Put in place procedures to limit who can access patient health information, provide training on how to protect patient health information, and educate service providers about associated penalties.

ActivTrak supports the following access control capabilities:

  • Single sign-on (SSO) and Multi-factor authentication (MFA). When SSO and/or MFA are enabled, we delegate the user authentication process to identity providers that support the Security Assertion Markup Language (SAML) 2.0 standard. We have certified SSO for most identity providers like Okta, Azure AD, OneLogin, and Google Suite, among others. Learn more→
  • Administrators can configure granular role-based access controls to limit access to data. Learn more→
  • Use strong password policies.

Have agreements in place with service providers that perform covered functions 

These agreements, called Business Associate Agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.

Not applicable to ActivTrak.

Being Prepared for Audits

ActivTrak has resources you can leverage in the event of a data privacy compliance audit. They include:

  • Data Retention and History: As an extra level of protection, our system does not retain data beyond an account’s set limits. Admins can also restrict date filters for user roles. Learn more here.
  • Security Alarms: Alarms can be configured to alert you in real-time of any potential data privacy or security risks such as when users export data, change access levels and more. Learn more here.
  • Security Audit Log: Our Security Audit Log provides a detailed record of changes or logins made to the account. Learn more here.

Additional Resources

Data Privacy & Compliance

Best Practices & Support

 

Was this article helpful?

0 out of 0 found this helpful

Comments

No comments