Configure ActivTrak for HIPAA Compliance

Important: This article is not intended to replace official legal counsel. We are not legal experts; please consult your lawyer. We exist to help customers improve their businesses, and it’s important for us to show how they can maintain responsible control over the data collected and protect it in accordance with HIPAA requirements.

What is the Health Information Portability and Accountability Act (HIPAA)?

HIPAA (Health Information Portability and Accountability Act) is a federal law in the United States that gives individuals rights over their sensitive health information. It also requires organizations to adhere to rules and limits on who can access and receive health information without a patient’s consent or knowledge.

As more confidential information becomes digital and accessible, data breaches become more common and more damaging. To help protect against fraud and abuse involving protected health information, HIPAA policies were established to require a baseline of security and integrity.

HIPAA’s security rules are enforced through regulatory audits that help identify holes in an organization’s security. Violations uncovered in this way can lead to severe consequences, including potential criminal charges, for negligent facilities, managers, and employees. Additionally, an organization may need to notify the media about a breach.

HIPAA compliance & ActivTrak

ActivTrak respects data privacy laws in our data-driven approach to analyzing productivity. Our commitment to data privacy and security ensures businesses can be HIPAA-compliant while achieving their business productivity goals.

In this article, we outline compliance recommendations and specific account configuration steps you can take to ensure your use of ActivTrak complies with HIPAA regulations.

Configuring your ActivTrak account for HIPAA Compliance

The overview below covers individual HIPAA requirements, the actions your organization can take to ensure its processes and procedures related to ActivTrak usage are compliant, and the ActivTrak capabilities that support each requirement.

Requirement: Limit the use and sharing of protected health information

Recommended actions: Reasonably limit the use and sharing of protected health information, or electronic protected health information (ePHI), to the minimum necessary to accomplish your intended purpose.

ActivTrak capabilities:

  • If you have a Legacy Advanced or Premium subscription, enable ActivTrak’s Privacy Controls to prevent capturing a patient’s ePHI (e.g., names, email addresses, SSNs, and more).
  • If you have an Essentials or Professional subscription, your plan supports HIPAA compliance out of the box. To avoid capturing ePHI, do NOT purchase the Screen Details add-on.

Requirement: Put safeguards in place to protect patient health information

Recommended actions: Use systems and applications, such as ActivTrak, that comply with security industry standards.

ActivTrak capabilities:

The ActivTrak SaaS application is designed with a privacy-first approach and uncompromising security to ensure the confidentiality and integrity of all collected and analyzed data.

ActivTrak is SOC 2 Type 2 certified and uses a number of security industry standards:

  • Encrypted connection protocols, including HTTPS and SSL/TLS.
  • Communication between the ActivTrak cloud and the Agent uses HTTPS/TLS with AES-128 encryption.
  • Mutual authentication is provided by a combination of a digital certificate and a per-instance shared key that is created during deployment.

ActivTrak applies end-to-end data encryption on user devices, in transit, and in storage. Data within the cloud is stored using AES-256 encryption.

Requirement: Limit who can access patient health information

Recommended actions: Establish procedures to limit who can access patient health information, provide training on how to protect patient health information, and educate service providers about the associated penalties.

ActivTrak capabilities:

ActivTrak supports the following access control capabilities:

  • Single sign-on (SSO) and multi-factor authentication (MFA). When SSO and/or MFA are enabled, we delegate the user authentication process to identity providers that support the Security Assertion Markup Language (SAML) 2.0 standard. We have certified SSO for most identity providers, including Okta, Azure AD, OneLogin, and Google Suite, among others.
  • Administrators can configure granular role-based access controls to limit access to data.
  • Strong password policies.

Requirement: Have agreements in place with service providers that perform covered functions

Recommended actions: These agreements, called Business Associate Agreements (BAAs), ensure that service providers (Business Associates) use, safeguard, and disclose patient information properly.

ActivTrak capabilities: Not applicable to ActivTrak.

Preparing for audits

ActivTrak has resources you can leverage in the event of a data privacy compliance audit. They include:

  • Data Retention and History: As an extra level of protection, our system does not retain data beyond an account’s set limits. Admins can also restrict date filters for user roles.
  • Security Alarms: Alarms can be configured to alert you in real time to potential data privacy or security risks, such as when users export data, change access levels, and more.
  • Security Audit Log: Our Security Audit Log provides a detailed record of changes made to the account and of logins.
  • Data Integrity Verification: Cryptographic signatures verify that activity data has not been modified in transit from the agent to the backend, addressing the integrity controls of HIPAA Security Rule 164.312(e)(2)(i). Tamper detection provides an audit trail of unauthorized modification attempts.
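As an added illustration (not ActivTrak’s own code, which this article does not show), the following Python sketches the integrity control described above: the agent tags each activity record under a per-instance shared key, and the backend rejects any record whose tag no longer matches and writes a tamper-detection audit entry. HMAC-SHA256 stands in for whatever signature scheme ActivTrak actually uses; the key, record fields, and event names are constructed assumptions.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed placeholder for the per-instance shared key created at deployment.
INSTANCE_KEY = b"constructed-per-instance-key-do-not-reuse"

# Constructed sample activity record as an agent might report it (field names assumed).
SAMPLE_RECORD = {
    "user": "jdoe",
    "app": "ehr-client.exe",
    "title": "[title suppressed by privacy controls]",
    "start": "2024-05-01T14:02:11Z",
    "seconds": 312,
}

def canonical(record: dict) -> bytes:
    """Deterministic byte encoding so agent and backend MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_record(record: dict, key: bytes) -> dict:
    """Agent side: attach an HMAC-SHA256 tag computed under the instance key."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "sig": tag}

def verify_record(envelope: dict, key: bytes, audit_log: list) -> bool:
    """Backend side: recompute the tag; on mismatch, write a tamper-detection audit entry."""
    record = envelope.get("record", {})
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if hmac.compare_digest(expected, str(envelope.get("sig", ""))):
        return True
    audit_log.append({
        "event": "integrity_failure",
        "user": record.get("user"),
        "detected_at": datetime.now(timezone.utc).isoformat(),
        "detail": "HMAC mismatch: record altered in transit or signed with a different key",
    })
    return False

def run_demo() -> tuple:
    """Sign one record, verify it intact, then verify a copy altered in transit."""
    audit_log = []
    envelope = sign_record(SAMPLE_RECORD, INSTANCE_KEY)
    intact_ok = verify_record(envelope, INSTANCE_KEY, audit_log)
    # Simulated in-transit modification: a field changes but the original tag is kept.
    tampered = {"record": dict(envelope["record"], seconds=5), "sig": envelope["sig"]}
    tampered_ok = verify_record(tampered, INSTANCE_KEY, audit_log)
    return intact_ok, tampered_ok, audit_log
```

The audit entries returned by run_demo() are the kind of record an auditor would expect to see alongside the Security Audit Log when a modification attempt is detected.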
