Advanced Audit Trail and HIPAA compliance

When you subscribe to Advanced Audit Trail, you can track access to personal data stored in contact, customer, and supplier records to comply with HIPAA.

This feature may impact your contract with Sage Intacct, so you cannot subscribe to or unsubscribe from Advanced Audit Trail on your own. Instead, call your account manager to manage your subscription to Advanced Audit Trail.

HIPAA compliance

Advanced Audit Trail was designed to be a HIPAA solution for healthcare companies. We've taken the time to understand where patient data is stored and how best to track access to it, without impacting the overall performance of Sage Intacct.

See Advanced Audit Trail overview for more detailed information about how Advanced Audit Trail works and what information it tracks, including exceptions. There are also additional requirements for companies who wish to ensure HIPAA compliance, as listed below.

Additional requirements

In addition to subscribing to Advanced Audit Trail, your company also needs to adhere to the following requirements to ensure HIPAA compliance.

Each requirement is listed below, followed by its explanation.
Disable external access to your Sage Intacct tenant.

Part of HIPAA compliance is being able to distinguish who had access to protected health information and when. To meet this requirement, you must not authorize external access to your Sage Intacct tenant by Sage Intacct support staff. If you have already authorized external access, you must disable it.

Furthermore, if you have a relationship with a Sage Intacct VAR partner and have enabled their access to your Sage Intacct tenant, it must be via named slide-in. You must verify this setting with your Sage Intacct VAR partner.

Cannot include or store protected health information in places other than the contact, supplier, and customer objects.

Tracking access to protected health information is one of the HIPAA requirements. The Advanced Audit Trail enables compliance with this requirement by tracking access to personal information in the contact, supplier, and customer objects. Access to information outside of these objects is not tracked. Therefore, if you plan to use Advanced Audit Trail for HIPAA compliance, you must include protected health information only in the contact, supplier, and customer objects and not in other places, such as custom fields, employee records, or attachments.

Cannot send or share protected health information stored in your Sage Intacct instance outside of the Sage Intacct system.

Once protected health information is entered into Sage Intacct, it's our job to track access to this data. However, after protected health information leaves the Sage Intacct system, we cannot track who accessed it and when. Therefore, you cannot send or share protected health information to Sage Intacct customer support through a support request or some other method, such as an email attachment. Furthermore, you also cannot share protected health information in the Community or any other support forums.

If you need help from Sage Intacct support with a contact, supplier, or customer record that contains protected health information, then use generic terms in your support request and state your HIPAA compliance requirements. For instance, you might send the following message in a support request:

I'm a HIPAA-compliant customer with a contact record that is not working.

After you are assigned a support specialist and the proper access documentation has been created, then you can use more specific terms to troubleshoot your problems.

Cannot store protected health information in a sandbox company.

A sandbox company is simply a copy of your company. At this time, the Advanced Audit Trail doesn't merge the Advanced Audit History report, which is designed to track access to protected health information, across copy companies and the original company. For this reason, sandbox companies are not supported for the purposes of HIPAA compliance.

However, we understand your need to test new integrations, applications, and configurations in sandbox companies to take advantage of new features and improve your Sage Intacct experience. Because of these complex needs, we have established a process to satisfy both the requirements for HIPAA compliance as well as the need to test in sandbox companies:

  • Once you have access to the sandbox company, do not store or use any protected health information in the sandbox company to adhere to HIPAA requirements. Instead, use the redacted records for your testing purposes, or create records that do not represent real protected health information.
    If you choose to use or store protected health information in your sandbox company, you do so at your own risk.
  • If you have a relationship with a Sage Intacct VAR partner, they cannot make copies of your company for you. At this time, Advanced Audit Trail doesn't merge the Advanced Audit History report, which is designed to track access to protected health information, across copy companies and the original company. For this reason, your Sage Intacct VAR partner cannot make copies of your company.

If using Sage Intacct Planning, you cannot budget by the supplier or customer dimensions.

Sage Intacct Planning is a separate Sage Intacct module that is not supported by Advanced Audit Trail and does not track access to protected health information.

For this reason, you cannot create budgets against the supplier or customer dimensions in Sage Intacct Planning. This ensures that protected health information is not exchanged with, or made available to, the Sage Intacct Planning system.

Sign a Business Associate Agreement (BAA)

If your company has HIPAA compliance requirements and has both read Advanced Audit Trail overview and adhered to the requirements above, your company may enter into Sage Intacct's Business Associate Agreement. Contact your account manager for more details.

What do I do if my company has a data breach?

Run the Advanced Audit History report and Audit History report to analyze access to your system. If you need additional help, contact your account manager.