Meeting Healthcare Privacy Regulations for Accounting Data
Discover how Sage Intacct enables compliance with HIPAA reporting and security requirements regarding personal information collected in your ERP. Healthcare organizations have added regulatory obligations concerning the electronic storage and safekeeping of data obtained from patients, as well as for other files that could expose their protected information if compromised or leaked. Leveraging a modern cloud accounting and business management system will help to mitigate these risks by securing your stored sensitive data with state-of-the-art controls and best practices.
Continue reading below to learn more about Sage Intacct’s HIPAA compliance capabilities:
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, also known as the Kennedy–Kassebaum Act, was enacted by the U.S. Congress and the Department of Health and Human Services (HHS) with the aim of strengthening security for electronic healthcare transactions, among many other amendments. Under Title II of HIPAA, those who collect Protected Health Information (PHI) are obligated to secure it and to prevent the privacy of their patients, clients, partners, etc. from being compromised. This includes all medical records and transaction details such as patient refunds, and applies to all healthcare services and health insurance providers as well as to all systems where those files are stored (such as your ERP and accounting software).
PHI vs PII – Personal Information Security
PHI is a form of personally identifiable information (PII), meaning that it reveals personal – and potentially sensitive – details of the individual it belongs to and if exposed could violate their privacy. Protected Health Information is different from other types of PII, however, in that it can reveal specific personal health descriptions as well as other exploitable data such as birth dates and addresses.
HIPAA Compliance for Accounting and Financial Data
With the passage of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in 2009, all “covered entities” under HIPAA are further obliged to guarantee the protection and privacy of all electronically stored PHI. Examples include records of payments for medical services, patient refund details, and financial aid data linked to individual health records. Non-compliance risks extend to any system handling ePHI (electronic PHI), including cloud-based accounting platforms like Sage Intacct.
Penalties for Non-Compliance
HIPAA violations carry significant penalties, categorized into four tiers based on the level of negligence:
- Tier 1: Unknowing violation; $100 to $50,000 per violation, capped at $25,000 per year.
- Tier 2: Reasonable cause but not willful neglect; $1,000 to $50,000 per violation, capped at $100,000 per year.
- Tier 3: Willful neglect, but corrected within 30 days; $10,000 to $50,000 per violation, capped at $250,000 per year.
- Tier 4: Willful neglect and not corrected; $50,000 per violation, capped at $1.5 million per year.
Criminal penalties can be applied for wrongful disclosures of PHI, leading to fines of up to $250,000 and potential imprisonment for up to 10 years for offenses committed under false pretenses.
Sage Intacct and HIPAA Compliance
Maintaining HIPAA compliance with your ERP and accounting software is not just an advantage, but a requirement due to the collection of electronic data that will inevitably include Protected Health Information and other PII. To help your business abide by these regulations and avoid non-compliance penalties, Sage Intacct offers several capabilities that allow your team to secure all collected data locally, ensure transparency and traceback visibility for every change and transaction, and maintain data integrity across connected databases. Healthcare providers and partners can leverage both the built-in functionality and back-end security protocols enforced by Sage to ensure financial reporting and record-keeping remains compliant at multiple stages.
Here is a quick breakdown of the different compliance-enablement capabilities available with this accounting software:
Financial Data Encryption
There are multiple levels of database protection and security protocols applied to Sage Intacct’s data centers, as well as locally-applied cybersecurity controls available for users. Sage maintains strict and redundant integrity layers for data stored in hosted servers, including multiple encryption methods.
These security controls include:
- Automated daily backups with encrypted off-site storage
- Data encryption at rest using industry-standard algorithms
- SSL/TLS encryption for all data in transit
- Database-level encryption for sensitive data columns
User Access Controls
There are several options for tailoring and enforcing user permissions in Sage Intacct, with admins being able to adjust access based on roles and quickly switch off inactive licenses.
Other access control features include:
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) login requirements
- IP address filtering for login attempt control
- Session timeout rules for automatic logouts
Medical Record-keeping and Reporting
Features like the Advanced Audit Trail provide extensive traceback functionality, logging every access and modification of records containing PHI, such as who accessed data, when, and through what means.
Other record-keeping capabilities include:
- Secure storage of PHI only in contact, vendor, and customer objects
- Automated checks for required fields and data validation
- Customizable approval workflows for transaction processing
- Comprehensive audit trails for all record modifications
Integration and Unified Databases
As a cloud ERP, Sage Intacct comes with an open API that allows for seamless integration with connected applications, including electronic medical records (EMR) systems. Local and database security controls, such as encryption, can be applied when systems are integrated and data is transmitted between them.
Other integration security features include:
- Standardized integration protocols for third-party applications
- Secure EMR systems and data integration
- Revenue Cycle Management (RCM) integration support
- Comprehensive audit trails for all data exchanges
BAA and Cloud Security Enforcement
For healthcare businesses, Sage Intacct includes a Business Associate Agreement (BAA) with its subscription – a contract between a HIPAA-covered entity and a business associate, such as Sage, that specifies each party’s responsibilities regarding PHI. The BAA outlines specific measures for data protection, breach notification procedures, and requirements for returning or destroying PHI after the agreement ends.
Some of the security enforcement measures taken by Sage include:
- Specific PHI storage and handling requirements specified in BAA
- Regular third-party security audits and certifications
- Dedicated security team for monitoring and incident response
- ERP hosted only in state-of-the-art data centers with strict physical access controls
- Regular testing on backup devices and procedures
Additional End-to-End Cybersecurity Controls in Sage Intacct
Sage Intacct is armed with various other cybersecurity controls and automations on both ends, from local administrative features to protocols enforced by Sage at the data center level.
Here are some of the other noteworthy cyber defense measures available:
- Compliance with multiple security standards including SOC 1/2
- Real-time alerts and notifications
- Custom report creation for audit purposes
- AI-powered pattern detection and anomaly alerts
- Regular security log reviews
See How Sage Intacct Supports Compliance with SWK Technologies
SWK Technologies is a trusted Diamond partner of Sage with extensive experience in implementing and optimizing Sage Intacct for businesses across multiple industries. As a Sage Certified Development Partner and Strategic Hosting Provider, SWK is also committed to delivering tailored solutions that address your specific needs, including compliance with standards like HIPAA.
Contact SWK here to explore more of Sage Intacct’s security features and learn how this cloud-based ERP can help support your organization’s compliance requirements.