HIPAA Compliance and Security Features

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to protect the privacy and security of patients’ sensitive health information. TrueContext offers configuration options to help covered entities meet their HIPAA compliance requirements. TrueContext undergoes an annual SOC 2 and HIPAA Security Rule audit by a third party to attest to the suitability of the design and the operating effectiveness of our controls relevant to security, availability, and confidentiality.

Recommendations and best practices

TrueContext helps support your HIPAA compliance, but using the TrueContext service does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of TrueContext services aligns with HIPAA and the HITECH Act. The following sections provide recommendations and best practices for configuring TrueContext to maintain HIPAA compliance.

Implement robust internal controls

Implement robust internal controls regarding general TrueContext system access and system usage.

What TrueContext does: TrueContext provides the ability to configure a password policy or to enable single sign-on (SSO) using SAML 2.0 and a number of common identity providers.
Recommendation: Configure your password policy or authentication scheme to comply with HIPAA requirements.
Useful links and notes: Configure a Password Policy; Setting up SSO; Logging in with SSO

What TrueContext does: User accounts are locked automatically after five failed login attempts, which prevents the user from logging in and from accessing, completing, or sending forms.
Recommendation: No action required.
Useful links and notes: User Account Lockout

What TrueContext does: TrueContext provides the ability to configure a maximum session length, after which users are forced to reauthenticate.
Recommendation: Configure the maximum session length according to your organization’s policies and HIPAA requirements.
Useful links and notes: Session Length

What TrueContext does: TrueContext offers three user roles (Mobile-only User, User, and Admin). Your organization can also assign users to groups that have permission to view selected forms or FormSpaces.
Recommendation:
  1. Assign users to the role appropriate for their job function.
  2. Configure groups to allow users access to specific forms or FormSpaces.

Note: User accounts are intended for use by employees of covered entities; they should not be provided to patients who have rights under HIPAA. Customer Feedback Forms (browser-based forms that work on any platform and are made available to customers and third parties through a URL link, with no app download or user login required) may be used to collect PHI; however, patients who have rights under HIPAA should not be permitted to complete the form using their own mobile devices.

Useful links and notes: User Roles; Managing Groups; FormSpace Permissions

Remove user accounts

Remove user accounts for users who have been terminated.

What TrueContext does: TrueContext provides the ability for customers to configure user permissions and remove users.
Recommendation: Manage and delete user accounts based on your organization’s policies.
Useful links and notes: User Permissions; Managing Users

Protect data during transmission

Protect data being transmitted to and from the TrueContext system.

What TrueContext does: Data within the TrueContext system is encrypted in transit and at rest. Data transmitted by the mobile applications is encrypted using TLS 1.2 or higher. Data stored on our servers is protected using AES-256 encryption. Data stored on mobile devices is protected using the device’s native encryption, provided that a passcode is enforced.
Recommendation:
  1. Ensure that data sent to and from the TrueContext system (via Data Sources and Data Destinations) is adequately protected outside of TrueContext.
  2. Enforce a passcode on your organization’s devices.
Useful links and notes: Enforce a Passcode

Note: Data Sources, also known as "Lookups", are external sources of data that you upload or connect to TrueContext; you can reference this data in a form to populate answers or answer options, which saves typing, reduces errors, and makes it easy to provide mobile users with only the relevant, most current data. A Data Destination specifies where to send data from a submitted form; Data Destinations automate data sharing and storage by routing data to a specific service (such as email or cloud storage) in several different formats.

What TrueContext does: TrueContext servers are hosted by AWS and located in the United States. When Data Passthrough is enabled, no submitted form data is saved in the TrueContext system, only a record of where the data went. Enabling this feature may limit the ability of TrueContext Support to assist you.
Recommendation:
  1. If desired, enable Data Passthrough for forms that contain sensitive information.
  2. If using shared devices, consider enabling In-Memory Forms.
Useful links and notes: Data Passthrough; In-Memory Forms

What TrueContext does: With the recommended Form Settings configured, images captured in the Mobile App are not saved to the user’s camera roll. All images and signatures are deleted from the device once the form is successfully submitted and processed.
Recommendation: Make sure the option to save images on devices is not enabled.
Useful links and notes: Image Options

What TrueContext does: TrueContext provides the ability to customize how long completed form submissions are stored in the Sent box on mobile devices.
Recommendation: When configuring your forms, enter “0” to disable the storage of form submissions in the Sent box. This ensures that no part of the form remains stored on the device.
Useful links and notes: Sent Box Options

What TrueContext does: TrueContext provides the option to configure Data Destinations if desired.
Recommendation: Bear in mind your compliance requirements when configuring Data Destinations. Include only the destinations that are needed, and ensure that each destination has adequate safeguards in place to meet your compliance needs. Using email destinations is generally not recommended. Perform an assessment of the security controls of the cloud storage provider or content management service to determine its suitability for use in healthcare. Cloud storage services should be used only if a business associate agreement has been entered into with the service provider.

Note: A cloud service that claims to support your HIPAA compliance can still be used in a manner that violates HIPAA rules, because HIPAA compliance depends on the people who use the product or service rather than on the product or service itself.

Useful links and notes: Creating and Managing Data Destinations

Note: TrueContext is not responsible for the security practices of the third-party organizations that provide Data Destinations. You must verify that a Data Destination meets your compliance requirements before you configure the destination. If you have HIPAA compliance requirements, you should not use Email or SMS Data Destinations.

Implement a business continuity and disaster recovery plan

What TrueContext does: TrueContext maintains an SLA of 99.5% uptime. We back up your data to our disaster recovery region daily and simulate disaster recovery quarterly.
Recommendation: Implement your own Business Continuity and Disaster Recovery plan for the other aspects of your business. Subscribe to TrueContext Status page updates.
Useful links and notes: Status page

Considerations for Covered Entities

Business Associate Agreements (BAAs) are mandated by the HIPAA Security Rule. A BAA sets out the permissible and impermissible uses of PHI between two organizations subject to HIPAA. This can include the relationship between a Covered Entity and a Business Associate, as well as the relationship between two Business Associates.

For more information on putting a Business Associate Agreement in place with TrueContext, please contact infosec@truecontext.com.

For more information, refer to the following topics: