Sage Intacct HIPAA Guidelines

Required functionality

A subscription to the Advanced Audit Trail module is required for Sage Intacct to enter into a Business Associate Agreement and for your account to constitute an “Eligible Account” for purposes of the Business Associate Agreement.

Configuration and use requirements

Requirement / Explanation
Disable external access to your Sage Intacct tenant
Part of HIPAA compliance is being able to distinguish who had access to protected health information and when. To meet this requirement, you must not authorize (or, if you have authorized, you must disable) external access to your Sage Intacct tenant by Sage Intacct support staff. If you have a relationship with a Sage Intacct VAR partner and have enabled their access to your Sage Intacct tenant, it must be via named slide-in. You must verify this setting with your Sage Intacct VAR partner.
Do not include or store protected health information in places other than the contact, vendor and customer objects
Tracking access to protected health information is one of the HIPAA requirements. The Advanced Audit Trail enables compliance with this requirement by tracking access to personal information in standard fields in the contact, vendor, and customer objects. Access to information outside of these objects is not tracked. Therefore, you must include protected health information only in the contact, vendor, and customer objects and not in other places, such as custom fields, employee records, or attachments.
Do not include protected health information in support requests
You may not send protected health information to, or share it with, Sage Intacct customer support through a support request or some other method, such as an email attachment, or in the Community or any other support forums. If you need help from Sage Intacct support with a contact, vendor, or customer record that contains protected health information, then use generic terms in your initial support request and state your HIPAA compliance requirements.
Do not store protected health information in a sandbox company
You may not include protected health information in sandbox environments. If you need to use a sandbox environment, prior to migrating your data to it you must contact Sage Intacct to anonymize all protected health information using the Personal Data Management Service. Once you have access to the sandbox environment, do not store or use any protected health information in it. Instead, use the anonymized records for your testing purposes, or create records that do not represent real protected health information.
Sage Intacct VAR partners cannot make copies of your company for you
The Advanced Audit Trail does not merge the Advanced Audit History report, which is designed to track access to protected health information, across copy companies and the original company. For this reason, your Sage Intacct VAR partner cannot make copies of your company.
Do not budget by the vendor or customer dimensions in Sage Intacct Budgeting and Planning
Sage Intacct Budgeting and Planning is a separate Sage Intacct module that is not supported by Advanced Audit Trail and does not track access to protected health information. For this reason, you should not create budgets against the vendor or customer dimensions in Sage Intacct Budgeting and Planning.
Do not use the Interactive Custom Report Writer and the Interactive Visual Explorer with PHI data sources
Currently, access to protected health information used in the Interactive Custom Report Writer and the Interactive Visual Explorer is not tracked by Advanced Audit Trail.

Third-party services not covered by your BAA with Sage Intacct

• American Express Vendor Payment Services
• Authorize.net Payment Services
• AvaTax
• Corporate Spending Innovation (CSI) Vendor Payments
• PayPal Payment Services
• Salesforce
• TaxBandits
• Wells Fargo Payment Manager
• Applications available on the Sage Intacct Marketplace
• Services delivered through the Sage Intacct System Integration Group

Last updated: October 25, 2022