HIPAA Compliance at AraSync
AraSync is built from the ground up for HIPAA compliance. Every data flow, access control, and storage decision was made with PHI protection as a first principle.
- AES-256 Encryption: All data encrypted at rest and in transit
- BAA Available: Business Associate Agreement executed with all customers
- Azure Cloud: HIPAA-eligible Microsoft Azure infrastructure
- SOC 2 Ready: Controls aligned with the SOC 2 Trust Services Criteria used in a Type II examination (this page claims alignment, not a completed SOC 2 report)
- Full Audit Trail: 38,000+ audit events tracked with complete history
- Role-Based Access: Granular permissions by role, program, and patient
Our Role as a Business Associate
AraSync Health Systems operates as a Business Associate under HIPAA for all customers who are Covered Entities — including home care agencies, mental health providers, ARMHS agencies, PCA providers, and any other organization that creates, receives, maintains, or transmits Protected Health Information (PHI) in the course of providing services to patients.
Before processing any PHI, we execute a Business Associate Agreement (BAA) with each customer. The BAA defines our obligations for safeguarding PHI, the permitted uses and disclosures of PHI on your behalf, and our breach notification responsibilities. Contact [email protected] to request a BAA.
Technical Safeguards
Encryption
- At rest: All PHI stored in AraSync's database and document storage is encrypted using AES-256, the same standard used by financial institutions and the U.S. government. Encryption at rest protects against loss or theft of storage media and backups; it does not limit what an authenticated user can see, which is governed by the access controls below.
- In transit: All data transmitted between your staff's devices and AraSync servers is encrypted using TLS 1.2 or higher. This includes mobile EVV check-ins, web sessions, and API calls.
- Mobile devices: The AraSync mobile app does not cache unencrypted PHI on device. Data is stored temporarily during offline operation in an encrypted local store and synced to servers when connectivity is restored.
Access Controls
- Unique user identifiers: Every staff member has a unique login. Shared credentials are not permitted and cannot be configured.
- Role-based permissions: Access to patient records, clinical documentation, billing data, and reporting is controlled by role. Administrators configure which staff can view, edit, or approve each data type.
- Automatic session timeout: Web and mobile sessions automatically time out after a configurable period of inactivity.
- Biometric authentication: The mobile app supports Face ID and fingerprint authentication on supported devices, reducing credential exposure in the field.
- Multi-factor authentication: Available for administrative accounts.
Audit Controls
- Every access to, modification of, or deletion of PHI generates an immutable audit log entry.
- Audit logs include user ID, timestamp, action type, record type, and IP address.
- Logs are retained for a minimum of 6 years, consistent with the HIPAA Security Rule's documentation retention requirement (45 CFR 164.316(b)(2)(i)).
- Administrators can export audit reports in PDF and Excel format for regulatory review or internal investigation.
- AraSync's compliance dashboard currently tracks 38,000+ audit events across active customer accounts.
Data Integrity
- All clinical records include version history. Document edits are tracked with the prior version, editor identity, and timestamp preserved.
- Auto-save runs every 30 seconds during documentation to prevent data loss.
- Data validation is applied at input to prevent malformed records from entering the system.
Physical and Administrative Safeguards
Infrastructure
AraSync's production infrastructure runs on Microsoft Azure. There is no HIPAA certification for cloud providers; instead, Microsoft offers a BAA covering a defined set of in-scope (HIPAA-eligible) Azure services, and AraSync runs its PHI workloads on services covered under Microsoft's BAA with AraSync. Azure also maintains its own extensive compliance attestations, including SOC 1, SOC 2, ISO 27001, and FedRAMP.
Data centers are physically secured with biometric access controls, 24/7 security monitoring, redundant power and cooling, and geographic redundancy for disaster recovery.
Workforce Training
All AraSync staff with access to customer PHI complete HIPAA training upon hire and annually thereafter. Training covers the Privacy Rule, Security Rule, and AraSync-specific policies and procedures for handling PHI.
Risk Assessment
AraSync conducts regular security risk assessments to identify, evaluate, and address vulnerabilities in systems that process PHI. Risk assessment findings are remediated according to severity within defined timeframes.
Incident Response
AraSync maintains a documented incident response plan. In the event of a security incident or breach involving PHI, we will:
- Contain and investigate the incident within 24 hours of discovery
- Notify affected customers within 72 hours of confirming a breach, consistent with our BAA obligations
- Work with customers to notify affected individuals within the HIPAA-required 60-day window
- Support your reporting to HHS, which is the Covered Entity's obligation: breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery, and smaller breaches are logged and reported to HHS annually
- Provide a full incident report documenting what happened, what data was affected, and what remediation was completed
EVV and HIPAA
Electronic Visit Verification collects GPS location data from caregivers' mobile devices during visits. AraSync's EVV implementation is designed to comply with both the 21st Century Cures Act EVV mandate and HIPAA:
- GPS data is collected only during active visits, not continuously tracked
- Location data is associated with the caregiver's user record, not retained as standalone tracking data
- EVV records are stored with the same AES-256 encryption and access controls as all other PHI
- Caregiver consent is obtained during app onboarding for location collection during visits
AI Documentation and PHI
AraSync's AI documentation assistant operates as a real-time compliance rule-engine and language helper. Clinicians write the clinical content of progress notes, treatment plans, and assessments themselves; the AI checks the clinician-authored documentation against Minnesota DHS rules, flags missing requirements, and suggests alternative phrasing on assessment documents. Regarding PHI:
- AI processing occurs within AraSync's HIPAA-compliant infrastructure — PHI is not transmitted to third-party AI services in identifiable form
- AI-surfaced compliance feedback and language suggestions are presented to the clinician for review — they are not automatically applied to records, billing, or payers
- Clinician approval is required before any AI-suggested edits or compliance flags result in changes that become part of the patient record
Your Responsibilities
HIPAA compliance is a shared responsibility. As a Covered Entity using AraSync, your organization is responsible for:
- Configuring user roles and access permissions appropriate to each staff member's job function
- Maintaining workforce HIPAA training for your own staff
- Obtaining required patient authorizations and consents before entering PHI
- Implementing device security policies for any device used to access AraSync (screen locks, device encryption)
- Reporting any suspected security incidents or unauthorized access to AraSync immediately
- Following the minimum necessary standard when assigning staff access to patient records
Request Our BAA or Security Documentation
If you are evaluating AraSync and need to review our security practices, Business Associate Agreement, or compliance documentation for due diligence purposes, contact us:
AraSync Health Systems
130 Division Street, Suite D
Waite Park, MN 56387
Email: [email protected]
Phone: (669) 278-5128
We typically respond to security review requests within 2 business days.
Ready to See AraSync in Action?
Book a free 30-minute demo. We'll walk through our compliance dashboard, audit trail, and HIPAA safeguards — and answer any security questions your team has before signing.
Request a Demo