HIPAA Compliance
Protecting patient data is at the core of everything we build.
Technical Safeguards
MammoTrac is designed to meet the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). The following safeguards are built into every layer of the platform.
Encryption
All data transmitted between your browser and MammoTrac is encrypted in transit using TLS (Transport Layer Security). Data at rest is protected using AES-256 encryption within our hosting infrastructure.
Access Controls
Role-based access ensures that users only see the data relevant to their responsibilities. Access is scoped by customer, group, and site. Each user account requires unique credentials and is provisioned by authorized administrators only.
Audit Trails
Comprehensive logging tracks user activity including login events, data access, and record modifications. Audit trails support compliance reviews and incident investigations.
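The two safeguards above (role-based access scoped by customer, group and site, and an audit trail of data access) are illustrated by the following added example. It is not MammoTrac's or Trac Technologies' code; the roles, users, records, scope names and log format are constructed for the illustration. It shows a read being allowed inside the user's scope, denied outside it, and both decisions landing in the audit trail.

```python
"""Added illustration (not MammoTrac's code) of role-based access scoped by
customer, group and site, with every authorization decision written to an
audit trail. All roles, users, records and scopes below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Scope:
    customer: str
    group: str
    site: str


@dataclass
class User:
    username: str
    role: str                  # hypothetical roles: "reader" or "editor"
    scopes: FrozenSet[Scope]   # scopes this user may access


@dataclass
class Record:
    record_id: str
    scope: Scope
    payload: str               # stands in for PHI; constructed sample text


# Constructed sample data: one customer, one group, two sites.
SITE_A = Scope("acme-health", "radiology", "site-a")
SITE_B = Scope("acme-health", "radiology", "site-b")
RECORDS: Dict[str, Record] = {
    "rec-1": Record("rec-1", SITE_A, "<PHI for site A>"),
    "rec-2": Record("rec-2", SITE_B, "<PHI for site B>"),
}
# In a real deployment this would be append-only storage, not a list.
AUDIT_LOG: List[dict] = []

ROLE_PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "modify"},
}


def _audit(user: User, action: str, record_id: str, outcome: str) -> None:
    """Append one audit entry; denied attempts are recorded as well as allowed ones."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.username,
        "action": action,
        "record": record_id,
        "outcome": outcome,
    })


def authorize(user: User, action: str, record_id: str) -> bool:
    """Allow only if the role grants the action AND the record's scope is one of
    the user's scopes. Every decision is audited, whatever the outcome."""
    record = RECORDS.get(record_id)
    if record is None:
        _audit(user, action, record_id, "denied:unknown-record")
        return False
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        _audit(user, action, record_id, "denied:role")
        return False
    if record.scope not in user.scopes:
        _audit(user, action, record_id, "denied:scope")
        return False
    _audit(user, action, record_id, "allowed")
    return True


def read_record(user: User, record_id: str) -> Optional[str]:
    """Return the record payload only when the read is authorized."""
    if authorize(user, "read", record_id):
        return RECORDS[record_id].payload
    return None


if __name__ == "__main__":
    tech = User("tech.a", "reader", frozenset({SITE_A}))
    print(read_record(tech, "rec-1"))   # allowed: inside the user's scope
    print(read_record(tech, "rec-2"))   # None: site-b is outside the scope
    for entry in AUDIT_LOG:
        print(entry)
```

The scope check is deliberately separate from the role check so that a user with a powerful role at one site still cannot reach another site's records, and the denied attempts are what an incident reviewer would look for in the audit trail.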
Secure Hosting
MammoTrac is hosted in a U.S. data center with physical security controls including intrusion detection, fire suppression, redundant power (UPS and generators), and 24/7 environmental monitoring.
Business Associate Agreement
Trac Technologies executes a Business Associate Agreement (BAA) with every covered-entity customer. The BAA defines our responsibilities for safeguarding protected health information (PHI) and the breach-notification process required under HIPAA.
Multi-Factor Authentication
MammoTrac supports multi-factor authentication (MFA) for all user accounts, adding a second verification step beyond the password. MFA can be enforced at the customer or group level to align with your organization's security policy.
Breach Notification
In the event of a security incident affecting protected health information, Trac Technologies notifies the customer promptly and works with you on the response, in line with our obligations under HIPAA's breach-notification rules.
Operational Best Practices
Technical safeguards are only one part of HIPAA compliance. MammoTrac supports the following operational practices to help your organization maintain a strong security posture.
Non-Disclosure Policies
All personnel with access to patient data should be bound by organizational non-disclosure and confidentiality agreements.
Password Security
MammoTrac enforces password complexity requirements and session timeouts. Passwords should never be shared or written down. User accounts are deactivated immediately upon termination of employment.
Workstation Awareness
Users should employ privacy screens where appropriate, lock workstations when unattended, and follow organizational policies for handling printed documents containing PHI.
Shared Responsibility
HIPAA compliance is a shared responsibility between Trac Technologies and our customers. We provide the secure platform and technical safeguards. Your organization is responsible for:
- Ensuring only authorized personnel have access to the system
- Providing written authorization for new user accounts
- Promptly notifying us when user access should be revoked
- Training staff on HIPAA policies and the proper handling of PHI
Have Questions About Our Security Practices?
We're happy to discuss our security and compliance practices in detail.