ConnectWise Automate HIPAA Rules for Partners Identified as Business Associates

  1. ConnectWise Automate does not create, receive, maintain or transmit Protected Health Information (PHI) as part of its service offering.
  2. ConnectWise Automate does not perform remote monitoring or management services on ConnectWise Automate Partners’ end-user systems.
  3. ConnectWise Automate Partners that meet the definition of Business Associate (BA), per HIPAA Privacy Rules, are identified as such in ConnectWise Automate’s records.
  4. ConnectWise Automate Support no longer holds remote desktop program (RDP) credentials for BA Partners providing services to “Covered Entities”, as defined by HIPAA.
  5. ConnectWise Automate Support staff is not authorized to gain remote access to the systems or endpoints belonging to BA Partners’ Clients.
  6. If access to a BA Partner’s system is required for support, ConnectWise Automate Support staff will only provide technical assistance to BA Partners through “Attended Access”. Attended Access requires that the BA Partner authorize the ConnectWise Automate Support Engineer (or support staff) to connect to the BA Partner’s ConnectWise Automate server by clicking an “allow access” button on the host system before the ConnectWise Automate Support Engineer may access it. Additionally:
    1. The BA Partner must remain online and witness all actions performed by ConnectWise Automate Support staff.
    2. If a BA Partner requires that ConnectWise Automate Support staff be present to view or resolve a client’s problem, the BA Partner will maintain control of the session at all times and ConnectWise Automate Support staff will only provide verbal instructions.
  7. If for any reason PHI is disclosed, the ConnectWise Automate Compliance Office will record the nature of the disclosure and notify the Partner’s Compliance Contact that a disclosure has occurred.
    1. If PHI is submitted in a ticket to ConnectWise Automate, the ticket will be deleted upon discovery.
    2. Additionally, all PHI will be purged from ConnectWise Automate’s internal backups.
  8. ConnectWise Automate requests that BA Partners comply with the following:
    1. ConnectWise Automate Partners identified as BA must disable all ConnectWise Automate RDP accounts.
    2. BA Partners should not store, create, receive or transmit PHI on their ConnectWise Automate RMM server.
    3. BA Partners should not display PHI on their screens during support sessions with ConnectWise Automate Support staff.
    4. BA Partners should not send screenshots that include PHI to ConnectWise Automate Support staff.
    5. BA Partners must supply the ConnectWise Automate Compliance Office with the name, title, email address and phone number for their Compliance Contact. This information must be kept up-to-date in case a disclosure or security incident needs to be reported.
  9. ConnectWise Automate BA Partners are urged to adhere to ConnectWise Automate’s internal policy for HIPAA Compliance. Repeated disclosure of PHI by a BA Partner to ConnectWise Automate may result in limited support.