Security & Compliance
At ACA TRACK, protecting our clients' PHI and PII is our top priority. We achieve this through end-to-end processes that begin with personnel hiring and client implementation and extend through data archival and retention.

Is ACA TRACK GDPR Compliant and ISO Certified?
Yes. ACA TRACK is GDPR (and CCPA) compliant and ISO 27001 certified, and our servers are hosted in Microsoft Azure US-East data centers, which hold SOC 2 attestations.

What is ISO 27001 Certification?
ISO 27001 is the leading international standard for information security management systems. As part of maintaining certification, ACA TRACK undergoes an annual third-party audit that checks compliance with a broad set of security controls, including the identification and protection of information assets and sensitive data through risk assessments and appropriate policies and processes.

How does ACA TRACK ensure data security?
We use the HIPAA-compliant Citrix ShareFile® service for receiving, storing and transmitting client data. Our internal workspaces operate under strictly enforced Data Loss Prevention rules that restrict and quarantine any data transfer suspected of containing PHI or PII.
We apply strict group policies that delete downloaded files older than three days and block external storage and printing devices. Our employees complete periodic, mandatory data security and phishing training. Our proprietary cloud-based ACA-processing application enforces multiple levels of authentication and authorization before raw PII or PHI can be accessed. We enforce secure backups and timely archival in compliance with IRS regulations.

How does ACA TRACK ensure user security?
ACA TRACK has implemented strong authentication and a partitioned user access hierarchy for accessing client data and for manipulating and downloading ACA reports. Our onboarding and offboarding processes, workspace management and secure file transmission processes are all designed so that any unintended or malicious exposure can be contained within minutes of escalation. We maintain a comprehensive SIRT (Security Incident Response Team) process to escalate and mitigate any security event that may arise. ACA TRACK continues to optimize its processes and architecture toward zero-download and zero-trust operation.

How does ACA TRACK ensure application security?
Our in-house Azure application generates and files ACA-compliant reports and stores all PII encrypted with AES (the Rijndael algorithm) in Cipher Block Chaining (CBC) mode. In addition, our in-house source code is periodically scanned for leaked secrets and insecure coding practices using industry-standard scanning tools.

How does ACA TRACK ensure network security?
All ACA TRACK accounts use TLS (commonly still referred to as SSL) with 256-bit encryption for data transfer between the end user and ACA TRACK, for communication with the IRS and state health and tax agencies, and for connections to secure, trusted third-party gateways for mailing and messaging. In addition to Azure's built-in Web Application Firewall, we route traffic through a further layer of secure proxy, and our external penetration tests have reported no vulnerabilities. Our employee workstations are protected by centrally managed CrowdStrike® intrusion detection.

Two-Factor Authentication
Two-Factor Authentication adds an extra layer of protection to our users' accounts. Whenever a user logs in, both the password and a security code from an authenticator app are required.

For more information, visit our Privacy Policy.

ACA TRACK is an Approved Vendor of the IRS for electronic submission.

ACA TRACK's proprietary software is designed to help applicable large employers ("ALEs") meet the requirements of the Affordable Care Act and IRS reporting. ACA TRACK is dedicated solely to employer reporting requirements, and this focus has made us an industry leader in IRS reporting as well as state individual health mandate reporting.