Is Huntress HIPAA Compliant?

The Huntress product and service do not access any health information. The Huntress agent surveys system and file metadata, so any PII we collect would be incidental. We take proper safeguards to secure all internal data. Because our services do not involve the use or disclosure of protected health information, there is no need for Huntress to provide our partners with a BAA for HIPAA compliance.

For information on what information is collected, please view the Support Article here: What data does Huntress collect?

You can view our privacy policy here: Privacy Policy

Please see below for more details.

The Compliancy Group (https://compliancy-group.com/), an industry leader in HIPAA compliance, classifies Huntress as a tool. Therefore a BAA does not apply to Huntress or its services.

Per HHS: “A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.”

Huntress collects details about persistent (auto-starting) applications and files. We call these “autoruns.” The data collected includes:
  • file path
  • the user account the autorun starts under
  • file metadata (size, timestamp, hashes)

Huntress also collects auto-starting files it has not seen before. These files are used to help determine whether an autorun is legitimate.

We do not intentionally collect data files, but occasionally an end user will place a data file such as a Word document or Excel spreadsheet into an auto-start location, and such a file will inevitably be collected.

All of the data collected is detailed in our privacy policy.

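The following is an added illustration, not Huntress's agent code, of what a metadata-only autorun inventory looks like in practice and why the "data file in an auto-start location" case deserves a review flag. It builds a constructed auto-start folder in a temporary directory (one script plus a placeholder spreadsheet whose name hints at PHI), records only path, owning account, size, timestamp and SHA-256 for each entry, and marks document-type files for human review rather than treating them as ordinary autoruns. The `DATA_FILE_SUFFIXES` list, the `inventory_autostart` function and the sample owner account are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumed list of document/data extensions. A file of one of these types sitting in
# an auto-start location is the incidental-collection case the article describes,
# so the inventory flags it for review instead of treating it as a normal autorun.
DATA_FILE_SUFFIXES = {".docx", ".doc", ".xlsx", ".xls", ".pdf", ".csv", ".txt"}


def sha256_of(path, chunk=65536):
    """Hash the file in chunks; the hash is metadata, the bytes are never stored."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_autostart(directory, owner):
    """Return one metadata record per file in an auto-start directory.

    `owner` is the account the autorun would start under (assumed, passed in by
    the caller here; a real agent would resolve it from the registry key or folder).
    Only metadata is recorded: no file content is copied into the record.
    """
    records = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        stat = os.stat(path)
        records.append({
            "path": path,
            "user": owner,
            "size": stat.st_size,
            "mtime": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_of(path),
            # Flag documents for review: they may hold incidental PII/PHI.
            "review_as_data_file": os.path.splitext(name)[1].lower() in DATA_FILE_SUFFIXES,
        })
    return records


def demo():
    """Build a constructed auto-start folder and inventory it (sample data only)."""
    folder = tempfile.mkdtemp(prefix="autostart_demo_")
    # A legitimate-looking startup script (constructed sample).
    with open(os.path.join(folder, "updater.bat"), "wb") as handle:
        handle.write(b"@echo off\r\necho constructed sample\r\n")
    # A spreadsheet dropped into the startup folder by mistake (constructed
    # placeholder bytes, not a real workbook).
    with open(os.path.join(folder, "Q3 patient list.xlsx"), "wb") as handle:
        handle.write(b"PK\x03\x04 constructed placeholder, not a real workbook")
    return inventory_autostart(folder, owner="ALICE-PC\\alice")


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running the script prints two records; the spreadsheet carries `review_as_data_file: True` while the batch file does not, and neither record contains any file content, only its hash and size.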
  • According to HHS, a “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
  • “General Provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.”
  • “Situations in Which a Business Associate Contract Is NOT Required: With organizations whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such organizations would be incidental, if at all.”

If you have any other questions, or if you feel some information may be inaccurate, feel free to contact support at support@huntress.io or by clicking here: Contact Us