Client Configurable Security Options

By default, our Management Portal has very stringent HITRUST-designated security requirements, but in cases where your organization has more specific security requirements, we can enforce an even higher level of security through client-level security options. These customizable security options allow you to apply your IT team’s specific security requirements to your organization’s user accounts. Organizations that have enhanced regulatory requirements around access security can provide those requirements to our client success team for configuration.

Portal User Access Management (configured for your entire organization)

Below is a list of configurable options that can be set for all of the users in your organization:

  • Minimum password age (in days)
  • Maximum password age (in days)
  • Retained password history (how many passwords are remembered and prevented from re-use)
  • Login inactivity timeout (in days – how many days before an account is disabled due to inactivity)
  • Enabling required Two-Factor Authentication (2FA) for all users


Some of these settings may be enabled initially because of contractual requirements with your organization.

To enable any or all of these security settings, please contact your Client Service Representative.

User Role-Based Settings

Administrators can create and manage your organization’s Portal users, including which users are assigned raw data access. Raw data access allows users to download sensitive patient data. Restricting this access to specifically authorized users allows your organization to maintain HIPAA compliance.

Administrators may also see a list of all users and verify their Two-Factor Authentication (2FA) set-up status. From this table, Administrators may send password reset requests to users, or deactivate or delete users. This is useful if users have left or otherwise changed status within your organization.


HRA Inactivity Time-out

In addition to Portal security features, HRAs may be customized to time out after inactivity. This protects end-users who may be accessing your HRAs from a public computer or shared device.

To enable this feature, navigate to the Customization section for the HRA (accessible via the dashboard) and select the Inactivity Timeout tile. Click Yes to activate the feature and select the length of time (in minutes) of inactivity before the HRA will time out. Click Save and Publish to make your changes live.

For more help with enhancing security within our Management Portal platform, please contact your Client Success Representative.




Patient Consent to Communication of Personal Health Information (PHI) through Standard SMS/Text Message and/or Email

Welcome! Your healthcare provider has partnered with HealthAware to help guide you through your care plan.

Who is HealthAware?
HealthAware provides health support programs (HSPs) delivered via standard SMS/text message and/or email. Your HSP is under the direction of your healthcare provider and is designed to support you in your health journey by providing educational information related to:

  • Your health support program
  • Behavioral prompts/check-ins
  • Assessments/progress reports
  • Appointment reminders
  • Other health related messages or programs pertaining to my health support program

These HealthAware programs are for educational purposes only. They cannot provide, and are not intended as a substitute for, medical care. The programs are automated, and therefore not actively monitored. In the event that medical care is needed, please call your healthcare provider or 911.

Why do I need to accept this patient consent?
HealthAware uses standard SMS/text messages and email messages that are not encrypted to communicate information with you about your HSP. Consequently, there is a risk that an unauthorized third party could view the information being transmitted.

To whom does HealthAware disclose my PHI (Personal Health Information)?
HealthAware only discloses PHI to you and your healthcare provider. HealthAware does not disclose PHI to any other party, such as marketing or sales organizations.

By clicking “accept” on a web page, clicking a link that is clearly labeled as a means of indicating consent, or replying “yes” to my consent prompt via text message, I agree to the following:

I hereby consent and state my preference for HealthAware to communicate with me via SMS/text message and/or email regarding various aspects of my health support program (HSP), which may include my PHI, behavioral prompts/check-ins, assessments and progress reports, appointment reminders, and other health related messages or programs pertaining to my health support program.

I understand that standard SMS/text messaging and email are not confidential methods of communication and may be insecure. I further understand that, because of this, there is a risk that standard SMS/text messaging and email regarding my medical care might be intercepted and read by a third party.

I may revoke this consent in writing except to the extent that HealthAware and/or my healthcare provider has already made disclosures in reliance upon my prior consent. If I do not accept this consent, or if I later revoke it, the commencement, continuation, or quality of my treatment will not be affected, but my enrollment with the HSP delivered by HealthAware will be terminated.