Vendor Access Levels


MerusCase offers different options to regulate a third-party application vendor’s ability to access or modify your firm’s data, per HIPAA requirements. Below, you can review what different types of access mean for your firm’s security and privacy.

Note that you can regulate third-party vendors’ access to your firm’s data at any time. To do so, simply navigate to Tools & Settings > 3rd Party Apps, click on the app you wish to enable, and make desired changes from there per the options outlined below.

Granting Access

None

Perhaps this seems like a given, but it’s worth noting that no vendor has any access to your firm’s data by default. You can verify this by clicking on any given vendor and checking the right-panel view that opens: either there is some mention of the account being “Active”, or you merely see two buttons to grant different types of access.

To remove a vendor’s ability to access your firm’s data in any way, follow the instructions below, under Revoking Access.

Vendor Service Account Access (‘Activate Vendor User Account’)

Vendor service accounts are used to give vendors limited access to your firm so that they are able to efficiently provide the in-app service you want from them. This includes being able to do things such as view your Contacts, Calendar, Tasks, and Case tabs (Case Details, Parties, and case-type-specific tabs). They are by and large prohibited from doing things such as adding/editing/deleting information just about anywhere, copying info via right-click > Copy, viewing billing items, running reports, or performing administrative tasks. For more detailed specifics, inquire with the particular vendor about exactly how they use their accounts and why.

To enable vendor service accounts, click Activate Vendor User Account, and you will see their row pop up right below. That’s all there is to it.

API Access (‘Allow this App to Impersonate Me’)

The API (Application Programming Interface) is a very powerful, freely available tool that allows developers with programming knowledge to interact with the MerusCase app in precise, entirely customizable ways. This can be useful for everything from en masse editing of events to building entirely customized reports and so much more. Many of our partners make use of it, and it’s freely available to you as well! If you are a firm seeking something in that custom vein, consult with your IT team or an outside expert on what a developer can do for your firm’s needs using the MerusCase API.

That said, API access is essentially unrestricted, Administrator-level access to all of your firm’s data and allows a vendor to take certain actions (e.g. uploading documents) with user initials on them, so be certain you have confidence in whomever you are working with. Rest assured all of our partners have a sterling track record of safely and responsibly handling data with the many firms they work with both via MerusCase and otherwise.

In short, consult the vendor on how API access could improve their service over the more restrictive vendor service account, and collectively come to a decision. Then, if granting API access is indeed the best option for your firm, click Allow this App to Impersonate Me, enter your account credentials (don’t worry, the vendor will not receive these), read the disclaimer and tick the box, then click Yep to finalize the process.

Revoking Access

Revoking vendor access is very straightforward. If you have previously granted access and now see a differently-colored button that says Vendor Account Active, click on the control column (displayed as an ellipsis) to the left of a row, then click Revoke to remove the vendor user account’s access to your firm. Repeat this for all rows to fully revoke access by the vendor in question.