Everything You Need to Know about HIPAA Compliant File Sharing

Being HIPAA compliant when sharing files is mandatory for those in the medical industry. But sometimes it’s hard to know if you’re in compliance or missing the mark. To truly keep your  ePHI (electronic Protected Health Information) safe, you need an intuitive file sharing solution with all the built-in safeguards necessary to maintain an impenetrable environment.

Before you can start examining which HIPAA compliant file sharing solution is ideal for your business to adopt, you need to understand a little bit more about safeguards. These are the protections your business needs to have in place to maintain HIPAA compliance, and there are two types:

• Required Safeguards – These are the mandatory safeguards you need in a file sharing solution. If your solution doesn’t have them, you could be out of compliance with HIPAA standards and subject to fines.
• Addressable Safeguards – These safeguards only slightly more flexible. According to the Department of Health and Human Services (HHS), a covered entity must implement an addressable implementation specification if it is “reasonable and appropriate to do so”. It would not be wise to forego these safeguards altogether. (Fortunately, a top secure FTP solution makes them easy to align with, since many of the safety measures are built into the solution.)

Now that the types of safeguards outlined in HIPAA compliance mandates are clear, let’s explore the different categories of safeguards your HIPAA compliant file sharing process needs. These safeguards will help you determine if you are compliant.

How to Determine if Your File Sharing is HIPAA Compliant

Technical Safeguards

Technical safeguards pertain to the technology used to access and protect patient health records. To be HIPAA compliant with these technical safeguards, your file sharing process needs to include the following features.

• Access Controls
• Unique User ID (required) - Unique login accounts exist for all users.
• Emergency Access Procedure (required) - Data is backed up in a disaster recovery system.
• Automatic Logoff (addressable) - Idle connections are logged off after a number of inactive minutes.
• Encryption/Decryption (addressable) - ePHI is protected by encryption and decryption mechanisms. This refers to file encryption or at-rest encryption.
• Audit Controls - Mechanisms are in place to record and examine system functions and ePHI access.
• Integrity - ePHI is protected from improper alteration or destruction.
• Person or Entity Authentication - Verification procedures are in place to determine users are who they claim to be.
• Transmission Security
• Integrity Controls (addressable) - Transmitted ePHI is protected from tampering.
• Encryption (addressable) - ePHI in transit is protected with encryption measures, ideally by SSL or SSH encryption.

Physical Safeguards

Not only does your file sharing solution itself need to offer HIPAA compliant technical safeguards; each device on which you store your ePHI must also safeguards. Physical safeguards outline some standards for the physical location where your data is stored.

• Workstation Use (required) - Restrict the use of workstations with ePHI access. Ensure screens cannot be seen from unrestricted areas, and govern how workstation functions are to performed.
• Mobile Device Use (required) - Standards are in place for how ePHI is deleted from mobile devices before they are reused.
• Facility Access Controls (addressable) - Record all people who have physical access to ePHI storage locations and take measures to prevent unauthorized physical access, tampering and theft
• Hardware Inventory (addressable) - All hardware and it’s movements should be listed in an inventory, and ePHI should be copied before equipment is moved.

Administrative Safeguards

Finally, to maintain HIPAA compliance, your file sharing process needs to align with a number of administrative safeguards to ensure the integrity of your workforce.

• Risk Assessments (required) - Potential breach vulnerabilities are identified.
• Risk Management Policy (required) - Risk assessments are regularly repeated, and a sanctions policy should be established for employees who fail to comply with HIPAA regulations.
• Contingency Plan (required) - The integrity of ePHI and the continuation of business processes are protected when operating in emergency mode.
• Third-Party Access Restriction (Required) - ePHI is not accessible by unauthorized parent organizations and subcontractors. Business partners who do have ePHI access sign Business Associate Agreements (BAA).
• Employee Security Training (addressable) - ePHI security training session are regularly conducted and documented.
• Contingency Plan Testing (addressable) - In the event of an emergency, backups of ePHI and lost data are restorable. The relative criticality of specific applications are assessed.
• Security Incidents Reporting (addressable) - Employees are aware of how and when to report an incident so breaches are addressed and prevented quickly.

HIPAA Compliant File Sharing Providers

A HIPAA compliant file sharing solution is your most valuable tool in keeping ePHI safe. That’s why it’s imperative that you find a HIPAA compliant file sharing solution that makes compliance possible.

While the price and basic functionality of popular public cloud file sharing solution might be appealing, these could open your business up to HIPAA violations. With the built-in safeguards and expert-level security of top FTP solutions, you’ll rest easy knowing your ePHI is safe. Let’s take a closer look at three FTP solutions that include HIPAA safeguards.

Sharetru

Sharetru supports you in your efforts to meet both the required and addressable safeguards outlined by HIPAA. All of the technical safeguards are built-in, and the physical safeguard requirements, as well as infrastructure security and administration requirements, are all met by Sharetru’s SSAE 16-audited data center. Sharetru also offers an unparalleled level of granular access controls, making it easy for administrators to protect sensitive data.

Box

Box is another file sharing solution with a focus on HIPAA compliance. They make it easy to share large files and integrate their solution into your other work applications. With features like two-step authentication and multi-layer encryption, you can easily and securely share files.

While Box does have a number of HIPAA compliant safeguards in place, their access controls are an area where they fall short. Their access permissions, though acceptable in some areas, are not as robust or granular as those offered by Sharetru.

ShareFile

Another file sharing solution that has HIPAA compliant features. Although it has all the major functionalities of the other two HIPAA compliant file sharing solutions, it falls short in other ways. Like Box, ShareFile can’t compete with Sharetru when it comes to access controls.

Sharetru is the leading contender when it comes to supporting your HIPAA compliance efforts. With this file sharing solution, you can be sure that your ePHI remains secure and your business avoids the fallout of noncompliance.