September 16, 2023

    HIPAA Compliant File Sharing

    In late summer 1996, the President of the United States signed into law the Health Insurance Portability and Accountability Act. This law today is better known by its acronym — HIPAA. HIPAA is designed to protect the private and personal information of healthcare patients, including “diagnosis, treatment information, medical test results, and prescription information.”

    While HIPAA is no doubt an essential law for protecting patients and their health-related information, it does create a burden for companies and other organizations that store and transfer files that contain HIPAA-protected information. See below for more information on HIPAA-compliant online file sharing.

    What is HIPAA-Compliant File Sharing?

    The sharing of health-related files and information is unavoidable. For example, imagine a primary care physician must share a patient's files with a specialist or another healthcare provider. How can this primary care physician complete a HIPAA file transfer in a secure and compliant manner? For that matter, how can any healthcare provider complete a HIPAA-secure file transfer and simply store health-related files in a compliant way?

    While the details of building and maintaining a HIPAA-compliant file storage and sharing system are complicated, HIPAA-compliant file-sharing falls into 3 primary categories.

    1. Physical Security

    While most people tend to think of cybersecurity from a technical perspective, the physical perspective is just as important. This is especially true in HIPAA compliance. Physical security means controlling and limiting access to your physical servers where HIPAA-sensitive information may be stored. It also means protecting access to computers, mobile devices, workspaces, and other physical locations that allow for access to HIPAA-protected information.

    2. Technical Security

    As noted above, most people immediately think of the technical safeguards that are required for HIPAA compliance. These technical safeguards include access controls for administrators, user authentications, data encryption and more. In short, addressing the ways that sensitive healthcare information is stored, shared, accessed and used is vital for HIPAA-compliance.

    3. Administrative Security

    Finally, HIPAA compliance demands administrative safeguards. Administrative safeguards include the policies, procedures and actions put into place to manage and maintain HIPAA-protected information. As you'll see below, some file storage and sharing systems may require team members to know and understand how to handle HIPAA-protected information. In these cases, the training of team members would be considered an administrative safeguard for HIPAA compliance.

    How Does HIPAA Differ From Similar Regulations?

    HIPAA is sometimes associated with (and confused with) similar regulations designed to protect the sensitive personal information of clients and files. Here's a look at how HIPAA differs and, in some cases, works alongside these other regulations.

    HIPAA vs. SOX

    SOX is the Sarbanes-Oxley Act, which was signed into law in 2002. The law was drafted and passed in the aftermath of the Enron scandal to ensure that “shareholders and citizens were protected from accounting errors or fraudulent practices occurring in enterprises.” Where SOX addresses information made available by publicly traded companies, HIPAA addresses the protection of individual health-related information.

    HIPAA vs. GLBA

    GLBA is the Gramm-Leach-Bliley Act, which was signed into law in 1999. It addresses how “financial institutions interact with their customers” and protects “customer data from being accessed by unauthorized parties.” Where GLBA protects customer data stored and used by banks and other financial institutions, HIPAA protects individuals’ health information.


    HIPAA and HITRUST CSF (which stands for Health Information Trust Alliance Common Security Framework) are sometimes confused, but they are two separate and distinct concepts. As you know, HIPAA safeguards and protects health-related information. HITRUST CSF is a framework that can be used to demonstrate that an organization is HIPAA compliant (or compliant with other regulations).

    In fact, HITRUST CSF has been mapped against 40-plus regulations and standards, including the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). HITRUST CSF is one of the most popular and common security frameworks used to demonstrate compliance with many different regulations. HIPAA just happens to be one of the regulations that HITRUST CSF can be used to demonstrate compliance.

    HIPAA vs. PCI

    Payment Card Industry compliance, also known as PCI, creates standards for payment account data security. The mission of the PCI Security Standards Council is to “drive education, awareness, and effective implementation by shareholders.”

    As with all the regulations listed above, PCI is meant to protect everyday citizens. PCI protects against breaches during transactions made using payment cards. SOX protects against misinformation shared by publicly traded companies. GLBA protects the data of customers of banks and other financial institutions. And HIPAA protects the health-related files and information of patients.

    Some organizations may find that they need to comply with two or more of these regulations. During implementation of proper safeguards, you may find that there’s significant overlap in the protections required for compliance. For example, something required by PCI may also be required by GLBA. And something required by HIPAA may also be required by GLBA.

    Where to Find HIPAA Compliant Online File Sharing

    Knowing that you need HIPAA-compliant online file sharing is one thing. Knowing where to find it is another. Most organizations searching for a HIPAA-compliant solution start by exploring common file storage and sharing applications. Here’s a look at those applications and their suitability for HIPAA-sensitive information, plus information on your best option for HIPAA-secure file sharing.

    Is Google Drive HIPAA Compliant?

    Google Drive is a tool used by millions of people around the world — both individuals using the platform for personal use as well as businesses using it for work related file management. While Google Drive can be configured for HIPAA compliance, compliance with regulations is not one of the platform’s primary objectives.

    We recently wrote about file share best practices, including information on why share links are often vulnerable. Any organization that is pursuing HIPAA compliance will have to take extra steps to ensure that Google Drive is fully secure, that share links don’t introduce vulnerabilities, and that team members are fully trained on HIPAA and secure file sharing best practices.

    Is Dropbox HIPAA Compliant?

    Similar to Google Drive, Dropbox can be HIPAA compliant if configured correctly and if all team members are using it in a HIPAA compliant way.

    Any organization wanting to use Dropbox for HIPAA-sensitive data would need to invest a lot of time, effort, research, and money into training all team members on the ins and outs of HIPAA-compliant file sharing. That level of training is rarely feasible, and it’s unnecessary given that there are options that are better and easier to implement.

    Your Best Option: HIPAA-Compliant FTP

    The right FTP provider can deliver the HIPAA-compliant file storage and sharing solution that companies need. The best FTP providers build HIPAA-mandated protections into their products so that users don’t need to undergoing lengthy configuration processes or rely on employees to maintain compliance. Compliance is a primary objective, and everything from the onboarding experience to day-to-day usage of the FTP platforms is designed with it in mind.

    Sharetru is Your HIPAA-Compliant Solution

    Sharetru offers a HIPAA-compliant FTP file-sharing solution that helps you sidestep common HIPAA compliance issues. You get immediate access to the physical, technical and administrative safeguards that your organization requires, and you can get started with no upfront investment and a low monthly fee. A HIPAA FTP solution like ours ensures that you never have to worry about HIPAA secure file sharing ever again. If you’re a current Sharetru client or a first-time reader, examples of HIPAA-compliant configuration and features include:

    Get in touch with the Sharetru team for a demo of our HIPAA-compliant file sharing solution.

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts