January 11, 2017

    9 HIPAA-Compliant Managed File Transfer Features for Securing ePHI

    Every day, your healthcare facility deals with sensitive patient information. As employees manage files and share medical data, it is absolutely imperative to ensure the utmost in privacy and security. If you’re not able to keep patient health information safe, you’re at risk of facing serious penalties for HIPAA noncompliance.

    Advancements in technology and FTP software have made the sharing and storing of patient health information easier than ever before, but you must implement a solution that follows strict compliance regulations and makes security a top priority. With secure FTP, medical facilities can make sure that the technical safeguards required by HIPAA are met and protect themselves against paying thousands or millions of dollars in penalty fees.

    In order to maintain compliance with HIPAA, you must focus not only on network security, but also on the physical storage of your data. All file-sharing activities must be validated, and only people who expressly need access to a patient’s data to do their jobs should be granted that access. It is essential to remain vigilant about file transfers, using both at-rest and in-transit encryption to protect data security from all angles.

    Therefore, the following HIPAA-compliant FTP software features should be integral aspects of any solution your healthcare organization employs. Be sure to download Sharetru’s HIPAA Readiness Statement to get a full breakdown of these features in action.

    HIPAA-Compliant FTP Software: Defining 9 Important Features

    The 1996 Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 14, 2001. This regulation pertains to all healthcare providers and their contractors transmitting protected health information digitally. The rule outlines how they should manage the use and disclosure of individually identifiable protected health information.

    This article highlights the required technical measures for HIPAA compliance and what questions to pose to ensure they align with security and compliance standards:

    1. Access Control: Unique User Identification

    This refers to assigning a unique identifier (either name or number) to track user activity.

    Question: Is it possible to assign each user a separate login account?

    2. Access Control: Emergency Access Procedure

    This involves creating and implementing processes for accessing critical digital protected health information during emergencies.

    Question: Does a disaster recovery system back up the data at a different geographical location?

    3. Access Control: Automatic Logoff

    This refers to implementing digital processes that end an inactive online session after a certain period.

    Question: Are inactive connections automatically logged off after a specified period of inactivity?

    4. Access Control: Encryption & Decryption

    This policy requires a system for encrypting and decrypting digital protected health information.

    Question: Is there a provision for data encryption at rest?

    5. Audit Controls

    This involves using hardware, software, or procedural mechanisms to monitor and inspect activities in systems handling or using digital protected health information.

    Question: Are comprehensive activity logs maintained indefinitely and are they exportable for offline storage?

    6. Integrity Policies

    This necessitates protocols to shield digital protected health information from undue alteration or destruction.

    Question: Does the SFTP protocol include checksum verification for automatic data integrity checks?

    7. Person or Entity Authentication

    This demands procedures that confirm the entity or person trying to access digital protected health information.

    Question: Are users verified via a password or SSH key? Can every user be compelled to connect from a specific IP address as a two-factor authentication measure?

    8. Transmission Security: Integrity Controls

    This directive requires security measures to prevent unauthorized alteration of transmitted digital protected health information.

    Question: Is transmission safeguarded with SSL or SSH encryption, based on the protocol?

    9. Transmission Security: Encryption

    This rule mandates encrypting digital protected health information where suitable.

    Question: Can the usage of encrypted transmission be enforced?
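
    As an added example (not part of the original post and not Sharetru's own configuration), the following OpenSSH sshd_config excerpt shows how a self-hosted SFTP server can be set up to answer questions 1, 3, 5, 7, 8 and 9 above. The directory /srv/sftp, the group "ephi", the users "alice" and "bob" and the 192.0.2.0/24 address range are assumptions for illustration.

    ```text
    # Added example sshd_config for a dedicated SFTP host (assumed paths/names).
    # Numbers refer to the nine HIPAA features listed above.

    # 8/9. Transmission security: only modern SSH ciphers, MACs and key exchange,
    #      so every transfer is encrypted and integrity-protected.
    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

    # 7. Person or entity authentication: SSH keys only, no passwords, no root.
    PubkeyAuthentication yes
    PasswordAuthentication no
    PermitEmptyPasswords no
    PermitRootLogin no

    # 7. Source-address restriction: each listed account may connect only from
    #    its own address pattern (assumed values); anyone not listed is refused.
    AllowUsers alice@192.0.2.* bob@198.51.100.7

    # 3. Automatic logoff: a session that stops answering keepalives is dropped
    #    after 5 x 60 s = 5 minutes.
    ClientAliveInterval 60
    ClientAliveCountMax 5

    # 5. Audit controls: VERBOSE records the key fingerprint used at login;
    #    internal-sftp with -l INFO records every open/close/rename/remove.
    LogLevel VERBOSE
    Subsystem sftp internal-sftp -l INFO -f AUTHPRIV

    # 1. Unique user identification: every person has an individual account in
    #    group "ephi" (no shared upload login), confined to SFTP in a per-user
    #    chroot. /srv/sftp/<user> must be root-owned and not group/world writable.
    Match Group ephi
        ChrootDirectory /srv/sftp/%u
        ForceCommand internal-sftp -l INFO -f AUTHPRIV
        AllowTcpForwarding no
        X11Forwarding no
        PermitTunnel no
    ```

    Items 2, 4 and 6 (off-site backup, encryption at rest, checksum verification) are outside sshd's scope and need separate controls such as encrypted volumes and a replicated backup target.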



    FTP Site HIPAA Violations: Understanding the Consequences

    So, what happens if your FTP software does not integrate these features, and your healthcare facility is found to be in violation of HIPAA? Be sure that you fully understand the consequences, as they can significantly impact your organization.

    Under the ARRA, or the American Recovery and Reinvestment Act of 2009, a tiered civil penalty structure was put in place to govern what happens for all HIPAA violations, and the ramifications can be pretty severe depending on the circumstances.

    Consider the facts:

    • Even if you can prove beyond the shadow of a doubt that your organization did not know it was using file transfer services that were in violation of HIPAA, you could still be looking at a minimum penalty of $100 per violation and a maximum of $50,000 per violation with an annual maximum of $1.5 million.
    • If an oversight committee is able to prove that the HIPAA violation resulted due to reasonable cause and not due to willful neglect, the penalty increases to $1,000 per violation at a minimum.
    • Even if you are made aware that your business FTP site is not in HIPAA compliance and you take action to correct the issue immediately, you will still not be able to escape the violations that have already occurred. You could be looking at a minimum of $10,000 per violation with an annual maximum of $250,000 for any and all repeat violations that are discovered.

    Choosing HIPAA-Compliant FTP Software

    While many of the FTP providers out there offer the necessary features to share information with anyone at any time, they do not do much to protect patient privacy in a way that complies with HIPAA regulations.

    You might be tempted to opt for consumer-grade, cloud-based storage providers, which are often ideal for home users or students who want to be able to access files from any computer with an Internet connection. But this type of solution will not enable your healthcare facility to maintain HIPAA compliance. In fact, it could actually put your entire organization in violation.

    To choose an FTP software solution that will safeguard your sensitive medical data and protect your organization, make sure you consult the features and questions outlined above. Sharetru, for example, provides every possible control for you to confidently state that you have a HIPAA-compliant FTP site. For more in-depth insight into how our software fulfills these requirements, download your free copy of the HIPAA Readiness Statement.



    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.
