September 15, 2016

    FTP Site Breach: Impact on HIPAA Compliance?

    In order to maintain compliance with HIPAA, any business dealing with private health information or other electronic healthcare data will need to keep a few key things in mind. You will need to focus on not only network security but the physical storage of your data at the same time.

    All file-sharing activities must be validated and only people who expressly need access to a patient’s data to do their jobs should have access. You will need to remain vigilant about file transfers, using both at-rest and in-transit encryption to protect data security from all angles.

    If your organization is found to be in violation of HIPAA in terms of your file transfer services, it is important for you to understand what can (and probably will) happen next.

    The Consequences of FTP Site HIPAA Violations

    One of the most important things to understand about using a business FTP site involves what could (and likely will) happen if your business is found in violation of HIPAA. Under the ARRA, or the American Recovery and Reinvestment Act of 2009, a tiered civil penalty structure was put in place to govern what happens for all HIPAA violations. As you might expect, they can be pretty severe depending on the circumstances.

    Even if you can prove beyond the shadow of a doubt that your organization did not know it was using file transfer services that were in violation of HIPAA, you could still be looking at a minimum penalty of $100 per violation and a maximum of $50,000 per violation with an annual maximum of $1.5 million. If an oversight committee is able to prove that the HIPAA violation resulted due to reasonable cause and not due to willful neglect, the penalty increases to $1,000 per violation at a minimum.

    Even if you are made aware that your business FTP site is not in HIPAA compliance and you take action to correct the issue immediately, you will still not be able to get out of any violations that will incur. Under this specific situation, you could be looking at a minimum amount of $10,000 per violation with an annual maximum of $250,000 for any and all repeat violations that are discovered.

    Business FTP Sites and HIPAA Compliant Sites Are Not Created Equal

    One of the most important things to remember about file sharing in the digital age is that not all services are created equal. Many providers will offer you the features necessary to share information with anyone at anytime, but they do little to protect your privacy in a way that allows you to remain current with all HIPAA regulations.

    Cloud-based storage providers like Dropbox, for example, are not examples of file transfer services built with HIPAA regulations in mind. This is not a knock against Dropbox – at no point do they promise that using their service will allow you to maintain compliant with HIPAA. What they do promise – namely ease of use, versatility and functionality – they deliver on (as their millions of unique monthly users can attest to).

    While something like a cloud-based file transfer service may be perfect for home users or students who want to be able to access their coursework from any computer with an Internet connection, they will not allow you to maintain HIPAA compliance and actually could put your entire business in violation by default.


    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts