HIPAA Compliance for File Sharing in 2021
Choosing the right file-sharing service is crucial for your healthcare business. Proactive measures have to be taken to ensure that any protected health information that you are transmitting when sharing files remains compliant with the guidelines laid down under the Health Insurance Portability and Accountability Act (HIPAA).
Along with the impact on reputation, healthcare data breaches also have a detrimental impact on the finances of the organization that suffers a breach. The average cost per breached record in 2020 was $499. It takes an average healthcare firm about 236 days to recover from the negative impact of a breach. With 26.4 million records breached in 2020 alone, the overall impact of healthcare data breaches is huge.
The US Department of Health and Human Services (HHS) requires all entities involved in the collection, storage, and transmission of sensitive healthcare data to be compliant with the HIPAA regulations. HIPAA compliance requires adherence to the physical, administrative, and technical safeguards outlined in the law.
Whether you are a covered entity under HIPAA or a business associate that deals with protected health information (PHI), data protection measures need to be taken proactively, whether the data is at rest or in transit. With the threat to healthcare data ever-increasing, the transfer of medical files and sharing of healthcare data needs to be compliant with HIPAA at all times. Here’s how you can ensure HIPAA compliance for file sharing in 2021 and beyond.
What is HIPAA compliant file sharing?
HIPAA compliant file sharing allows only authorized users to be able to share files, send messages, and access health data. All data needs to be encrypted with industry-grade security both while at rest and when in transit.
People within the healthcare industry often resort to unsecured means for file sharing such as emails or generic file sharing apps which are not HIPAA compliant. The encryption standards are not met in the case of emails and the chances of protected health information being exposed when shared through unsecured channels such as emails are very high.
Commercial file sharing applications, both free as well as enterprise solutions offer basic encryption to stay compliant with HIPAA. The data that gets uploaded to the HIPAA cloud servers is in its encrypted form. However, once the employees download or share it, the encryption seldom applies. Thus, staff training is also a big aspect of ensuring HIPAA compliant file sharing.
When it comes to consumer file-sharing applications out in the market, it is essential to carefully scrutinize each one of them and determine their level of compliance with the HIPAA security rule. In addition to the files being encrypted when stored or in transit, there are further security measures that need to be in place for ensuring that the file-sharing remains HIPAA compliant. These include,
- The signing of business associate agreements (BAAs)
- Administrative controls
- Multi-factor authentication
- Access monitoring and controls
- Audit trails and account activity tracking
- TLS and SSL encryption
- Data transfer and loss protection
How to Ensure HIPAA Compliant File Transfer
For HIPAA compliant file sharing, you need to have the physical, administrative, and technical safeguards in place. Here is how you can ensure the same.
1. Physical safeguards
Setting up physical safeguards includes limiting access to your physical files and considering how your technology is physically accessed. This means increasing the protections for your servers, your employee workspaces, computers, laptops, and mobile devices. Physical safeguards include device security and workstation access.
- Limit the number of people who have access to protected healthcare information and file sharing.
- Set up procedures and protocols for accessing the workstations and electronic devices such as mobile phones and computers for sharing of files.
- Plan for wiping out data from devices before decommissioning them.
- Limiting the physical access of workstations and devices only to individuals with proper authorization and training to do so. This includes access for data validation purposes, maintenance of records, and implementation of control procedures.
2. Administrative safeguards
Administrative safeguards are the actions, policies, and procedures related to the management and maintenance of ePHI protection. This includes the administrative efforts, including training and process establishment, used to protect data during file sharing.
- Conduct security training and awareness exercises for staff to identify phishing attempts and minimize exposure.
- Impart strong security knowledge to the staff and train them for following best practices when sharing files with the designated authorities.
- Have a security management plan that outlines the conduction of risk assessment
- Prior documentation that proactively identifies the possibilities of potential incidents when the data is in transit and the course of action to be followed in case an incident does occur.
- Setting up of data access management that allows only the authorized individuals to view and share the files within the database. The access control blocks everyone else when they try to access the files.
3. Technical safeguards
Technical safeguards are the steps that are taken to protect ePHI, important also when developing a healthcare application. This includes measures taken for storage, sharing, accessing, and using sensitive healthcare files. Security measures like having access controls available to your administrators, user authentication, and data encryption fall under technical safeguards.
- Undertake file encryption to ensure that only authorized individuals with access to decryption keys can access the sensitive data files. Encryption ensures that in the event of a breach, while the hacker may be able to gain access to the files, the data encoded within them, will still be protected.
- Determine access controls on an individual as well as organization level. This includes the creation of unique user ids and the setting up of multi-factor authentication to access the files and share them.
- Setting up audit controls as per National Institute of Standards and Technology (NIST) standards involves logging and analysis of all the actions that take place within the IT systems.
- Ensure data integrity by having policies and procedures for safeguarding data integrity both at rest and in motion and ensuring that data isn’t altered or destroyed.
HIPAA compliant file sharing requires strategic planning, setting up of policies and procedures, and their implementation for the data being shared to remain secure and safe from malicious sources. There also needs to be rigorous training to ensure that employee oversight and fallacy don’t end up putting sensitive healthcare data at risk.
File sharing is just one aspect of healthcare data management. HIPAA compliance needs to be at the heart of the entire organizational infrastructure and business associates for the healthcare data to be safely stored as well as shared.
Secure that cell phone
Countless cell phones and mobile devices are in use by healthcare professionals. They are an essential resource in medicine, but also one of the biggest security challenges. Cell phones are easy to lose and easy to steal. Ensuring mobile devices are encrypted and have adequate security, such as a PIN and fingerprint locks is mandatory.Remote wipe capabilities are also highly recommended. The feature is required for tracking cell devices and it is relatively straightforward to implement. Mobile phone operating systems support a host of different security options, including VPN and remote wipe. Essentially the cell devices are managed in-house. When a cell is reported stolen, the IMEI is traced using specialist software, and an engineer can then choose to trace the phone or simply wipe all data on the phone.To conclude, using your device to access ePHI and process sensitive data is an essential part of the life of a healthcare worker. Mobile technology and digital devices have helped to revolutionize medicine. The way healthcare is being practiced is also changing. Healthcare professionals have had to adapt since the COVID-19 pandemic, resulting in user devices becoming an absolutely fundamental tool to offer healthcare services to those in need.However, it is important to recognize that digital devices are the weak link in security if not managed correctly. Just a quick glance at the OCR Hall of Shame will provide evidence that medical devices are lost and stolen quite often. Therefore, to maintain HIPAA compliance it is necessary to make sure the endpoint devices are secured to the required and recommended safeguards enforced by the HHS.
Linux, Cloud, and Lead IT Consultant with 20 years of experience.
Graduate of the University of Bradford, England.
Enthusiastic about Technology, Automation, and Infrastructure as Code.
Passionate writer, keen to understand and disseminate as much technical knowledge as possible