In today's digital world, it is not uncommon for patients and health professionals to send medical records or other sensitive data via email attachments or popular file-sharing platforms such as Dropbox and Google Drive.
However, failure to use secure file sharing platforms can expose protected health information (PHI) and violate HIPAA (Health Insurance Portability and Accountability Act) regulations. The consequence of doing so is a stiff fine by The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and irreversible reputational damage.
Below, we delve into some frequently asked questions with regard to secure file sharing for HIPAA compliance.
In computing, secure file sharing is the secure transmission of data between two or more parties.
The process begins with encrypting a file before sending it over a network. This is achieved using an encryption algorithm. Next, the file may be shared on a local network or via a regular Internet connection. Secure file sharing may also be done through a VPN-secured private network connection.
It also typically involves using a secure file transfer protocol (SFTP) or secure socket layer (SSL, now superseded by TLS) to protect the confidentiality and integrity of the data being transmitted.
Many file-sharing services or software enable secure file sharing by restricting access to the file, only granting authorized personnel rights to access, view and download it.
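The "encrypt a file before sending it" step described above is worth seeing concretely. The following Go program is an added example, not code from the original article or from Central Data Storage: it seals a record with AES-256-GCM (authenticated encryption from the Go standard library), so the recipient both recovers the content (confidentiality) and detects any modification in transit (integrity). The record text, the metadata label bound to it as associated data, and the randomly generated key are constructed for the example; distributing that key to the authorized recipient is a separate problem the program does not address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh 32-byte key for AES-256. In a real deployment the
// key comes from a key-management system, not from the sending program.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptRecord seals plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. The tag authenticates both the ciphertext and
// aad (associated data such as a file label), so the recipient can detect
// tampering with either; aad itself is sent in the clear.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing a nonce under the same key
	// breaks GCM's guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord reverses encryptRecord. It returns an error if the key or
// aad is wrong, or if any byte of the blob was altered in transit.
func decryptRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// roundTrip encrypts a constructed record, decrypts it, then flips one byte
// of the sealed blob and checks that decryption is refused. It returns the
// recovered text and whether the tampering was detected.
func roundTrip() (string, bool, error) {
	key, err := newKey()
	if err != nil {
		return "", false, err
	}
	record := []byte("constructed sample record: visit summary, no real PHI")
	label := []byte("record-label:placeholder-0001") // constructed associated data
	blob, err := encryptRecord(key, record, label)
	if err != nil {
		return "", false, err
	}
	recovered, err := decryptRecord(key, blob, label)
	if err != nil {
		return "", false, err
	}
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering in transit
	_, tamperErr := decryptRecord(key, blob, label)
	return string(recovered), tamperErr != nil, nil
}

func main() {
	text, detected, err := roundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered: %q\ntamper detected: %v\n", text, detected)
}
```

Binding a label to the ciphertext as associated data means a blob cannot be silently swapped under a different file name, and the integrity check is what distinguishes this from plain encryption, where a flipped byte would decrypt to corrupted content without any error.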
However, not all file-sharing services are HIPAA compliant by default, even though they may use all the methods above to secure files. Crucially, any file sharing service you work with must sign a Business Associate Agreement with the medical service provider to ensure that they are HIPAA compliant. Unfortunately, most popular file-sharing services do not meet these criteria.
The main difference between secure and unsecured file sharing is that secure file sharing employs measures to protect the confidentiality and integrity of shared data, while unsecured file-sharing does not.
In addition, secure file sharing typically occurs over a secure network connection, while unsecured file sharing occurs over a regular Internet connection.
Secure file sharing also restricts access to authorized personnel only, whereas anyone with the right URL or link can download an unsecured file. Lastly, secure file sharing services must sign a Business Associate Agreement with HIPAA-covered entities to ensure compliance, which many popular services will not do.
Unsecured file sharing is a risky and costly business.
In 2021, Lifetime Healthcare, Inc. (Excellus Health Plan) agreed to pay $5.1 million to the Office for Civil Rights (OCR) for potential violations of the HIPAA Privacy and Security Rules that included unsecured file sharing. In all, the OCR imposed a total of $5,980,000 in HIPAA fines in 2021.
(Image source: Compliancy-Group.com)
The Privacy Rule states that "covered entities must use reasonable and appropriate safeguards to secure any electronic protected health information they create, receive or store." This includes the storage of data on a third-party server.
It also states that portable media containing electronic protected health information (ePHI), such as CDs, DVDs and flash drives, should be encrypted. Encryption is also required for non-portable devices such as hard disks and servers storing HIPAA data. In addition, these devices must have password protection enabled by default, and users should be able to access only those files required for their work.
The Security Rule mandates that covered entities implement administrative, physical and technical safeguards when creating, receiving and storing ePHI. These safeguards run the gamut from secure firewalls to the safe disposal of electronic devices.
The Security Rule also requires that all contractors, vendors and service providers (including cloud companies) who create, receive, or store ePHI on behalf of a covered entity must have security policies in place to protect the data they handle.
Evidently, HIPAA creates a high bar that is challenging to meet. The best way to share files securely and comply with HIPAA is to use an encrypted secure file sharing service. Encrypted secure file sharing services allow users to upload and share confidential patient information in a private environment. Access is strictly controlled and the service must include encryption.
Secure file sharing services that meet HIPAA compliance standards are few and far between, but they are worth the time spent researching, as these providers will ensure your files are secure when you share them with patients or other providers.
At Central Data Storage, our encrypted file sharing service is designed from the ground up to be HIPAA compliant. It runs on the cloud, meaning your files are accessible anywhere. You can also communicate internally and externally worry-free, a feature that is missing from most secure cloud storage solutions. Other features include:
To get started with HIPAA-compliant secure file sharing, we recommend downloading our HIPAA Encrypted File Sharing Checklist.