Atlantic.Net Blog

How to Be HIPAA Compliant When Sharing Confidential Files: 10 Tips for HIPAA-Compliant File Transfer

Kent Roberts
by Atlantic.Net (78posts) under HIPAA Compliant Hosting

While HIPAA law is broad, at its core is the Security Rule, the full name for which is the Security Standards for the Protection of Electronic Protected Health Information. The Security Rule applies the rights that are conveyed by the Privacy Rule – i.e., the Standards for Privacy of Individually Identifiable Health Information – within digital environments. In order to achieve this aim, the Security Rule requires administrative, physical, and technical safeguards. These three categories of defenses are critical to ensuring HIPAA-compliant file transfer. Specific elements of these types of Security Rule protections include these ten key healthcare file transfer considerations:

  1. Security training & awareness
  2. Transmission security
  3. Device protection and workstation use
  4. Security management plan
  5. Audit controls
  6. Security incident procedures
  7. Organization or individual authentication
  8. Facility control and access
  9. Integrity controls
  10. Data access management

1 – Security training & awareness (administrative)

Your staff should know reasonable ways (as with phishing prevention) to guard against the intrusion of malware. They should understand when it is appropriate and inappropriate to access health data. In order to prevent non-compliant password sharing, you want to have strong password policies implemented. An organizational culture that respects compliance is founded on training that ensures your workforce has strong security knowledge.

2 – Transmission security (technical)

One of the primary concerns is to prevent any unauthorized access to electronic protected health information (ePHI), whether it is in transit or at rest. For in-transit data, protections are especially critical because mobile devices are increasingly used to send health data and health information exchanges (HIEs) have become more prevalent.

First, you need protocols, practices, and systems that will allow you to transmit ePHI securely. Second, it is critical to use encryption for all in-transit health data, based on the following considerations:

  • the extent to which you have the personnel necessary to consistently encrypt in-transit data;
  • whether or not your staff has encryption expertise;
  • the practicality and affordability of encryption;
  • whether it is appropriate and reasonable to have encryption in place; and
  • the encryption procedures and algorithms that can be used.

3 – Device protection and workstation use (physical)

In order to comply with HIPAA, you have to put policies and procedures in place that address how your employees can access and use electronic media (most notably computers and mobile devices) and workstations appropriately. There should also be policies and procedures in place that control how media is transferred, decommissioned, thrown out, or reused. All pertinent health data must be wiped prior to any reuse. Confirmation that no one can access or use ePHI is needed (through total destruction or the application of a powerful magnetic field via degaussing) before media/devices can be thrown out.

Key concerns for this aspect of physical security are:

  • the number of individuals who use the workstation; and
  • whether it is in a private or public setting.

4 – Security management plan (administrative)

In order for your staff to properly follow administrative safeguard rules, you will need the policies and procedures of a comprehensive security management approach. A critical aspect of this effort is a risk analysis and management process. Overall, this plan is based on the need to maintain the availability, integrity, and confidentiality of health data.

5 – Audit controls (technical)

The logging and analysis of everything that occurs within ePHI-containing IT systems – via the deployment of procedures, equipment, and software – is the focus of audit controls. Anyone handling health data, whether you are a covered entity or a business associate, will want to decide the intervals at which audits occur, the specific processes used to review the ePHI activity, where audit results are stored, and the policy for personnel who do not follow guidelines. Plus, and perhaps most obviously, communication is key: you need to write down in official documents, and let everyone know about, the methods and processes you will use to conduct audits.

To determine the specific audit controls you need, the National Institute of Standards and Technology (NIST) suggests considering the following:

  • the sites of health data risk at your institution;
  • what elements you will be checking related to health data, such as its production, updating, reading, and/or removal; and
  • the processes, software, and hardware that are higher-risk for disclosure, use, or unauthorized access.
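As an added illustration of the audit-control points above (logging who created, read, updated or deleted a record, and reviewing those entries at each audit interval), the following Python example is mine, not Atlantic.Net's code. It appends ePHI access events to a hash-chained log so that an edited or removed entry is detectable at review time, and runs one simple review check over constructed sample events. Actor names, record ids and timestamps are invented for the demonstration; the business-hours window of 07:00 to 19:00 UTC is an assumed policy value.

```python
import hashlib
import json
from datetime import datetime

# Constant "previous hash" for the first entry in a chain.
GENESIS = "0" * 64


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_event(log: list, actor: str, action: str, record_id: str, ts: str) -> dict:
    """Append one ePHI access event, chaining it to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": ts, "actor": actor, "action": action, "record_id": record_id, "prev": prev}
    body["hash"] = _entry_hash({k: v for k, v in body.items()})
    log.append(body)
    return body


def verify_chain(log: list) -> bool:
    """True only if every entry's hash is intact and each entry points at the one before it."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def after_hours_access(log: list, start_hour: int = 7, end_hour: int = 19) -> list:
    """Review check: READ/UPDATE/DELETE of ePHI outside the assumed business-hours window (UTC)."""
    flagged = []
    for entry in log:
        hour = datetime.fromisoformat(entry["ts"]).hour
        if entry["action"] != "CREATE" and not (start_hour <= hour < end_hour):
            flagged.append((entry["actor"], entry["action"], entry["record_id"]))
    return flagged


def build_sample_log() -> list:
    """Constructed sample events (hypothetical actors, record ids and times)."""
    log = []
    events = [
        ("nurse.a", "CREATE", "rec-100", "2024-03-04T09:12:00+00:00"),
        ("dr.b", "READ", "rec-100", "2024-03-04T10:05:00+00:00"),
        ("dr.b", "UPDATE", "rec-100", "2024-03-04T14:30:00+00:00"),
        ("clerk.c", "READ", "rec-100", "2024-03-04T23:41:00+00:00"),
        ("clerk.c", "DELETE", "rec-101", "2024-03-05T02:15:00+00:00"),
    ]
    for actor, action, record_id, ts in events:
        append_event(log, actor, action, record_id, ts)
    return log


def detect_tampering(log: list) -> dict:
    """Show that the chain check catches an edited entry and a removed middle entry."""
    edited = json.loads(json.dumps(log))       # deep copy via JSON round-trip
    edited[3]["action"] = "CREATE"             # rewrite the after-hours READ
    removed = json.loads(json.dumps(log))
    del removed[3]                             # drop the after-hours READ entirely
    return {
        "edited_entry_detected": not verify_chain(edited),
        "deleted_entry_detected": not verify_chain(removed),
    }


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample))
    print("after-hours events:", after_hours_access(sample))
    print(detect_tampering(sample))
```

One caveat worth documenting in the audit policy: a chain like this cannot detect removal of the most recent entries, because nothing after them points back at them. Storing the latest hash somewhere the log writer cannot modify (a separate system, or a periodic signed digest) at each audit interval closes that gap.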

6 – Security incident procedures (administrative)

In order to comply with HIPAA, you have to know how you will respond to security incidents in advance through documented policies and procedures. A key element is evaluating the spectrum of different incidents that could potentially occur. The procedures should specifically indicate an individual who is the organization-wide point-person to be notified if a security incident occurs (i.e., your HIPAA Security Officer, who may also be your HIPAA Privacy Officer). Everyone who is working at your organization should know exactly what they need to do in various types of difficult scenarios in order to make sure digital health data is safe no matter the situation.

7 – Organization or individual authentication (technical)

You want robust and thorough steps in place to authenticate access to your systems – determining the real identities of all users. The budget should be considered alongside training and the actual procedures and protocols that will be utilized. Authentication is necessary so you can determine whether someone has the correct permissions for ePHI or what the source of transmission is. You can use a number of methods to validate that the individual seeking access is not an impostor.

8 – Facility control and access (physical)

You need to go beyond protecting your workstations and devices to considering the whole building. You need to make sure that you are restricting physical access to people with proper authorization. While all of the stipulations for access – maintenance records, access validation and control procedures, contingency operations, and a facility security plan – are “addressable” rather than “required,” you still must use any of these elements that you find are appropriate based on analysis of your situation.

9 – Integrity controls (technical)

From an administrative perspective, ensuring the integrity of your data (verifying that it is not wrongly destroyed or changed) requires you to establish, via policies and procedures, rules against wrongfully destroying or changing health data. It is important to think about how to safeguard your data’s integrity both when information is at rest (stored) and in motion (being transmitted). Malicious individuals could threaten the smooth operation of your organization and potentially do severe damage to your finances and reputation. You want to know the extent to which your data’s integrity is protected against manipulation. Notably, you can best protect your critical information through authentication, as is achieved via checksum technology, digital signatures, magnetic disk storage, and error-correcting memory (as indicated by the National Institute of Standards and Technology HIPAA Security Rule Guide). Any analysis of threats to integrity should include a look at outside individuals as well as people who are legitimately working for you but are error-prone or become disgruntled.
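To make the checksum-versus-authentication distinction concrete for a file in transit, here is an added Python example of my own (not code from the original post). The sender publishes a plain SHA-256 checksum and a keyed HMAC-SHA256 tag over an exported record; the receiver verifies both. The simulation shows that the unkeyed checksum catches accidental corruption but not deliberate alteration (anyone can recompute it), whereas the keyed tag catches both. The file contents and the 32-byte shared key are constructed for the demonstration; in practice the key would come from a key-management system, or a digital signature with a private key would replace the HMAC.

```python
import hashlib
import hmac

# Constructed sample: a small exported record standing in for a transferred file.
SAMPLE_FILE = b"patient_id=EX-0001;visit=2024-01-15;note=follow-up in 6 weeks\n"

# Constructed demo key; a real deployment would fetch this from key management.
DEMO_KEY = bytes(range(32))


def sha256_checksum(data: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption in transit, nothing more."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of the key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(sha256_checksum(data), expected)


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), expected)


def simulate_transfer(key: bytes, data: bytes, scenario: str = "clean") -> dict:
    """Sender computes checksum and tag; the receiver verifies what arrives.

    scenario:
      "clean"      - file arrives unchanged
      "corrupted"  - one byte flipped by a transmission fault
      "altered"    - an intermediary changes the content and recomputes the
                     unkeyed checksum (possible without any secret), but cannot
                     recompute the keyed tag
    """
    checksum = sha256_checksum(data)
    tag = keyed_tag(key, data)
    received = data
    if scenario == "corrupted":
        received = data[:-2] + bytes([data[-2] ^ 0x01]) + data[-1:]
    elif scenario == "altered":
        received = data.replace(b"6 weeks", b"6 months")
        checksum = sha256_checksum(received)
    return {
        "checksum_ok": verify_checksum(received, checksum),
        "tag_ok": verify_tag(key, received, tag),
    }


if __name__ == "__main__":
    for scenario in ("clean", "corrupted", "altered"):
        print(scenario, simulate_transfer(DEMO_KEY, SAMPLE_FILE, scenario))
```

The design point is the one NIST's guidance makes: a checksum is an integrity aid against faults, but authentication of the data's origin requires a key, either a shared HMAC key or the private key of a digital signature, and the receiver must reject the file when the tag fails rather than merely log it.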

10 – Data access management (administrative)

One of the most fundamental principles of security is to give information only to the people who are supposed to be able to see it, blocking access for everyone else. A HIPAA-compliant organization must assess the procedures it has deployed and add defenses so that it can mitigate inappropriate ePHI access and disclosure. Also, note that information access management is about a need-to-know basis: make sure your management plan complies with the minimum necessary stipulations in the HIPAA Privacy Rule.

Which File Transfer Programs Are HIPAA Compliant?

When dealing with PHI, companies must make sure that they are using HIPAA-compliant file transfer programs to protect the integrity of sensitive data. HIPAA legislation requires organizations to implement the following to ensure compliance:

  • Access control
  • Data encryption
  • Audit logging
  • User authentication
  • Data backups and disaster recovery
  • Business Associate Agreements (BAA)

Your HIPAA-compliant business associate

HIPAA compliance goes beyond the above file transfer concerns to considering your entire ecosystem, trusting third parties (business associates) to strengthen your approach. Are you looking for hosting for your online healthcare presence? At Atlantic.Net, over the years, we’ve steadily built a reputation as an exceptional healthcare HIPAA hosting company, known for demonstrating trustworthiness to our clients.
