HIPAA (the Health Insurance Portability and Accountability Act) compliance is all about protecting the integrity of Protected Health Information (PHI), and a major part of the Federal law requires a wide range of security and privacy safeguards to protect patient data at rest or in transit according to HIPAA’s Privacy Rule and Security Rule. What this means is that when your medical files are traveling around cyberspace, it must be done with the utmost due diligence in an environment that is designed to protect against any form of a data breach and prevent an unauthorized user’s attempt to access files.
Atlantic.Net has over 25 years of experience providing IT services. We are a specialist HIPAA-compliant hosting provider. We have compiled this Q&A page to help answer some of the most popular questions we are asked by healthcare providers about HIPAA-compliant file sharing.
Yes, it is a mandatory requirement of HIPAA compliance for both covered entities, like healthcare providers, and their business associates to provide training to their employees about HIPAA compliance and the physical safeguards, administrative safeguards, and technical safeguards needed to protect patient data – including when using file-sharing services.
Your staff should know reasonable ways (as with phishing prevention) to guard against the intrusion of malware, and they should understand when it is appropriate and inappropriate to access health data, including as it relates to file sharing solutions.
In order to prevent non-compliant password sharing, you want to have strong password policies implemented. An organizational culture that respects HIPAA compliance is founded on training that ensures your workforce has strong security knowledge and understands the physical, administrative, and technical safeguards employed to enforce data protection according to the Security Rule and Privacy Rule of HIPAA.
How Do I Protect PHI Data in Transit? Do I Need to Protect PHI on Mobile Devices, Too?
Preventing unauthorized access to Protected Health Information is of the utmost importance, whether the data is moving or at rest. When considering data-in-transit, protections are critical because mobile devices are increasingly used to send health data and health information exchanges (HIEs). There are two key elements to consider regarding data security in transit:
There are two key elements to consider:
Protect data in transit using security protocols, best practices, and secured systems
Encrypt all files in transit containing medical records/health data
To achieve this, each employee has the personal responsibility to consistently encrypt in-transit data, including when it is being sent using file-sharing services. It does not matter if your staff has no encryption expertise or background in data security; training must be provided. This training must explain the “dos and don’ts” when it comes to transmitting PHI and when it is not acceptable. A minimum of AES256 bit encryption must be used and PHI should not be sent via email unless encrypted first.
As mobile tools and mobile platforms are more frequently used to share such sensitive patient information, sensitive files must be encrypted there, too. Covered entities must have policies in place to send a secure file with robust mobile security, including encryption of data in transit and controls on mobile access as with other workstations and devices.
How Do I Protect Employee Workstations?
Healthcare organizations must put policies and procedures in place that address how their employees can access and use end-user devices, typically smartphones, tablets, laptops, and workstations. Create policies and procedures that control how media is transferred, decommissioned, thrown out, or reused. All pertinent health data must be destroyed prior to any equipment reuse.
Key concerns for this aspect of physical security are:
the number of individuals who use the workstation; and
whether it is in a private or public setting.
Why Do I Need a Security Management Plan?
In order for your staff to properly follow administrative safeguard rules, you will need policies and procedures to support a comprehensive security management approach. A critical aspect of this effort is a risk analysis and management process. Overall, this plan is based on the need to maintain the availability, integrity, and confidentiality of health data.
What Audit Controls are Needed to Protect PHI?
HIPAA compliance requires detailed logging of nearly all aspects of a system that hosts PHI. The logging and analysis of everything that occurs within these systems are essential.
Anyone handling health data, whether a covered entity or business associate, will want to assess what the intervals will be for auditing, the specific processes used to study the ePHI, the location of storage for audit results, and the policy for personnel who do not follow guidelines.
Detailed logging to smart SIEM solutions can offload a large amount of the workload to AI, and combining intelligent monitoring, an intrusion protection service, and due diligence creates the best environment to protect and audit sensitive data.
How Do I Respond to a File Sharing Security Incident?
In order to comply with HIPAA, healthcare providers have to know how they will respond to security incidents in advance with documented policies and procedures. A key element is evaluating the spectrum of different incidents that could potentially occur when using HIPAA-compliant file-sharing services.
The procedures should specifically indicate an individual who is the organization-wide point-person to be notified if a security incident occurs (i.e., your HIPAA Security Officer, who may also be your HIPAA Privacy Officer).
Everyone who is working at your organization should know exactly what they need to do in various types of difficult scenarios in order to make sure digital health data is safe no matter the situation.
What Authentication Methods Should I Use?
You want robust and thorough steps in place to authenticate secure access to your systems and determine the real identities of all users – this applies to more than just HIPAA-compliant file sharing. One such method to achieve this is by using user accounts (such as Active Directory) that have minimum password requirements, lockout capabilities, unique user IDs, and are centrally managed, either in-house or by your MSP.
The budget should be considered alongside training and the actual procedures and protocols that will be utilized. Authentication is necessary so you can determine whether someone has the correct permissions for ePHI or what the source of transmission is.
Multi-factor authentication provides the best possible protection to sensitive healthcare data for HIPAA compliance. MFA and two-factor authentication are widely used, and just like it does with mobile banking, MFA will protect access to your secure file transfer accounts. The same principle applies to PHI in a HIPAA-compliant context; MFA helps greatly in protecting PHI when using a secure file transfer tool for HIPAA-compliant file sharing.
Who Protects Facility Access Controls?
Any facility where HIPAA-compliant file sharing is performed as part of procedures will also need to abide by HIPAA guidelines on access controls.
Separate from the question of HIPAA-compliant file sharing, a facility that is subject to HIPAA regulation can be any physical location that is used to house PHI; this may be a terminal in a hospital, the data centers of your managed hosting provider, or an employee cell phone. You need to go above and beyond protecting your workstations and devices, all the way to considering the whole building. Do you require a 24×7 security guard presence, CCTV monitoring, and potentially even further physical security measures in the facility?
Ensure your security measures restrict physical access to people without proper authorization. While all of the stipulations for access controls – maintenance records, access validation and control procedures, contingency operations, and a facility security plan – are “addressable” rather than “required,” you still must use any of these elements that you find are appropriate based on analysis of your situation.
What Integrity Controls are Needed?
From an administrative perspective, ensuring the integrity of your data (verifying that it is not wrongly destroyed or changed) requires you to establish (via policies and procedures) rules against wrongfully destroying or changing health data.
Consider how to promote data integrity when information is at rest (stored) and in-motion (transmitting). Malicious individuals could threaten the smooth operation of your organization and potentially do severe damage to your finances and reputation.
You want to know the extent to which your data’s integrity is protected against manipulation. Notably, you can best protect your critical information through authentication as achieved via checksum technology, digital signatures, magnetic disk storage, and error-correcting memory.
Any analysis of threats to integrity should include a look at outside individuals as well as people who are legitimately working for you but are error-prone or who may become disgruntled.
How Do I Control Access to PHI Data?
One of the greatest fundamentals of security is to only give information to the people who are supposed to be able to see it, blocking access to others. A HIPAA-compliant organization must assess the procedures they have deployed (including any that rely on HIPAA file sharing) and add defenses so that they can mitigate inappropriate ePHI access and disclosure of sensitive files.
Information access is based on a need-to-know basis: make sure your management plan complies with the minimum necessary stipulations in the HIPAA Privacy Rule.
Which File Transfer Programs are HIPAA Compliant?
It is not necessarily the program that must be HIPAA-Compliant; rather, it’s critical that the environment where the program is used is abundantly secure. When dealing with PHI, companies must make sure that they are using a HIPAA-compliant file transfer platform to protect the integrity of sensitive data.
HIPAA legislation requires organizations to implement the following to ensure compliance:
Data backups and disaster recovery
Business Associate Agreements (BAA)
What is a HIPAA-Compliant Business Associate?
HIPAA compliance goes beyond the above file transfer methods to encompass consideration of your entire ecosystem, including sometimes trusting third parties (business associates) to strengthen your approach. Are you looking for a HIPAA-compliant solution for hosting for your online healthcare presence? At Atlantic.Net, over the years, we’ve steadily built a reputation as an exceptional healthcare HIPAA hosting company, known for demonstrating trustworthiness to our healthcare industry clients and offering a Business Associate Agreement as part of our commitment to maintaining HIPAA compliance for healthcare providers and healthcare organizations who need help protecting PHI.
Get Help with HIPAA Compliance
Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or visit www.atlantic.net.
Your 10-Step HIPAA (Health Insurance Portability and Accountability Act) Checklist
Start Your HIPAA Project with a Free Fully
Audited HIPAA Platform Trial!