HIPAA-compliant file share considerations
File sharing is a normal part of daily operations for most health care facilities. It promotes a more collaborative environment and makes it easy to share information with patients or internal and external experts. Medical technology has come far, creating safer sharing methods than those of the past — like unsecured email messages or physical hard drives — and replacing them with faster, more compliant solutions.
If your recent HIPAA risk assessment indicated vulnerabilities in your protected health information (PHI) sharing processes, or you're looking for a way to simplify your processes without cutting into quality care, learn more about file-sharing considerations
HIPAA-compliant file sharing
Cybercriminals breached more than 29 million health care records in 2020. Your facility must stay up to date on the latest safety protocols and technology to protect yourself as hackers create more effective strategies for accessing patient and facility information. A firm understanding of HIPAA-compliant file transfers helps your team keep all data safe and organized, avoids confusion, and makes their jobs easier. Safe practices can also give your patients peace of mind that their care and privacy are your top priority.
The following three rules guide health care facilities through all requirements for protecting physical and digital PHI and reporting breaches to the appropriate parties:
The Privacy Rule
The Privacy Rule applies to physical PHI as well as electronic PHI, or ePHI. It provides guidance for who can access PHI and ePHI, what they can do with the information they access, and who they can share PHI with. This rule applies to all covered entities (CEs) and business associates (BAs) and requires that all involved parties follow the "minimum necessary rule" to disclose only what is crucial for its intended purpose, with some exemptions.
The Privacy Rule protects all forms of PHI, including:
- Patient contact information
- Patient billing information
- Written and digital health records
- Videos and images associated with diagnostics and treatment
- Patient signature or handwriting
The U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR) may audit your facility for potential Privacy Rule violations if they've received a complaint or you've had issues with PHI protection in the past.
The Security Rule
The Security Rule ensures all CEs and BAs follow compliance standards to protect ePHI across all locations, devices, equipment, hardware, and workstations — including shared files. Because every facility, organization, and team is different, there is no strict set of specific rules.
Instead, the Security Rule implements a flexible approach with a strong focus on what you should do instead of how you should do it, assuming all methods are also compliant. You can get a better idea of your specific requirements by performing a risk assessment and analyzing:
- Your current processes
- The size of your team
- The type of work you do
- Risk types and threat levels
- How many patients or clients you serve daily
You can also use third-party HIPAA certification programs for unbiased, expert suggestions.
Your organization must protect all ePHI while it's collected, stored, received, or sent. Protection includes privacy for the patient and all their information and against both physical security and cybersecurity threats. Vulnerabilities include unauthorized use or disclosure, breaches, identity theft, data loss, destruction, or unauthorized changes.
Efficient PHI protection means constantly checking and reevaluating your processes and hardware to adjust as needed, which is why scalability and simplicity should be top priorities when designing your ePHI protection plan. You should also stay up to date on HIPAA changes and future updates to Security Rule guidance.
The Breach Notification Rule
If your facility has or suspects any breach of PHI or ePHI, the Breach Notification Rule requires you to notify all individuals who may have been impacted within 60 days via first class mail or email depending on what type of communication that patient agreed to during prior authorization. All suspected breaches are considered and treated as breaches until you prove otherwise.
When contacting patients, plainly explain the situation — including all known information about the breach and data affected and your plan for preventing future breaches. Let each person know how to reach you with further questions or clarification. You must also report breaches to the HHS OCR and, in some regions, your local media outlets. Post a notice on your website homepage and make every reasonable effort to inform all patients in multiple ways.
Penalties vary across situations but are stricter and more costly if you or affiliated BAs fail to promptly follow the Breach Notification Rule. The HHS OCR also accounts for how quickly you mitigated the risk, what type of information was accessed, the suspected criminal, your existing HIPAA-compliance processes and audit results, and other information.
How to implement the Security Rule for file sharing
Though each of the above rules is an integral part of HIPAA-compliant file sharing, the Security Rule is especially useful. Participate in ongoing security awareness training to keep your team educated on evolving HIPAA regulations and privacy safeguards, including reasonable ways to protect PHI from cyberattacks and unauthorized access. For some facilities, this might include stronger password policies and physical restrictions to protected areas. Protective measures could be as extensive as upgrading to a newer and safer collaborative platform to support compliance efforts.
Follow these three standards as you approach Security Rule implementation in your facility:
Administrative safeguards
Administrative safeguards make up more than half of the HIPAA Security Rule guidelines. This is because the Security Rule applies to so many areas of your organization, including:
- Having a disaster recovery plan
- Information access management
- Security training
- Regular risk assessments
- Automatic security reminders
- PHI protection plans
- Login monitoring
- Password management
- Incident escalation and response plan
- Emergency mode operation plans
All administrative safeguards should make sense for your specific organization and facility. Keep up-to-date documentation of all assessments, policy changes, and security measures, including malware protection, password management programs, team training, and more.
Physical safeguards
Implement physical safeguards at all workstations and in rooms where PHI and files are stored, accessed, and received. This includes devices your team uses on the job and at home, like company cellphones or mobile diagnostic equipment.
Examples of physical safeguards at your facility include:
- Sophisticated door locks with biometric entry
- Security systems
- 24/7 monitoring of critical areas
- Access control validation
- Device locks and passcode requirements
- Data removal policies
- Device disposal plans for outdated or broken devices
- Access restrictions, depending on role and purpose
- Media usage, storage, backup, and transfer policies
- Video monitoring
Update and upgrade physical safeguards as your team or facility changes or new physical risks emerge in your industry, department, or region.
Technical safeguards
Technical safeguards apply to ePHI and include things like data encryption, automatic secure backup, disaster recovery plans, firewalls, malware protection, antivirus software, multifactor authentication, and more. The idea is to protect all digital files from breaches and unauthorized access through stronger network security and employee training. Apply technical safeguards to all networks, in-person and remote devices — including emergency plans for lost and stolen devices — workstations, and more.
Get started by analyzing your current ePHI storage and transmission processes to identify vulnerabilities and determine where you can further bolster security.
Tips for meeting HIPAA requirements when sharing files
The following pieces are essential parts of your HIPAA-compliant PHI protection plan:
1. Patient authorization
The Privacy Rule requires written patient authorization for all PHI collection and disclosure, though it's not typically required for things like in-house treatment or payment processing. You may also use digital copies of signatures and authorization, assuming your systems are HIPAA compliant and the patient consents to electronic authorization.
2. Employee training
Train employees — including BA employees or vendors — to follow all sharing requirements and guidelines through the HIPAA Security and Privacy Rules. According to the Cybersecurity Information Sharing Act of 2015 (CISA), employees must continue protecting PHI and avoid disclosure, even when describing or reporting security incidents and cyber threats.
3. Secure messaging
All digital communication should be secured through private networks, authorized applications, message wiping, web filtering, automatic message deletion, and disabled copy and paste features on documents and patient files. You should also implement logistical safeguards for physical communication, like secured areas for private phone calls and policies for taking, storing, and delivering notes.
4. Secure platforms
All platforms you or your BAs use for PHI should be secure, including hybrid, private, and public clouds. Require service level agreements (SLAs) to confirm each platform's data recovery and backup processes, disclosure limitations, and other security features to help you stay HIPAA compliant.
5. File encryption
Encrypt data on all devices and workstations, including in-transit data and stored files for HIPAA file transfers with in-house employees and third parties. Train all employees, including those unassociated with IT or security systems, on the proper way to uphold data encryption when transmitting and storing PHI.
6. Incident response plan
Have a strong incident response plan for suspected and confirmed security incidents that address each possible risk and threat level evaluated in your risk assessment. Consider assigning a HIPAA security officer to facilitate escalation and act as a common point of contact for incidents.
Who needs to use HIPAA-compliant file sharing?
All insurance companies, PHI clearinghouses, and health care providers — including hospitals, specialists, offices, and beyond — are required to use HIPAA-compliant file-sharing methods. This is true whether the organization is considered a CE or BA:
Covered entities
CEs are organizations and facilities that deal directly with PHI, such as a hospital or health care center. They are responsible for determining and evaluating their own risks and their facility's definition of minimum necessary use, and must use that information to implement PHI protection and privacy processes. They can rely on outside assistance, like third-party experts and HIPAA certification training programs.
CEs are not directly liable for any HIPAA violations their BAs commit — including accrued penalties — as long as a legitimate business associate agreement (BAA) is in place and enforced. The CE is still responsible for terminating BAAs when necessary and complying with all HIPAA rules during file transmission and receiving.
Business associates
BAs are any third party or vendor working with a CE that comes into contact with, manages, sends, receives, or stores patient PHI. They are required to follow HIPAA guidelines, just as your organization is required to choose compliant vendors and implement thorough BAAs.
Examples of BAAs include billing processors, technology specialists, system administrators, equipment vendors, and others.
How to choose a HIPAA file-sharing partner
A trustworthy, reliable file-sharing partner is the best way to stay current on technology trends and evolving data protection practices. While the provider you use doesn't have to be HIPAA-compliant itself, it should be equipped with all the tools you need to stay HIPAA-compliant, such as data encryption, audit logging, user authentication, multifactor authorization for logins, data backup, disaster recovery assistance, and more. They should also be ready to enter into a BAA with your organization:
The following are steps to help you choose the right file-sharing partner for your organization:
1. Use a BAA
Look for a file-sharing provider willing to enter into an ongoing, adjustable BAA. If they can't or aren't willing to do so, consider looking elsewhere, as this could mean they aren't equipped for HIPAA compliance or lack the necessary tools to protect your organization from unauthorized access or breaches.
Review all BAAs regularly and make adjustments as needed to accommodate changing regulations, risks, technology, and team training.
2. Note all platform capabilities
Note everything that the platform is capable of, including PHI storage and management, encrypted communication, analytics, audit trails, BAA creation, thorough security settings, and document support. Like your BAAs, you should review all platform settings regularly and before HIPAA audits to ensure up-to-date compliance and that your file-sharing partner hasn't made any significant changes that could interrupt your daily processes or PHI handling methods.
3. Focus on usability
Features and security settings are essential for HIPAA-compliant file sharing, but they should never come at the cost of usability. Everyone on your team should be able to use the platform, whether it's their first day as a floor-level health care team member or an experienced IT specialist. Make sure your chosen platform is simple to use, including its navigation, customer support, and training requirements.
4. Consider the company's expertise and experience
Check what industries and organizations your potential partner has worked with before. Have they provided file-sharing solutions for other health care facilities or HIPAA-compliant businesses? Do they have experience with the security, compliance, and protection you need, with trusted reviews from third-party sites?
All of this information should be readily available on the provider's website or information portal. Take advantage of the service's contact option to learn more and ask specific questions while choosing the best platform for your needs.
How Box approaches HIPAA-compliant file sharing
Box offers a single, easy-to-use platform to help you manage data, files, and processes across your teams, no matter where they are. This includes a comprehensive administrative control center with security settings to help you stay compliant with HIPAA regulations. We also help you meet other obligations, like the Health Information Technology for Economic and Clinical Health Act (HITECH) and the HIPAA Omnibus Ruling.
These are just a few benefits Box platforms and services can offer your health care organization:
Data encryption
Every piece of data you upload to Box, including PHI and legal contracts, is encrypted with an encryption cipher suite starting at 256-bit AES, with in-transit files receiving TLS 1.2 encrypted protection. What does this mean for you? Top security for all shared files, including those sent and received, to minimize your chance of data breaches and unauthorized access.
We take data encryption a step further with Box KeySafe, which gives you independent control over your organization's unique data encryption keys without interrupting the platform's usability. With Box KeySafe, you can track who is using encryption keys, why, and when, and eliminate that user's access, if needed. All you have to do to use Box KeySafe is upload a file, allow Box to encrypt it with an initial protective layer, then add your own personalized key as a secondary form of protection — that's it. Box never has access to your personal encryption keys, and you retain all legal rights to them.
Audit trails and native capabilities
Box backs up all files every day to secure facilities with enterprise-grade servers that undergo 24/7 monitoring and regular security audits. We also help your organization with detailed audit logs and administrative reporting you can integrate with other third-party tools and services.
Our system uses advanced native capabilities to identify PHI and other patient information using custom terms to classify content based on your preapproved policies and data collection practices. Use built-in security features to monitor and access policies quickly and prevent data leaks.
Box Shield can even send you alerts if it suspects any insider threats, suspicious activity, malware attacks, or account compromise. This allows you to stay ahead of the threat and mitigate it before it grows and results in fines, legal action, or a damaged reputation.
Compliance and zones
Box Zones uses regional-specific data residency obligations to help you and your international BAAs stay compliant with local regulations, such as the General Data Protection Regulation (GDPR). This eliminates time-consuming barriers that could interrupt daily workflow and makes collaborating across distances more accessible than ever.
We'll provide real-time reporting and governance to dispose of content safely and restrict management as needed. You can even customize your organization's retention policies for all uploaded and shared data and control which file versions you want to maintain or archive. We'll help you apply compliance principles to all areas of operations, including communication, administrative controls, and much more.
Business associate agreements
Box is happy to enter into a BAA with all organizations and BAs who participate in our Enterprise or Elite programs and seek HIPAA compliance. We'll help you establish a BAA with us before you start storing or sending any information on our platforms or using our services for your organization.
While you remain responsible for configuring all Box settings to fit your facility's unique needs and enforcing HIPAA guidelines, we stay current on all HIPAA regulations and update our platforms, policies, and procedures to reflect changing risks, trends, technology, and industry needs. Our systems are evaluated and approved by an independent third party, so you know you can count on us to deliver consistent results and help your team reach productivity goals while protecting sensitive PHI.
Box can help you stay HIPAA compliant
Sharing files across networks, teams, or distances is an essential part of running a health care organization or related vendor program. It improves collaboration, boosts productivity, and helps you deliver fast, custom information for your patients that they can access whenever and wherever they need to. Implement strong, adaptable file-sharing policies that support HIPAA regulations, then monitor and make changes as needed.
Box features top security integrations like granular user permissions, organizationwide administrative controls, link expiration limits, secure external file sharing, device ownership verification, and more to help you stay compliant while working together. Learn more about Box services and how we can help your organization reach and maintain HIPAA compliance. To get started, browse available plan options today.
Box can help your organization reach and maintain HIPAA compliance
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.