Atlantic.Net Blog

Top Considerations for HIPAA Compliant File Sharing

Richard Bailey

HIPAA compliance is all about protecting the integrity of Protected Health Information (PHI), and a major part of the legislation requires a wide range of security and privacy safeguards to protect patient data at rest or in transit. In practice, this means that whenever medical files move across a network, they must be handled with due diligence in an environment designed to protect against any form of data breach.

Atlantic.Net has over 25 years of experience providing IT services. We are a specialist HIPAA-compliant hosting provider. We have compiled this Q&A page to help answer some of the most popular questions we are asked about HIPAA-compliant file sharing.


Is Security Awareness Training Mandatory?

Yes. HIPAA compliance requires both covered entities and business associates to train their employees about HIPAA and the physical, administrative, and technical safeguards needed to protect patient data.

Your staff should know reasonable ways (for example, phishing prevention) to guard against malware intrusion, and they should understand when it is appropriate and inappropriate to access health data.

To prevent non-compliant password sharing, implement strong password policies. An organizational culture that respects compliance is founded on training that gives your workforce sound security knowledge.

How Do I Protect PHI Data in Transit?

Preventing unauthorized access to Protected Health Information is of the utmost importance, whether the data is in motion or at rest. Protections for data in transit are critical because mobile devices and health information exchanges (HIEs) are increasingly used to send health data.

There are two key elements to consider:

  1. Protect data in transit using security protocols, best practices, and secured systems
  2. Encrypt all files in transit containing health data

To achieve this, each employee has a personal responsibility to consistently encrypt in-transit data. Staff without encryption expertise must be given training that explains the “dos and don’ts” of transmitting PHI and when transmission is not acceptable. A minimum of AES-256 encryption must be used, and PHI should not be sent via email unless it is encrypted first.

How Do I Protect Employee Workstations?

Employers must put policies and procedures in place that address how employees may access and use end-user devices, typically mobile devices, laptops, and workstations. Create policies and procedures that control how media is transferred, decommissioned, disposed of, or reused. All pertinent health data must be destroyed before any equipment is reused.

Key concerns for this aspect of physical security are:

  • the number of individuals who use the workstation; and
  • whether it is in a private or public setting.

Why Do I Need a Security Management Plan?

In order for your staff to properly follow administrative safeguard rules, you will need policies and procedures to support a comprehensive security management approach. A critical aspect of this effort is a risk analysis and management process. Overall, this plan is based on the need to maintain the availability, integrity, and confidentiality of health data.

What Audit Controls are Needed to Protect PHI?

HIPAA compliance requires detailed logging of nearly every aspect of a system that hosts PHI. Logging and analysing everything that occurs within these systems is essential.

Anyone handling health data, whether a covered entity or business associate, should decide how often audits will occur, the specific processes used to review ePHI, where audit results will be stored, and the policy for personnel who do not follow guidelines.

Detailed logging into a capable SIEM solution can offload much of the analysis workload to AI-assisted tooling, and combining intelligent monitoring, an intrusion protection service, and due diligence creates the best environment in which to protect and audit sensitive data.

How Do I Respond to a Security Incident?

To comply with HIPAA, you must know in advance how you will respond to security incidents, with documented policies and procedures. A key element is evaluating the spectrum of incidents that could occur.

The procedures should specifically indicate an individual who is the organization-wide point-person to be notified if a security incident occurs (i.e., your HIPAA Security Officer, who may also be your HIPAA Privacy Officer).

Everyone working at your organization should know exactly what to do in the various difficult scenarios that may arise, so that digital health data stays safe no matter the situation.

What Authentication Methods Should I Use?

You want robust and thorough steps in place to authenticate access to your systems and verify the real identities of all users. One method is to use centrally managed directory accounts (such as Active Directory) that enforce minimum password requirements and account lockout, managed either in-house or by your MSP.

Budget should be considered alongside training and the actual procedures and protocols that will be used. Authentication is necessary so you can determine whether someone has the correct permissions for ePHI and what the source of a transmission is.

Multi-factor authentication (MFA) provides the strongest practical protection for sensitive data. It is widely used, and just as it protects mobile banking, MFA protects access to your accounts. The same principle applies to PHI in a HIPAA-compliant context: MFA greatly strengthens the protection of PHI.

Who Protects Facility Access Controls?

The facility can be any physical location used to house PHI: a terminal in a hospital, the data center of your managed hosting provider, or an employee’s cell phone. You need to go beyond protecting workstations and devices and consider the whole building. Do you require a 24×7 security guard presence, CCTV monitoring, and potentially further physical security controls in the facility?

Ensure that physical access is restricted to people with proper authorization. While all of the stipulations for access (maintenance records, access validation and control procedures, contingency operations, and a facility security plan) are “addressable” rather than “required,” you still must implement whichever of these elements your analysis of your situation shows to be appropriate.

What Integrity Controls are Needed?

From an administrative perspective, ensuring the integrity of your data (verifying that it is not wrongly destroyed or changed) requires you to establish, via policies and procedures, rules against wrongfully destroying or changing health data.

Consider how to protect data integrity both at rest (stored) and in motion (being transmitted). Malicious individuals could disrupt the operation of your organization and do severe damage to your finances and reputation.

You want to know the extent to which your data’s integrity is protected against manipulation. Notably, you can best protect critical information through authentication mechanisms such as checksums, digital signatures, magnetic disk storage, and error-correcting memory.

Any analysis of threats to integrity should consider outsiders as well as people legitimately working for you who are error-prone or who may become disgruntled.
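To make the checksum-versus-signature point concrete, here is an added example (not from the original post and not Atlantic.Net code) that verifies a shared file first with an unkeyed SHA-256 checksum and then with a keyed HMAC-SHA256 tag; the sample record, the shared key and the function names are constructed for illustration, and HMAC stands in for a digital signature because both rely on a secret that an intermediary does not hold.

```python
"""Integrity check for a PHI file shared out of band (added example).

A bare checksum only catches accidental corruption: whoever can alter the file
in transit can also recompute the checksum that travels with it. A keyed tag
(HMAC-SHA256) computed with a key known only to sender and receiver cannot be
recomputed by a third party, so it also catches deliberate manipulation.
"""
import hashlib
import hmac

# Constructed sample record standing in for an exported PHI file; not real data.
SAMPLE_RECORD = b"patient_id=000001;dob=1970-01-01;result=negative\n"
# Constructed shared key for this example. Real deployments generate a random
# key, distribute it over a separate secure channel and keep it in a secrets
# store, never alongside the file.
SHARED_KEY = b"example-shared-key-replace-me-00"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects corruption, not tampering."""
    return hashlib.sha256(data).hexdigest()


def integrity_tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: cannot be regenerated without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so response timing does not leak the tag."""
    return hmac.compare_digest(integrity_tag(key, data), tag)


def receiver_check(key: bytes, data: bytes, sent_sum: str, sent_tag: str) -> dict:
    """What the receiving side learns from each mechanism."""
    return {"checksum_ok": checksum(data) == sent_sum,
            "tag_ok": verify_tag(key, data, sent_tag)}


def tamper_demo() -> tuple:
    """Honest delivery versus a file altered (and checksum refreshed) in transit."""
    sent_sum = checksum(SAMPLE_RECORD)
    sent_tag = integrity_tag(SHARED_KEY, SAMPLE_RECORD)
    honest = receiver_check(SHARED_KEY, SAMPLE_RECORD, sent_sum, sent_tag)
    # An intermediary without the key can rewrite the record and refresh the
    # checksum, but can only forward the original tag, which no longer matches.
    tampered = SAMPLE_RECORD.replace(b"negative", b"positive")
    altered = receiver_check(SHARED_KEY, tampered, checksum(tampered), sent_tag)
    return honest, altered  # honest passes both; altered passes checksum only
```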

How Do I Control Access to PHI Data?

One of the most fundamental principles of security is to give information only to the people who are supposed to see it, blocking access to everyone else. A HIPAA-compliant organization must assess the procedures it has deployed and add defenses to mitigate inappropriate ePHI access and disclosure.

Information access is granted on a need-to-know basis: make sure your management plan complies with the minimum necessary stipulations of the HIPAA Privacy Rule.
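The audit-control questions earlier (what to log, how often to review it) and the minimum-necessary rule here together define what a log review has to look for. The following added example (not from the original post or any product) reviews constructed ePHI access-log lines against a constructed need-to-know roster; the log format, roster, working hours and thresholds are all assumptions made for illustration.

```python
"""Review constructed ePHI access-log lines against a need-to-know roster.

Surfaces three patterns an auditor wants flagged: access to a patient the user
is not assigned to (minimum-necessary violation), access outside working hours,
and one user touching many distinct records within a short window (possible
bulk export). Log format, roster and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: ISO timestamp, user, patient id, action.
SAMPLE_LOG = """\
2024-03-04T09:12:05 nurse_a P1001 VIEW
2024-03-04T09:15:40 nurse_a P1002 VIEW
2024-03-04T22:47:10 nurse_a P1001 VIEW
2024-03-04T10:02:00 clerk_b P1001 VIEW
2024-03-04T10:02:03 clerk_b P1003 VIEW
2024-03-04T10:02:05 clerk_b P1004 VIEW
2024-03-04T10:02:08 clerk_b P1005 EXPORT
"""
# Constructed roster: the patients each user may see (minimum necessary).
ROSTER = {"nurse_a": {"P1001", "P1002"}, "clerk_b": {"P1001"}}
WORK_HOURS = (7, 19)                 # 07:00-19:00; access outside is flagged
BULK_WINDOW = timedelta(seconds=60)  # window for counting distinct patients
BULK_THRESHOLD = 3                   # distinct patients in window => flag


def parse_line(line: str) -> dict:
    ts, user, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action}


def review(log_text: str, roster: dict) -> list:
    """Return (timestamp, user, finding) tuples, one per flagged condition."""
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    findings, recent = [], defaultdict(list)   # recent: user -> [(ts, patient)]
    for ev in events:
        ts, user = ev["ts"], ev["user"]
        if ev["patient"] not in roster.get(user, set()):
            findings.append((ts, user, "out-of-scope"))
        if not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
            findings.append((ts, user, "after-hours"))
        # Keep only this user's events inside the sliding window, then count
        # distinct patients; a burst across many records suggests bulk access.
        recent[user] = [(t, p) for t, p in recent[user] if ts - t <= BULK_WINDOW]
        recent[user].append((ts, ev["patient"]))
        if len({p for _, p in recent[user]}) >= BULK_THRESHOLD:
            findings.append((ts, user, "bulk-access"))
    return findings
```

Each finding is a candidate for the follow-up policy the post mentions for personnel who do not follow guidelines, not an automatic verdict.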

Which File Transfer Programs are HIPAA Compliant?

It is not necessarily the program that must be HIPAA compliant; rather, it is critical that the environment in which the program is used is thoroughly secured. When dealing with PHI, companies must make sure they are using a HIPAA-compliant file transfer platform to protect the integrity of sensitive data.

HIPAA legislation requires organizations to implement the following to ensure compliance:

  • Access control
  • Data encryption
  • Audit logging
  • User authentication
  • Data backups and disaster recovery
  • Business Associate Agreements (BAA)

What is a HIPAA-Compliant Business Associate?

HIPAA compliance goes beyond the file transfer concerns above to encompass your entire ecosystem, which sometimes includes trusting third parties (business associates) to strengthen your approach. Are you looking for hosting for your online healthcare presence? At Atlantic.Net, over the years we have built a reputation as an exceptional healthcare HIPAA hosting company, known for demonstrating trustworthiness to our clients.

Get Help with HIPAA Compliance

Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or visit www.atlantic.net.
