Best HIPAA Compliant File Sharing Services & Considerations
What’s the best HIPAA compliant file sharing solution? The choice makes the difference between keeping protected health information (PHI) secure and suffering a costly breach.
Since Google Drive is popular with so many people, you might be wondering: is Google Drive HIPAA compliant? No. Google Drive, by itself, is not HIPAA compliant. An organization must sign a business associate agreement with Google along with implementing controls, authentication, passwords and other necessary safeguards if they want to use Google Drive for handling PHI.
How Does HIPAA Affect File Sharing?
Any file sharing solution involving PHI must comply with HIPAA’s three overarching rules:
- The Privacy Rule, which defines PHI and the responsibilities that providers, insurers, and associated businesses have in storing and transmitting it. In short, they must protect the privacy of the patient outside of specific situations.
- The Security Rule, which outlines the security measures that healthcare institutions must utilize to protect data in transit and at rest.
- The Breach Notification Rule, which outlines what responsibilities these providers have in cases where their systems are breached, and PHI is compromised.
The Security Rule is incredibly important for file sharing solutions because it defines three critical safeguards that any solution must implement:
- Administrative safeguards: These safeguards include having proper data governance and risk management policies in place, effective leadership and decision making with regards to security implementation, and relevant training and continuing education programs to support employee cyber hygiene.
- Physical safeguards: Physical safeguards include protecting the physical location of data, like workstations and servers, with measures like locks, cameras, biometrics, and others.
- Technical safeguards: These safeguards include protective measures like anti-malware software, encryption, passwords, and firewalls.
Healthcare providers must meet all of these requirements to handle PHI in accordance with HIPAA. That means from the back office to data centers to the software and platforms, they must protect patient data.
Who Needs to Use HIPAA-Compliant File Sharing?
HIPAA defines all the relevant parties in healthcare that must comply with regulations:
- Covered Entities (CEs), who are primary healthcare providers like hospitals, clinics, doctor’s offices, insurers, and anyone else directly linked to patient care.
- Business Associates (BAs), who fill supporting roles (insurance, equipment manufacturing, IT support) for Covered Entities.
Any vendor working with a CE is, by definition, a Business Associate. They will inevitably handle PHI for transfer or storage and therefore must have HIPAA-compliant software. This means that a file sharing vendor who wants to make their solution compliant, or an organization that wants to work with a compliant vendor, should:
- Have a Business Associate Agreement with their partner CE,
- Implement physical, administrative, and technical safeguards for patient data, and
- Follow additional regulations around risk, reporting, and notification as defined by HIPAA.
What Should I Look for in HIPAA File Sharing Vendors?
There are some fundamental attributes that any organization handling PHI should consider when assessing a file-sharing solution vendor:
- Does the vendor have a BAA? Many solution providers will have a standing BAA that healthcare organizations can use or modify for their working agreement. Not having a BAA can signal that the vendor isn’t mature enough to handle PHI or not HIPAA compliant themselves.
- Does the vendor have enterprise capabilities? Sharing PHI isn’t just about transferring files. It’s about having analytics, management, and governance in place to support complex operations in a highly regulated environment. This goes double for healthcare providers who already have to deal with stringent security issues.
- Where does their expertise lie? A proper file sharing solution will provide security, data visibility, compliance, and protection. Healthcare isn’t an industry where a CE or a BA can afford to cut any corners.
These three aspects are general but important. HIPAA penalties start at $100 per violation and can reach $50,000 per violation, with the potential for millions in penalties per year depending on the breach or compliance violation.
Top HIPAA Compliant File Sharing Services
| Provider | Includes a BAA | Single- or Multi-Tenant | Compliance Features |
|---|---|---|---|
| The Accellion Kiteworks | Yes | Single-Tenant | Compliant encryption, reporting, audit logging, secure cloud, analytics, secure email, secure file transfer, anti-virus, automatic scans, policy and access controls, secure integration with Office 365. The Kiteworks Enterprise package provides an independent private cloud for each customer, with no intermingling of data or metadata, or shared application resources. |
| Google Workspace | Yes | Multi-Tenant | Compliant encryption, secure cloud, secure email, integrated Google Office apps, compliant voice and video chat, secure file transfer. |
| Microsoft OneDrive | Yes | Multi-Tenant | Secure cloud, secure email, secure integration with Office 365 and secured desktop apps, secure collaboration tools, reporting and logging, analytics, secure file transfer. Maximum file size 250 GB. |
| Box | Yes | Multi-Tenant | Secure cloud, secure mobile access, embedded viewing for specialized medical files, low file size limit. |
| Citrix ShareFile Healthcare Cloud | Yes | Multi-Tenant | Secure file transfer, secure mobile app sync. |
Google is a relative newcomer to healthcare solutions, but they do offer their well-known cloud and productivity tools for healthcare providers. This includes cloud storage and transfer, office apps, and compliant, secure video and voice chat. Google Workspace doesn’t emphasize enterprise features like analytics, segmentation, or other governance tools, however, so if you need that kind of visibility it may not be the right solution for you.
Microsoft is an award-winning cloud provider in the healthcare space, and when you sign up for OneDrive you sign up for the M365 platform, including cloud storage, productivity apps, and analytics. There is a lot of power here if your business operations want to dig into the right tools, but the more advanced segmentation and visibility features may be lacking or hard to work with.
Box is an established name in cloud storage, particularly in healthcare. Their secure offerings provide HIPAA compliance, and the Box platform provides secure access for mobile devices. What’s great for healthcare providers is that Box provides embedded file viewing for specific healthcare-related files such as X-rays, CT scans and MRIs. Box even gives you tools to compile health reports based on these files. On the flip side, the file size limits are typically lower than other solutions, and it seems like they are discontinuing the file compilation tool as of December 2021.
Citrix ShareFile Healthcare
ShareFile Healthcare has one job, and it does that job well. As a transfer and storage product, it brings straightforward file transfer and cloud storage to your operation. Other features, like productivity integrations and advanced cloud analytics, however, are not included in its HIPAA-compliant offering. This is a multi-tenant offering on a cloud specifically reserved for regulated industries including healthcare, which Citrix refers to as a “private cloud.”
The Accellion Kiteworks® Platform: The HIPAA Compliant File Sharing Solution – focus on our private cloud and audit trail
When you work with the Kiteworks platform, you get the power of a secure enterprise solution that also foregrounds HIPAA compliance and security.
Accellion specializes in three areas:
- Security: All Accellion tools, from email to file transfer and storage, are secured with HIPAA-compliant encryption, integrations with your existing security infrastructure (ATP, DLP, and SIEM), and other security measures. Because it deploys an independent private cloud for each customer, there is no intermingling of data and metadata with other customers inside your dedicated Kiteworks platform application. For the gold standard in security, US organizations may consider the FedRAMP hosted offering, with a designated third party performing a detailed yearly audit of more than 300 security controls, a yearly penetration test from both the internet and the corporate intranet, and continuous monitoring of any configuration changes or incidents. You have ownership of your encryption keys, and can integrate with a hardware security module (HSM) for tamper-proof key protection.
- Compliance: Our facilities and operations meet all HIPAA security safeguards for PHI, including secured data servers and workstations, and administrative protocols. When you transfer data through Accellion, your data is safe and compliant end-to-end. This includes granular, role-based permissions and controls, with least-privilege defaults as well as DLP integration with automatic blocking of non-compliant files.
- Visibility: Data visibility, analytics, and reporting are necessary for compliance and crucial for successful enterprise business resilience and efficiency. The Kiteworks platform gives you the insight you need to protect and govern PHI. This includes comprehensive, unified, immutable logging and audit trail for proving compliance to auditors, and for forensics if a leak should occur. You can also get a one-click compliance report covering your controls and highlighting potential risks, with an export suitable for auditors.
The Kiteworks platform also includes additional HIPAA-compliant features, like secure email and SFTP, enterprise-grade managed file transfer, and consolidated data access and controls in a single platform. Furthermore, it is the only solution with 100% on-premises deployment for single-tenancy cloud, which means even better security outside of shared cloud services.