File sharing services that help with HIPAA compliance

How important is it for healthcare businesses to choose the right file-sharing service and use it correctly?

According to the IBM X-Force Report, “inadvertent activity such as misconfigured cloud infrastructure was responsible for the exposure of nearly 70 percent of compromised records.”

The statistics tell an insightful story about data breaches. While the world is quick to assume black hat actors are responsible, that’s actually one of the least likely scenarios. As an organization that helps with HIPAA compliance, you need to not only identify this risk but also mitigate it.

Working in the cloud introduces a whole new set of security problems for healthcare. To protect your company from HIPAA violations, finding file storage services that help with HIPAA compliance is essential.

Why HIPAA compliance matters in cloud storage

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. According to HITECH, standards that help with HIPAA compliance apply to any service provider that can access personal health information. This includes providers of cloud-based file storage services.

Failure to comply comes with stiff penalties under the HITECH Act. The new law created a tiered penalty structure with an increasing level of culpability for each infraction:

• Unknowing violations run from $100 to $50,000 per violation. The annual maximum for multiple identical infringements is $1.5 million.
• Violations with reasonable cause start at $1,000 per offense and have the same maximums as unknowing violations.
• Violations due to willful neglect that are corrected within the required timeframe have a minimum penalty of $10,000 and a maximum of $50,000. The maximum annual penalty is $1.5 million for the same violation.
• Violations due to willful neglect that are not corrected within the required timeframe start at $50,000. The annual maximum per violation is $1.5 million.

Monetary penalties can be increased and jail time added if a criminal violation also occurs. Since these fines fall on the “covered entity” and not the service provider, it’s vital to find a provider that helps you comply with HIPAA.

What to look for in a storage service that help with HIPAA compliance

Is it enough to have HIPAA/HITECH support? While that is an essential factor, it’s not the only thing healthcare businesses should require in a file-sharing service. Other things to consider include

• The ability to perform audits. Administrators need a way to audit users to ensure they remain security compliant, especially when using mobile devices. Look for a platform with a host of administrative controls, such as reports and audit trails.
• Business associate agreements (BAA). A business associate agreement is a HIPAA standard. It defines the cloud storage company’s responsibilities for safeguarding protected health information.
• Encryption methods. Companies need to encrypt data to prevent access by unauthorized individuals.

Here are four of the best file sharing services that help with HIPAA compliance.

1. Dropbox for Business

In November of 2015, Dropbox Business created a platform that boasted compliance with HIPAA and the HITECH Act. The service includes

• BAA
• Administrative controls
• Review and removal functions for linked devices
• User access with activity reports
• Optional two-step authentication

Dropbox uses an enterprise-grade security system with 256-bit AES encryption along with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption for safe data transmission. Dropbox meets compliance standards for ISO 27001 and SOC 2, as well.

2. Box

In 2013, Box added HIPAA and HITECH compliance standards to its enterprise accounts. The features from Box include

• BAA
• Access monitoring
• Audit trails

Box provides large file access for healthcare companies and works with different operating systems for employee devices. What stands out about Box storage is the number of advanced integrations available. Currently, Box integrates with

• Jotform
• Trello
• Oracle Marketing Cloud
• Adobe
• Zendesk
• RingCentral
• Salesforce
• HootSuite
• Office 365
• Docusign
• Google

Box allows users to securely share and view imaging files, such as X-rays, CT scans, and ultrasounds.

3. G Suite

G Suite, once called Google Apps for Work, is ISO 27001 certified and has passed both SOC2 and SOC3 audits. Customers who opt for this file-sharing option get BAA signed, which is a prerequisite for HIPAA compliance. This fact and the others listed below essentially makes G Suite a HIPAA-friendly tool. Because these customers also get

• Administrative controls
• Account activity tracking and audits
• App activity tracking and audits
• File-sharing permissions
• Google Vault for electronic discovery reference
• Two-factor authentication
• TLS and SSL encryption

4. ShareFile Business

The ShareFile Business package is a simpler way to go about sharing files. Users have the option to download a desktop app or go online to the ShareFile web portal.

ShareFile provides a more stripped down solution than the competitors. However, it still offers very attractive security features, such as

• SSL/TLS encryption protocols
• SSAE 16 Type II certified data centers
• Audit trails
• Configurable permissions

Staying HIPAA-friendly with the right tech stack

The vast majority of file exposures in your organization are most likely due to factors within your control. You can, and should, mitigate this risk.

By choosing the right solutions for gathering, processing, and storing PHI, you can ensure your procedures meet HIPAA standards at all times.