In accordance with HIPAA’s Privacy Rule and Security Rule, covered entities are required to have physical, administrative, and technical safeguards in place when sharing Protected Health Information (PHI).
This includes ensuring that all PHI is encrypted to an industry-grade standard, both at rest and in transit. Below is a more detailed description of the safeguards that must be in place for a covered entity to remain compliant with HIPAA, and how to make sure you are HIPAA compliant when file sharing.
The Safeguards to Remain Compliant with HIPAA
1. Physical safeguards
Physical safeguards relate to the way your PHI is physically accessed. This includes implementing measures to secure any workspaces, servers, workstations and mobile devices that have access to PHI. At the very least, covered entities should:
- Limit the number of people who have physical access to workspaces and devices that have access to PHI. This also includes the use of locks, alarms, ID badges and CCTV cameras to secure your physical premises.
- Establish a set of protocols to determine how these workspaces and devices can be used, and by whom.
- Implement procedures for securely deleting PHI stored on a device before it is decommissioned.
2. Administrative safeguards
Administrative safeguards include policies and procedures designed to protect patient information at the administrative level. This may include designating a security official, conducting risk assessments, employee training, and so on.
- Employees must be sufficiently trained to identify phishing attacks and ensure that PHI is never shared with unauthorized parties.
- Establish a strong security management plan that specifies the procedures for conducting risk assessments, which includes identifying all possible risks associated with the PHI you store. It should also include an incident response plan (IRP), which should be activated if an incident involving PHI unfolds.
- Implement strict access controls to ensure that access to PHI is only granted to those who legitimately need it.
3. Technical safeguards
The HIPAA Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” In other words, they are the specific technical measures that must be in place to protect PHI. This includes how and where PHI is stored, how it is accessed and shared, authentication and encryption measures, and more. To ensure that you have the necessary safeguards in place, you must:
- Use an industry-grade encryption algorithm to ensure that all PHI is securely encrypted, both at rest and in transit. This also includes introducing measures to ensure that only authorized personnel have access to the decryption keys. Strong data encryption will prevent adversaries from reading the data, even if they manage to gain access to it.
- Set up the necessary access controls to restrict access to PHI. This includes assigning each user a unique ID, as well as enforcing the use of multi-factor authentication when accessing and sharing sensitive patient data.
- Implement auditing functionality in accordance with the National Institute of Standards and Technology (NIST) guidelines. This ensures that you have a detailed and tamper-proof audit trail of all events relating to the way PHI is accessed and shared, as well as any other relevant activities that take place within your IT environment.
- Safeguard the integrity of all PHI, which mainly involves preventing PHI from being altered or destroyed without proper authorization.
HIPAA Compliant File Sharing
Since there is no official HIPAA certification, covered entities have a legal obligation to check that any third parties they share PHI with have the necessary safeguards in place to protect it. This is particularly relevant when dealing with cloud storage providers, given that it is increasingly necessary for healthcare providers to share sensitive patient data between themselves, schools, workplaces, and of course, with their patients.
One of the benefits of storing patient data in the cloud is that patients and other relevant parties can access the data from anywhere, at any time.
Of course, this also introduces a security risk, as covered entities have less control over how their data is accessed. As such, they must ensure that the cloud service provider is able to meet the HIPAA compliance requirements.
Fortunately, these days, most popular cloud service providers and file-sharing platforms have sufficient measures in place to comply with the most relevant data privacy laws. However, covered entities must also play their part in keeping their data secure. For example, they must carefully review and configure any security settings associated with the platform they use.
This might include turning off link-sharing and file-syncing capabilities, enabling multi-factor authentication, disabling third-party applications, and ensuring that they have sufficient auditing capabilities to give them visibility into who accessed or shared PHI, what was accessed, and where and when it happened.
As mentioned previously, covered entities must also ensure that PHI is encrypted in transit, which means they must encrypt the data before uploading it to the cloud storage container. Below is a round-up of the most popular cloud storage providers and file-sharing platforms that are (or at least have the potential to be) HIPAA compliant.
- Google Drive
- Microsoft OneDrive
- FTP Today
- Accellion Kiteworks
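The "encrypt before uploading" step described above, and the technical safeguard of encrypting PHI at rest and in transit, are easy to state but easy to get wrong in practice. The following Go program is an added example written for this article; it is not code from the original page, from Lepide, or from any of the providers listed. It seals a constructed sample record with AES-256-GCM before it leaves the covered entity, binds the object name into the ciphertext so a blob copied over another patient's object fails to decrypt, and shows that any modification of the stored blob is detected on download. The key handling (a fresh random key in memory) is a stand-in for a KMS or HSM that the covered entity, not the cloud provider, controls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for a PHI file; not real patient data.
var samplePHI = []byte("patient_id=000123;dob=1970-01-01;note=SAMPLE-ONLY")

// NewDataKey returns a fresh 256-bit key from the OS CSPRNG. In a real deployment
// the key lives in a KMS/HSM controlled by the covered entity, never in the cloud
// bucket next to the ciphertext (this is the "who holds the decryption keys" point).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload seals a file with AES-256-GCM before it leaves the covered
// entity, so the storage provider only ever holds ciphertext. The object name is
// bound in as associated data: a blob copied over another patient's object will
// fail to decrypt instead of silently yielding the wrong record.
// Layout of the returned blob: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func EncryptForUpload(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to a copy of the nonce, giving nonce||ct||tag in one buffer.
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, []byte(objectName)), nil
}

// DecryptFromCloud reverses EncryptForUpload and fails on any modification of the
// blob or its tag, and on a mismatch in the object name it was bound to.
func DecryptFromCloud(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(objectName))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, _ := EncryptForUpload(key, "patient-000123.txt", samplePHI)
	pt, err := DecryptFromCloud(key, "patient-000123.txt", blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, samplePHI))
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered object in the bucket
	_, err = DecryptFromCloud(key, "patient-000123.txt", blob)
	fmt.Println("tamper detected:", err != nil)
}
```

Because GCM is an authenticated mode, the same call that keeps the provider from reading the file also enforces the integrity safeguard: a flipped byte, a truncated object, or a blob moved under a different name all come back as a decryption error rather than as silently wrong patient data.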
Real-Time Monitoring of PHI
When it comes to protecting sensitive patient information, visibility is key! That’s why it is crucially important that you know exactly where your PHI resides, how it is being used, and by whom. While many cloud service providers offer basic auditing capabilities, there are limitations that you need to be aware of. For example, many healthcare providers use more than one platform for storing and sharing PHI, including their own on-premises environment.
This makes it difficult to keep track of how data is being shared. A dedicated third-party real-time auditing solution can aggregate event data from multiple platforms and display the relevant information via a single intuitive console. Most also come with data discovery and classification tools, which scan your repositories and identify and classify PHI accordingly.
They can also classify PHI at the point of creation and modification. Additionally, most real-time auditing solutions can, at the push of a button, generate pre-defined reports that are customized to satisfy the HIPAA reporting requirements.
Finally, using a dedicated third-party auditing solution will ensure that any time PHI is accessed, moved, modified or removed, an alert will be sent (in real time) to your email address or mobile app, prompting you to confirm the legitimacy of the actions involved.
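Two of the safeguards above, a tamper-proof audit trail of how PHI is accessed and shared (technical safeguards) and real-time alerts whenever PHI is moved, modified or removed (this section), can be illustrated in one small mechanism. The Go program below is an added example written for this article, not code from the original page or from any auditing product. Each audit record carries an HMAC-SHA256 tag computed by the auditing system over its own fields plus the previous record's tag, so altering, inserting or deleting a record breaks the chain and the verifier reports exactly where. The alert rule and the timestamps, user names and file paths are constructed for the demo; in practice the HMAC key belongs to the auditing system (not to the users whose actions it records) and the chained records are shipped to append-only storage.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEvent is one record of PHI being read, shared, modified, moved or deleted.
type AuditEvent struct {
	Seq      int    // position in the chain; a gap reveals a deleted record
	Time     string // RFC 3339 timestamp (constructed in the sample below)
	User     string
	Action   string // read | share | modify | move | delete
	Resource string
	PrevTag  string // hex tag of the previous record; the first record uses 64 zeros
	Tag      string // HMAC-SHA256 over all fields above, keyed by the audit system
}

// AuditLog is an append-only, hash-chained log. Because only the auditing system
// holds the HMAC key, a user who can edit the stored log still cannot produce a
// valid tag for a rewritten record.
type AuditLog struct {
	key    []byte
	Events []AuditEvent
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) tag(e AuditEvent) string {
	mac := hmac.New(sha256.New, l.key)
	// A unit-separator byte between fields keeps the encoding unambiguous.
	fmt.Fprintf(mac, "%d\x1f%s\x1f%s\x1f%s\x1f%s\x1f%s",
		e.Seq, e.Time, e.User, e.Action, e.Resource, e.PrevTag)
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records an event and links it to the previous one.
func (l *AuditLog) Append(time, user, action, resource string) AuditEvent {
	prev := strings.Repeat("0", 64)
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Tag
	}
	e := AuditEvent{Seq: len(l.Events), Time: time, User: user,
		Action: action, Resource: resource, PrevTag: prev}
	e.Tag = l.tag(e)
	l.Events = append(l.Events, e)
	return e
}

// Verify walks the chain and returns the index of the first record whose
// sequence number, link or tag is wrong, or -1 if every record checks out.
func (l *AuditLog) Verify() (int, error) {
	prev := strings.Repeat("0", 64)
	for i, e := range l.Events {
		switch {
		case e.Seq != i:
			return i, fmt.Errorf("record %d: sequence %d, expected %d (record deleted or inserted)", i, e.Seq, i)
		case e.PrevTag != prev:
			return i, fmt.Errorf("record %d: broken chain link", i)
		case !hmac.Equal([]byte(e.Tag), []byte(l.tag(e))):
			return i, fmt.Errorf("record %d: tag mismatch (contents altered)", i)
		}
		prev = e.Tag
	}
	return -1, nil
}

// ShouldAlert applies the rule from the text: moving, modifying, sharing or
// removing PHI raises an immediate alert, while plain reads are only logged.
func ShouldAlert(e AuditEvent) bool {
	switch e.Action {
	case "share", "modify", "move", "delete":
		return true
	}
	return false
}

func main() {
	trail := NewAuditLog([]byte("constructed-demo-key-replace-with-kms-secret"))
	// Constructed sample events; not real users or patient files.
	trail.Append("2024-05-01T09:00:00Z", "nurse.a", "read", "phi/patient-000123.txt")
	trail.Append("2024-05-01T09:05:00Z", "admin.b", "share", "phi/patient-000123.txt")
	for _, e := range trail.Events {
		if ShouldAlert(e) {
			fmt.Printf("ALERT %s %s %s by %s\n", e.Time, e.Action, e.Resource, e.User)
		}
	}
	trail.Events[1].User = "nurse.a" // someone rewrites who shared the file
	bad, err := trail.Verify()
	fmt.Println("first bad record:", bad, "-", err)
}
```

The chain makes the log tamper-evident rather than tamper-proof in the strict sense: whoever holds the HMAC key can still rewrite it, which is why the key and the verification step should sit with the auditing system and the records should be written to storage that the audited users cannot modify.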
If you’d like to see how the Lepide Data Security Platform can help you meet HIPAA compliance by detecting threats to your data and implementing zero-trust, schedule a demo with one of our engineers or start your free trial today.