HIPAA data has some of the strictest requirements of any kind of data due to the sensitivity of the personal information involved. As a result, there are additional conditions that must be met for HIPAA data compliance for file transfers.
One of the biggest challenges of working with HIPAA data is that there are no specific standards to meet but rather, a set of general guidelines to adhere to. In order to meet all of these guidelines for services like file transfers, it’s helpful to understand why HIPAA was created, the kind of health data that falls under these stricter requirements, and how to be compliant with HIPAA when transferring files.
HIPAA traces back several decades and stands for the Health Insurance Portability and Accountability Act of 1996. It was designed to expand health insurance coverage in the United States and to increase protections for Protected Health Information (PHI).
When healthcare companies started transitioning to Electronic Health Records, it significantly simplified sending and receiving patient records. However, it also came with increased risk, as entire databases of health information could be intercepted by bad actors.
As a result, the HITECH Act was signed into law in 2009, with the goal to encourage technological advancements in healthcare. HITECH also specifies how secure data transfer for HIPAA data should be handled.
A common misconception is that all data related to healthcare is HIPAA data. However, HIPAA only refers to a specific subset of data known as Protected Health Information (PHI). PHI includes 18 identifiers that can be traced to a specific individual, and according to HHS.gov these are:
From the list of 18 identifiers, it might appear like practically all health information will contain at least one of these. However, the important part is that the health information can be traced back to a specific individual.
Without these identifiers, health information can be shared without falling under HIPAA rules. So while information about “John Smith, Male, 56 with Bowel Cancer” must be handled in compliance with HIPAA, information about “a 56-year-old male with Bowel Cancer” does not have to be—as long as nothing in the data can identify John Smith.
If it is uncertain whether the data must adhere to HIPAA, the safest option is to treat it as if it does, to avoid any fees or penalties, since all parties involved with HIPAA data are responsible for protecting it.
Because health information is so sensitive and private, HIPAA makes all parties involved responsible for protecting the data. This includes health organizations such as hospitals, clinics, and insurers, as well as storage providers like Dropbox and cloud file transfer services like Couchdrop that move HIPAA files into a Dropbox account.
Currently, there is no specific HIPAA standard to meet for file transfers. Instead, there are a number of areas that must be assessed as satisfactory for HIPAA. Often, this requires having an auditor who specializes in HIPAA data check that security, processes, and protocols are at an acceptable level. All involved parties will also need to sign a Business Associate Agreement (BAA) outlining their responsibilities.
Before handling HIPAA data, there are a few important steps to take. Since there is no official HIPAA compliance standard, involved parties must have reasonable safeguards, policies, and procedures in place with regard to HIPAA data. This article on HIPAA minimum requirements gives an overview of the requirements that companies providing file transfers or other services for HIPAA data must meet to be eligible to work with PHI.
A business associate agreement is a contract between all involved parties that specifies each party’s responsibilities for safeguarding HIPAA data. This is required to legally work with HIPAA data for any organization involved.
For example, suppose a healthcare company worked with an IT company to transfer files, and that IT company uses an MFT platform like Couchdrop to transfer files into SharePoint. The healthcare company, the IT company, Couchdrop, and Microsoft all need to have a BAA that outlines their responsibilities, including steps they will take if a data breach happens.
If there is a data breach involving HIPAA data, the involved parties are required to notify affected individuals within 60 days of the breach. If the files are transferred through a system, even one that never stores the data, as is the case with Couchdrop, the business associate is still required to notify affected individuals.
If the breach affects over 500 individuals, all organizations must also provide a media notice and a notice to the Secretary by filling out a breach report on the HHS website. For more details on data breaches with HIPAA, see the Breach Notification Rule.
At Couchdrop, our infrastructure and security meet HIPAA standards, and we have a dedicated HIPAA-compliant architecture for customers working with PHI. The dedicated HIPAA architecture adds further safeguards to our already robust infrastructure, such as keeping data within the United States at all times.
Couchdrop includes a BAA for all HIPAA customers outlining file transfer protocols and procedures as well as Couchdrop’s responsibilities for data privacy and security. For more information on how Couchdrop works with HIPAA data, you can download our HIPAA white paper.
To find out more about Couchdrop’s features like file transfer automations, see our website. You can also try Couchdrop free for 14 days without a credit card or feature restrictions to evaluate if the platform will suit your needs. Sign up for your free trial today to get started.