Couchdrop and HIPAA
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation
that provides data privacy and security provisions for safeguarding medical information and
Protected Health Information.
The HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of
the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to
promote the adoption and meaningful use of health information technology.
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the
electronic transmission of health information, in part, through several provisions that strengthen
the civil and criminal enforcement of the HIPAA rules.
Reference [LINK -
What is Protected Health Information (PHI)?
Protected health information “Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual; or the past, present, or
future payment for the provision of health care to an individual” that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
There are 18 identifiers that can be used to identify, contact, or locate a person. If health
information is used with any of these identifiers it is considered identifiable. If PHI has all of
these identifiers removed, it is no longer considered to be protected health information.
1. Names (Full or last name and initial)
2. All geographical identifiers smaller than a state, except for the initial three digits of a
code if, according to the current publicly available data from the U.S. Bureau of the Census:
the geographic unit formed by combining all zip codes with the same three initial digits
contains more than 20,000 people; and the initial three digits of a zip code for all such
geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone Numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers (including serial numbers and license plate numbers)
13. Device identifiers and serial numbers;
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code
the investigator to code the data
Who is covered?
HIPAA applies to health plans, health care clearinghouses, and to any health care provider who
transmits health information in electronic form in connection with transactions for which the
Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
HIPAA and SFTP
According to HIPAA Journal [LINK - https://www.hipaajournal.com/hipaa-compliant-sftp-server/] “If
FTP is required to transfer protected health information, healthcare providers, health plans,
healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their
service provider uses a HIPAA compliant sFTP server.
a HIPAA compliant sFTP server could use AES-256 symmetric cryptography for stored data and protect
transmitted data using a RSA 2048 bit key, both of which meet NIST and HIPAA standards.”
Is Couchdrop HIPAA certified?
Unlike PCI and SOC compliance, there is no official HIPAA certification for a cloud service like
Couchdrop. However, Couchdrop provides modern security compliance and redundancy.
For more on HIPAA and Cloud Service Providers please see
Business Associate Definition
In general, a business associate is a person or organization, other than a member of a covered
entity's workforce, that performs certain functions or activities on behalf of, or provides certain
services to, a covered entity that involve the use or disclosure of individually identifiable health
Business associate services to a covered entity are limited to legal, actuarial, accounting,
consulting, data aggregation, management, administrative, accreditation, or financial services.
However, persons or organizations are not considered business associates if their functions or
services do not involve the use or disclosure of protected health information, and where any access
to protected health information by such persons would be incidental, if at all.
Business Associate Agreement
A business associate agreement is a written arrangement that specifies each party’s responsibilities
when it comes to PHI.
The contract must describe permitted and required PHI uses for the business associate, and also
state that the business associate “will not use or further disclose the protected health information
other than as permitted or required by the contract or as required by law.”
Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI
disclosure outside of what is permitted in the contract.
Couchdrop has a BAA ready and available for Enterprise customers. Please contact Couchdrop’s support
or sales team to be provided a BAA for review. Couchdrop understands that all organizations are
different and is open to consider amendments or change to the BAA, however the grounds for
acceptance would be based on whether there is an increase risk to Couchdrop and other legal or other