Managed File Transfer & HIPAA-compliant Solutions

Healthcare facilities require their managed file transfer software to be HIPAA compliant, but finding a compliant solution isn’t always easy.

Is file transfer, by their nature, HIPAA compliant? No, basic file transfer is not HIPAA compliant. With HIPAA compliance comes a greater emphasis on protecting data to ensure protected health information (PHI) isn’t stolen, so a HIPAA-compliant solution entails more security requirements than a basic file-transfer program.

What Are HIPAA and HITECH Regulations?

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to provide regulatory compliance for healthcare providers handling sensitive patient information. This act defined two different types of organizations that fell under the jurisdiction of these regulations:

• Covered entities (CEs) are primary care physicians, doctors’ offices, hospitals, insurance companies, or any primary organizations that directly manage and process patient information.

• Business associates (BAs) are composed of third-party companies and vendors that support CEs with products and services that come into contact with patient information—for example, a payment processor for credit card terminals in hospital offices.

The implementation of regulations has changed over the years due to the modernization of medical information systems and the use of networked communication. Evolution of these regulations only accelerated in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which promoted the adoption of digital and networked record-keeping and communication in the healthcare sector.

While the types of technologies used in healthcare have changed, the core regulations of HIPAA remain relatively intact and organized under three primary rules:

1. The Data Privacy Rule: This Data Privacy Rule outlines the responsibilities of healthcare providers under regulations to protect patient information, called protected health information (PHI). All PHI must remain protected and private without the threat of unauthorized disclosure. There are very few exceptions to these rules, and any other disclosure of PHI must come with explicit consent from the patient.
2. The Security Rule: To enact the Data Privacy Rule, the Security Rule defines reasonable security and privacy controls that a CE or BA must implement in their data infrastructure. This includes policies for encryption, firewalls, and anti-malware software, management for workstations, mobile devices, and data centers, and other controls.
3. The Breach Notification Rule: In a breach where PHI is compromised, the CE or BA has specific HIPAA compliance requirements to notify affected parties, and in some cases, the public more broadly. Some notification requirements include emails and website disclaimers for typical breaches and PR releases to local news broadcasts and notifications to relevant government officials for more significant ones.

While there are other rules, the core of the regulations is found in these three rules. However, a major update called the Omnibus Rule of 2013 introduced new and updated guidelines augmenting existing regulations to better protect data stored in modern digital systems. Most prominently, the Omnibus Rule expanded the accountability of implementation and management of regulations more comprehensively for BAs working with CEs.

While the Omnibus Rule includes a thorough breakdown of regulations that CEs and BAs must adhere to, there are some basic practices that organizations are expected to meet for technologies like secure file sharing:

1. Using proper encryption algorithms: PHI stored as digital data must be encrypted both at rest in a server and in transit during file transfers. These HIPAA encryption standards state that encryption must be able to protect against any reasonable attempt to break it, which means in practice that appropriate encryption algorithms include AES-128 or AES-256 for data at rest and TLS 1.2+ for data in transit.
2. Implementing audit logging: A key part of security is maintaining audit logs for access and system events. These logs are meant to support compliance across a system, provide evidence of compliance during audits, and support investigations into breaches as forensic evidence.
3. Business associate agreements (BAAs): If a CE uses a vendor-provided file-transfer solution (or any service that touches PHI), the CE must have a standing BAA with that vendor that outlines the responsibilities of the vendor as a business associate under HIPAA.
4. Physical and administrative protection: Under HIPAA, any CE or BA must also physically protect systems that contain PHI, which means securing data centers and computers, laptops, and mobile devices. This also means that these organizations have policies in place to protect this data, train employees, and manage risk. This applies to both primary CEs and any vendor providing a data-driven service.

Managed File Transfer and HIPAA

We’ve used the term “file transfer” loosely here, but it’s essential to specify how transfers can function in a healthcare setting.

When it comes to sharing files, all HIPAA rules apply. That means that any method used to share files must include appropriate protections like encryption, audit logs, and so on. Vanilla file-transfer solutions like SFTP, while providing encryption for secure file transfers, do not meet HIPAA requirements without significant configuration changes. This lack of compliance isn’t just a security issue: The core SFTP technology isn’t built to handle the logging and reporting aspects of HIPAA, nor is it capable of meeting enterprise demands for most businesses working in the healthcare industry.

Managed file transfer (MFT) solves many of the problems with basic file transfer and sharing by integrating configured SFTP or FTPS (or other HIPAA-compliant file-sharing technologies) alongside the analytics, reporting, auditing, and other functionality that satisfies both HIPAA regulations and business demands.

That being said, MFT comes in numerous flavors. Most managed file-transfer software solutions are baked into existing enterprise file-sharing products—more or less. Not all file-sharing solutions include everything an organization needs in an MFT.

Kiteworks Platform: Comprehensive MFT for HIPAA Compliance

No business should sacrifice features and flexibility for compliance. Kiteworks delivers the most comprehensive set of security and compliance capabilities, which includes HIPAA compliance, for MFT on the market. Kiteworks encrypts both sensitive data in transit and its storage on the server, provides comprehensive audit trail reporting, and delivers robust security protection. Security capabilities include geofencing, advanced threat protection, data loss prevention, and continuous data protection.

Some of the key features include:

• A CISO Dashboard provides comprehensive data access, user access, data trends and movement, and controls over data transfers.
• Seamless MFT automation and scheduling powers robust file sharing and transfer policies, including off-hours transfers and operations triggered by employee or patient activity.
• Secure email links protect PHI while maintaining easy and streamlined communication with patients via email.
• SIEM integration with popular platforms like IBM QRadar, ArcSight, FireEye Helix, and Splunk Forwarder provide organizations with a single pane of glass to view and manage security risks. Also, the integration standardizes audit logs into a single file format to support widespread SIEM consumption.
• DLP integration to scan all in-transit data to determine whether or not it contains sensitive or personal data.
• Disaster recovery with hot systems and multi-site data redundancy guarantee your systems stay up in case of an emergency.
• SIngle-tenant cloud environments that ensure that threats to other users will not spill over into your Kiteworks platform instance.
• Access controls overflows and connections to protect sensitive data from illicit access.
• Compliant encryption, including AES-256 for data at rest and TLS 1.2 encryption for data in transit.
• Large file transfer and storage with limits up to 16 TB.
• Detailed one-click HIPAA reports highlight risks in your security and governance policies. Use them in audits to quickly demonstrate compliance with your documented controls, such as DLP scanner integration, data access policies, domain whitelisting, and file expiration controls.
• Additional layers of protection are included for encryption keys using integration with a hardware security module (HSM) or Amazon Web Services Key Management Service (AWS KMS).

Organizations that deal with PHI managed file transfer—regardless of whether they are in the healthcare industry—must have the right governance and security controls and tracking in place to ensure compliance with HIPAA. To learn more about the robust MFT security and compliance capabilities in the Kiteworks platform, schedule a custom demo today.

Additional Resources

• Blog Post How to Handle the Aftermath of a HIPAA Breach
• Blog Post What Safeguards Are Required for HIPAA Compliance
• White Paper Your Guide to HIPAA Compliance and Sensitive Content Communications
• Blog Post HIPAA compliance
• Blog Post Top HIPAA-compliant Forms [Secure Solutions ]
• Blog Post HIPAA Encryption
• Blog Post HIPAA-Compliant Email
• White Paper HIPAA Breach [What It Is & How to Handle the Aftermath]