The Health Insurance Portability and Accountability Act, or HIPAA, lays down rules for the protection of sensitive data in the health care sector. This gives rise to the concept of HIPAA compliance. If you want to do business in the US healthcare sector, you need to ensure that you protect certain types of information held on your systems.
HIPAA compliance isn’t automatically required just because you provide services to the healthcare industry. It is only concerned with personally identifiable information (PII) relating to patients. Within HIPAA terminology, this PII is known as PHI, which stands for “protected health information.” You might also see this referred to as ePHI, where the “e” denotes “electronic” and refers to PHI that is stored or transmitted digitally. The HIPAA regulation extends to the healthcare insurance sector, and there are many points of entry into the financing and delivery of healthcare that might involve PHI; a service provider that handles PHI on behalf of a covered entity is a “business associate” and must comply.
One more point about the need for HIPAA compliance: HIPAA is a US law. It applies to US covered entities (healthcare providers, health plans and clearinghouses) and to the business associates that handle PHI for them. If your healthcare business operates only outside the USA, you don’t need to work within the HIPAA standards, although your own jurisdiction’s data protection rules will still apply.
Here is our list of the seven best HIPAA compliant file sharing services:
- Serv-U Managed File Transfer Server EDITOR’S CHOICE A file distribution system that is fully HIPAA-compliant. This is an on-premises package that runs on Windows Server or Linux and comes with a 14-day free trial.
- Files.com A cloud-based storage and distribution system that can have productivity software added to it.
- Google Drive A HIPAA compliant file sharing system that has companion productivity tools included with it. This is a cloud-based system.
- ShareFile A cloud file storage system that can be integrated into an email system for easy, secure file distribution.
- Tresorit A cloud-based file store and collaboration system that is fully HIPAA compliant and is G-Cloud 9 approved.
- Accellion Kiteworks A HIPAA compliant file sharing system with options to use a hosted file storage service or take the software for installation on-premises or on a private cloud.
- FTP Today A cloud storage provider that offers HIPAA compliant file sharing in its Premium plan.
HIPAA file sharing
Not every file you handle contains PHI, so strictly speaking you don’t need HIPAA compliance for all of your file actions. However, singling out HIPAA-sensitive data to channel through one file sharing system and all other files through another is both a waste of effort and a source of risk, because a single misclassified file ends up outside the protected channel. Your HIPAA compliant file sharing system should be used for all of your data sharing work.
Beyond HIPAA requirements, you need a range of functions from a file sharing system. Cloud-based systems allow your team members to “send” files without actually moving them. Instead of attaching a file to an email, the sender includes a link in the email message. This enables the receiver to view the file without needing to make a copy. However, the option to let a recipient download the file should also be available.
File sharing services that encrypt files at rest in the storage location protect files that might contain sensitive data from outsiders who gain access to that storage. The file sharing mechanism should also keep a version history of the files, recording who made what changes to each document.
The most important features required in HIPAA compliant file sharing systems are that they allow control of access and track changes to documents.
The Best HIPAA compliant File Sharing Tools
In order to comply with HIPAA requirements when implementing file sharing, the managing application must include certain security and logging measures.
We took these requirements into account when looking for the best HIPAA compliant file sharing tools and came up with the following selection criteria:
- Uses unique user IDs to identify each person who accesses documents, so that changes are traceable to that user.
- Allows control over which user accesses each document and offers different levels of access rights.
- Protects files from tampering or unauthorized access through encryption at rest and in transit, plus strong authentication, preferably with an option for 2FA.
- Version control with backups that enable earlier versions to be recovered.
- The provider of the service is willing to provide a signed Business Associate Agreement (BAA).
- Free version or free trial for a no-cost assessment.
- A price level that offers good value with respect to the level of functionality provided.
With these requirements in mind, we assessed the major file sharing services on the market today for suitability. When approaching the concept of “file sharing” there are actually two different strategies to cover. One is a collaboration suite that allows different people to edit the same document and the other is a file distribution system that doesn’t include a common editing function. We decided to explore both of these angles.
Serv-U is a specialist file transfer system that creates a secure environment for frequent file sharing. This software provider has ensured that its file transfer system checks all of the boxes to be HIPAA compliant.
This is an on-premises software package, which bucks the trend of moving everything to the cloud. Not everyone is comfortable with cloud services, especially where sensitive data is concerned. If you are particularly tasked with providing a file sharing system that is overwhelmingly for internal use then the logic of deploying a cloud service diminishes.
Serv-U Managed File Transfer Server (MFT) is positioned to cater to a number of compliance requirements. As well as HIPAA, it is compliant with PCI DSS and SOX. First of all, this is a secure file transfer system that offers a choice of protocols, including FTPS, SFTP, and HTTPS. The system is able to transfer files to mobile devices as well as to desktops and servers. It also logs all file movements, which provides essential documentation for compliance auditing.
The Serv-U MFT software is available for Windows Server and Linux. It includes an attractive browser-based administration console and full file movement tracking. You can try the system out without risk on a 14-day free trial.
Serv-U Managed File Transfer Server is our top pick for a HIPAA compliant file sharing tool because it offers maximum control over where copies of files go and protects all transmissions. This is an on-premises solution that is ideal for system managers who feel uncomfortable about contracting out file management services or storing sensitive data on third-party cloud servers. As storage of the files remains in-house and the software vendor never handles your data, there is no need for a BAA (Business Associate Agreement) with the software provider; you still need one with any hosting provider or support contractor that can access the PHI.
Get a 14-day free trial: serv-u.com/serv-u-managed-file-transfer-server/registration
Operating system: Windows Server or Linux
Files.com is a cloud-based file distribution service, which operates as a HIPAA compliant file sharing system. Users move their files to the Files.com account and then send links to recipients instead of the actual file. Permissions on the file can be set up to allow access for reading or downloading.
Viewing a file in a browser still transfers its contents to the viewer’s device, but that transfer is protected by HTTPS. Downloads are also carried out over encrypted connections. You can also apply 2FA to all user accounts.
File storage space is fully encrypted and access to it requires user credentials. Each action on a file is recorded, noting the user account and a time stamp. Files.com is willing to provide a signed BAA to customers who follow the HIPAA standards.
The Files.com service can be used for instant backup of folders and syncing, allowing specific folders to be constantly available on the cloud in an up-to-date state.
The Files.com service is charged for by subscription. The rate is calculated on a combination of the number of user accounts needed with an allocation of 1,000 GB for the entire multi-user account. It is possible to add connectivity through well-known cloud storage providers for backup and syncing. It is also possible to integrate the service with productivity suites, such as Google Workspace, and collaboration environments, such as Slack. You can get a Files.com account on a 7-day free trial.
Google Drive is available for free with 15 GB of space for each user. However, a HIPAA compliant file sharing system requires a central administration of all user accounts and you need to subscribe to a business package in order to get that.
Google Drive is included in Google Workspace (the new name for G-Suite). So, effectively, it isn’t possible to subscribe to just Google Drive because Google gives the productivity tools to all Google Drive customers for free.
The Workspace editor facilities and Google Drive itself have excellent version control functions, recording every alteration to a file and storing previous versions that can be brought back to the current version at any time.
Users share files by passing on a link. The sender can choose to set access rights for each user, allowing read-only access or full editing rights. It is also possible to allow or block downloading. Files are encrypted at rest in Google’s storage, and transfers for viewing or downloading are encrypted in transit.
The cherry on the top for HIPAA compliance is that Google will provide a signed BAA for its paid Google Workspace subscribers.
Citrix ShareFile is a cloud-based file storage service that has the right features to classify it as a HIPAA compliant file sharing system.
ShareFile integrates easily with email systems and the mechanism to grant individual access to a document involves adding that person’s email address to a list of authorized viewers. There is an Outlook plug-in for ShareFile that makes integration easy.
Each user that accesses your ShareFile storage area needs to be given an individual account, which creates the accountability needed for HIPAA. The file space and transfers are protected by AES-256 encryption and users need to use a ShareFile app on the accessing device, which ensures end-to-end security and also allows device-linked 2FA.
Actions on files are all logged and ShareFile also offers an eSignature facility that creates legally binding agreements. Citrix will also provide a signed BAA. You can try the ShareFile system on a 30-day free trial.
Tresorit is a HIPAA compliant, cloud-based file sharing service that is G-Cloud 9 approved. This tool takes a slightly different approach to file security. It encrypts each file on the user’s device before it is transferred to the cloud storage space. This gives every file stored on the system its own individual protection rather than relying only on account-wide encryption, which is applied on top.
Once a file is on the Tresorit server, it can be accessed through any standard browser or through the Tresorit apps for mobile devices. The file is encrypted before it ever reaches the server and stays encrypted there; all transfers to devices for viewing are additionally protected in transit. Device identification provides a 2FA step, and previously approved devices can be revoked.
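As an added illustration of the client-side, per-file encryption pattern described above (this is not Tresorit’s own code, and the vendor’s actual scheme is not documented on this page), the Go program below generates a random AES-256 key for each file, seals the file with it on the client, and wraps the file key under the user’s account key before anything is uploaded. The server stores only ciphertext and a wrapped key. It goes one step beyond the paragraph to show why per-file keys matter for sharing: granting another user access re-wraps only that file’s key, never the account key. The type and function names (StoredFile, EncryptForUpload, ShareWith), the demo keys and the sample record are assumptions of this example, not anything from the product.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredFile is the record the server keeps. Nothing in it is readable
// without a key the server never holds. (Hypothetical layout for this example.)
type StoredFile struct {
	ID         string // file identifier, bound to both ciphertexts as AAD
	WrappedKey []byte // per-file key, encrypted under the uploader's account key
	Body       []byte // file contents, encrypted under the per-file key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts with a fresh random nonce and returns nonce||ciphertext||tag.
func sealAEAD(key, aad, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; any change to nonce, ciphertext, tag or AAD fails.
func openAEAD(key, aad, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// EncryptForUpload runs on the client before anything is sent: a random AES-256
// key is made for this one file, the file is sealed with it, and the file key is
// wrapped under the account key, which never leaves the device.
func EncryptForUpload(accountKey []byte, fileID string, plaintext []byte) (*StoredFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	body, err := sealAEAD(fileKey, []byte(fileID), plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(accountKey, []byte(fileID), fileKey)
	if err != nil {
		return nil, err
	}
	return &StoredFile{ID: fileID, WrappedKey: wrapped, Body: body}, nil
}

// DecryptDownload runs on the client after fetching the record: unwrap the file
// key, then open the body. A wrong account key or a tampered body errors out.
func DecryptDownload(accountKey []byte, sf *StoredFile) ([]byte, error) {
	fileKey, err := openAEAD(accountKey, []byte(sf.ID), sf.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	return openAEAD(fileKey, []byte(sf.ID), sf.Body)
}

// ShareWith grants another user access to ONE file by re-wrapping its key under
// that user's account key. The owner's account key and every other file in the
// account stay private; the encrypted body is reused unchanged.
func ShareWith(ownerKey, recipientKey []byte, sf *StoredFile) (*StoredFile, error) {
	fileKey, err := openAEAD(ownerKey, []byte(sf.ID), sf.WrappedKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(recipientKey, []byte(sf.ID), fileKey)
	if err != nil {
		return nil, err
	}
	return &StoredFile{ID: sf.ID, WrappedKey: wrapped, Body: sf.Body}, nil
}

// LeaksPlaintext reports whether the stored body exposes the original contents.
func LeaksPlaintext(sf *StoredFile, plaintext []byte) bool {
	return bytes.Contains(sf.Body, plaintext)
}

func main() {
	// Constructed demo keys and record; real account keys would be derived from
	// each user's credentials on their own device.
	alice := bytes.Repeat([]byte{0x11}, 32)
	bob := bytes.Repeat([]byte{0x22}, 32)
	record := []byte("Patient 4711, discharge summary (constructed sample PHI)")

	sf, err := EncryptForUpload(alice, "lab-results-2024-03.pdf", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("server can read plaintext:", LeaksPlaintext(sf, record))
	shared, err := ShareWith(alice, bob, sf)
	if err != nil {
		panic(err)
	}
	got, err := DecryptDownload(bob, shared)
	fmt.Printf("bob reads: %q (err=%v)\n", got, err)
	shared.Body[len(shared.Body)-1] ^= 0x01 // simulate tampering in storage
	_, err = DecryptDownload(bob, shared)
	fmt.Println("tampered body rejected:", err != nil)
}
```

The file ID is passed as associated data to both AES-GCM operations, so a wrapped key or body copied into a different file’s record is rejected at decryption time; the same mechanism detects any modification of the ciphertext in storage or in transit. Revoking a recipient is a matter of deleting their wrapped key, which is why per-file keys, not a single account key, are the right unit of sharing.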
The standard way to share a file is to send the recipient a link to view the file in its Tresorit location rather than mailing it as an attachment. Permissions can be time-limited and they can also be permanently withdrawn. Users can be granted read-only access or editing rights. It is also possible to block downloads. All access events are logged.
Tresorit provides a BAA to its business customers and you can test the system on a 14-day free trial.
Accellion Kiteworks is termed a “content firewall.” It is a cloud platform that offers a range of data security services, including a HIPAA compliant file sharing system.
Kiteworks uses a 256-bit AES cipher to protect files both at rest in the storage drive and during transfers. The Kiteworks system has ISO 27001 certification and uses FIPS 140-2 Level 1 validated cryptography. Both the file owner and the administrator are notified of any access events on files, and all such events are written to a central audit log.
The Kiteworks system offers shared folders for group use and private spaces for each user. Users are individually identified by user accounts and all file actions are logged. There is also a collaboration feature attached to the file viewers, which enables authorized accessors to communicate ideas about the content through commenting and messaging.
The administrator can choose to impose automatic watermarking on all files held in the system or the file owner can apply that per file on demand. The owner can also decide on the level of access that should be allowed to collaborators. And each downloaded version can be stamped for identification to aid data leak investigations.
Files held on Kiteworks can be accessed through an app or through a plug-in that integrates the file system with Microsoft 365 components, including Outlook.
Kiteworks is charged per user per month. Accellion offers a BAA for those customers that use the hosted service. There are also options to get the file management software and host it privately on-premises or on a cloud server. You can get a demo to examine the system.
FTP Today is a cloud-based secure file storage system that offers a number of plans. You need to get its Premium plan to ensure that you have a HIPAA compliant file sharing system. Although all of the FTP Today plans are secure and offer many features, the company only offers a signed BAA for HIPAA to its Premium plan customers.
The Premium plan of FTP Today adds on more access controls to the file storage accounts, which are already very secure. Those extra features include IP address restrictions to ensure that only authorized devices can access the file space plus multi-factor authentication. The Premium plan allows unlimited user accounts and access rights can be integrated into your Single Sign-On environment.
The Premium account gets 50 GB of storage space, which can be extended. That file space is protected by encryption and there is a choice of file transfer methods, including SFTP, FTPS, FTPES (explicit FTPS), and SCP. Transfer sessions are protected with 2048-bit RSA keys (used for authentication and session key exchange, not for encrypting the file data itself), and files in the storage area are encrypted with 128-bit AES.
The system comes with its own apps for user devices, and these can be white-labeled for use by managed service providers. In the cloud, the file space is protected by a managed intrusion detection system that blocklists known attacking sources for extra protection. It is also possible to impose geo-fencing that automatically blocks access for users connecting from outside the USA.
The FTP Today system is certified under ISO 27001 and its data centers are SSAE 18 SOC 2 audited. It is possible to see a live demo version of the system. FTP Today is also available for a 14-day free trial, but you have to contact the Sales Department to request it.