HIPAA data compliance for file transfers

HIPAA data has some of the strictest requirements of any kind of data due to the sensitivity of the personal information involved. As a result, there are additional conditions that must be met for HIPAA data compliance for file transfers.  

One of the biggest challenges of working with HIPAA data is that there are no specific standards to meet but rather, a set of general guidelines to adhere to. In order to meet all of these guidelines for services like file transfers, it’s helpful to understand why HIPAA was created, the kind of health data that falls under these stricter requirements, and how to be compliant with HIPAA when transferring files. 

Why was HIPAA created?

HIPAA traces back several decades and stands for the Health Insurance Portability Act of 1996. It was designed to expand insurance coverage for healthcare in the United States and increase protections for Protected Health Information (PHI). 

When healthcare companies started transitioning to Electronic Health Records, it significantly simplified sending and receiving patient records. However, it also came with increased risk, as entire databases of health information could be intercepted by bad actors. 

As a result, the HITECH Act was signed into law in 2009, with the goal to encourage technological advancements in healthcare. HITECH also specifies how secure data transfer for HIPAA data should be handled. 

Health data vs HIPAA data

A common misconception is that all data related to healthcare is HIPAA data. However, HIPAA only refers to a specific subset of data known as Protected Health Information (PHI). PHI includes 18 identifiers that can be traced to a specific individual, and according to HHS.gov these are:

1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
        a. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
        b. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Telephone numbers
5. Vehicle identifiers and serial numbers, including license plate numbers
6. Fax numbers
7. Device identifiers and serial numbers
8. Email addresses
9. Web Universal Resource Locators (URLs)
10. Social security numbers
11. Internet Protocol (IP) addresses
12. Medical record numbers
13. Biometric identifiers, including finger and voice prints
14. Health plan beneficiary numbers
15. Full-face photographs and any comparable images
16. Account numbers
17. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section [Paragraph (c) is presented below in the section “Re-identification”]; and
18. Certificate/license numbers

Health Data

From the list of 18 identifiers, it might appear like practically all health information will contain at least one of these. However, the important part is that the health information can be traced back to a specific individual. 

Without these identifiers, health information can be shared without falling under HIPAA rules. So while information about “John Smith, Male, 56 with Bowel Cancer” must be compliant with HIPAA, information about  “a 56-year old male with Bowel Cancer” does not—as long as nothing in the data can identify John Smith. 

If it’s uncertain whether or not the data must adhere to HIPAA, the safest option is to act like it does to avoid any fees or penalties, as all parties involved with HIPAA data are responsible for protecting it. 

All parties are responsible for protecting HIPAA data

Because health information is so sensitive and private, HIPAA requires that all parties involved are responsible for protecting the data. This includes health organizations like hospitals, clinics, and insurance as well as companies like Dropbox or cloud service providers like Couchdrop for transferring HIPAA files to the Dropbox account. 

How to be HIPAA compliant for file transfers

Currently, there is no specific HIPAA standard to meet for file transfers. Instead, there are a number of areas that must meet satisfactory results for HIPAA. Often, this requires having an auditor specializing in HIPAA data check to ensure security, processes, and protocols are at an acceptable level. All involved parties will also need to sign a Business Associate Agreement (BAA) outlining their responsibilities. 

Preparing to be HIPAA compliant

Before handling HIPAA data, there are a few important steps to make. Since there is no official HIPAA compliance standard, involved parties must have reasonable safeguards, policies, and procedures in place with regard to HIPAA data. This article on HIPAA minimum requirements gives an overview of requirements that companies that provide file transfers for HIPAA or other services must meet to be eligible to work with PHI. 

Business Associate Agreements

A business associate agreement is a contract between all involved parties that specifies each party’s responsibilities for safeguarding HIPAA data. This is required to legally work with HIPAA data for any organization involved. 

For example, suppose a healthcare company worked with an IT company to transfer files, and that IT company uses an MFT platform like Couchdrop to transfer files into SharePoint. The healthcare company, the IT company, Couchdrop, and Microsoft all need to have a BAA that outlines their responsibilities, including steps they will take if a data breach happens. 

Reporting Breaches

If there is a data breach with HIPAA data, involved parties are required to notify affected individuals within 60 days of the breach. If the files are transferred through a system–even if the system never stores the data like is the case with Couchdrop–the business associate is still required to notify affected individuals.

If the breach affects over 500 individuals, all organizations must also provide a media notice and a notice to the Secretary by filling out a breach report on the HHS website. For more details on data breaches with HIPAA, see the Breach Notification Rule. 

Couchdrop and HIPAA compliance for file transfers

At Couchdrop, our infrastructure and security meet HIPAA standards, and we have a dedicated HIPAA-compliant architecture for customers working with PHI. The dedicated HIPAA architecture adds additional safeguards to our already robust infrastructure such as isolating data to the United States at all times. 

Couchdrop includes a BAA for all HIPAA customers outlining file transfer protocols and procedures as well as Couchdrop’s responsibilities for data privacy and security. For more information on how Couchdrop works with HIPAA data, you can download our HIPAA white paper by clicking the button below. 

Try Couchdrop with a free 14-day trial

To find out more about Couchdrop’s features like file transfer automations, see our website. You can also try Couchdrop free for 14 days without a credit card or feature restrictions to evaluate if the platform will suit your needs. Sign up for your free trial today to get started.