Need to share medical files with another practitioner, or with consented parties for research purposes? Sharing them online (through the cloud or otherwise) is the convenient option, but you need to make sure you are using a HIPAA-compliant file-sharing solution.
According to HIPAA Journal, 3,705 healthcare data breaches of 500 or more records were reported to the HHS Office for Civil Rights between 2009 and 2020.
On top of that, the average cost per breached healthcare record in 2020 was recorded at $499.
One thing's for sure: healthcare data breaches are a costly affair.
To help your healthcare organization securely share protected health information (PHI), in this article we go over 5 HIPAA-compliant file-sharing solutions.
But before we get to these solutions, a little bit of recap on HIPAA.
File Sharing Systems and HIPAA Compliance
HIPAA (Health Insurance Portability and Accountability Act) is a United States law whose Privacy and Security Rules govern how protected health information (PHI) may be used, disclosed and safeguarded.
HIPAA is implemented through five main rules:
- Security Rule
- Privacy Rule
- Breach Notification Rule
- Omnibus Rule
- Enforcement Rule
Within these rules, the Security Rule groups its requirements into three categories of safeguards: administrative, physical and technical.
When we talk about file-sharing systems, it is the technical safeguards that matter most. They are not a feature checklist as such but a set of standards (45 CFR § 164.312) that the system must be able to satisfy: access control (unique user identification, emergency access, automatic logoff, and encryption/decryption of ePHI), audit controls, integrity controls, person or entity authentication, and transmission security.
The infographic below summarizes the capabilities a file-sharing system needs in order to meet these standards:
A file-sharing system that provides these capabilities is described as HIPAA-ready. You also want to make sure the system stores uploaded files in a HIPAA-compliant cloud data center, with a business associate agreement (BAA) in place with the hosting provider.
All of the platforms compared below are evaluated on their HIPAA readiness. Beyond that, as a healthcare provider it is your responsibility to deploy them in a HIPAA-compliant data center and to execute a BAA with every vendor that handles PHI on your behalf.
Read More: HIPAA Compliant vs. HIPAA Ready
5 Solutions for HIPAA Compliant File Sharing
VIDIZMO offers something very similar to a private YouTube, where recipients can view shared videos in the browser without having to download them.
At the same time, it is HIPAA-ready, with advanced sharing controls such as IP restrictions, multiple tokenized links per video that can be expired individually, and limited viewing where a recipient is allowed a fixed number of views (once, twice, and so on) or a fixed time window.
- Share with internal authenticated users (SSO/IAM users or otherwise) or with external users.
- Restrict recipients from downloading files or sharing them onward.
- Unlike most platforms, which offer a single link per file, VIDIZMO lets you generate multiple links for a single file, for example one per recipient.
- All sharing URLs are tokenized, so you can expire any individual link to revoke one recipient's access (manually or from a triggered workflow) without affecting the other recipients.
- You can restrict access to specific IP addresses or ranges, so that only people on certain organizations' networks can reach the content.
- Limited sharing lets you specify the number of views a recipient gets for a file, or the time period during which they can access it.
- Guest sharing lets you share with a specific email address; the guest must log in temporarily to view the content.
- All actions performed on the platform can be viewed in a single audit log report.
- Flag files to receive notifications of all actions performed on them.
- The file viewing experience is modern and optimized for rich digital media.
- Recipients can also add comments to files and timed comments to video files.
- The solution can be deployed on-premises (as a private cloud).
- It can also be deployed in Azure or AWS, both of which will enter into a business associate agreement with your healthcare organization.
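To make concrete what "tokenized, expiring, view-limited, IP-restricted links with an audit log" means in practice, here is an added illustration in Python. It is not VIDIZMO's or any vendor's code; the class names, the `resolve` decision order and the sample data are all assumptions. The store keeps one opaque 256-bit random token per recipient and persists only a SHA-256 digest of it, so a database leak does not hand out working links, and revoking one recipient's link leaves the others intact.

```python
"""Illustrative tokenized share-link service (added example, not vendor code)."""
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ShareLink:
    """Server-side record behind one tokenized link (one per recipient)."""
    file_id: str
    recipient: str
    expires_at: datetime
    max_views: Optional[int]        # None means unlimited views
    allowed_networks: list          # ipaddress networks; empty means any IP
    views: int = 0
    revoked: bool = False


class ShareLinkService:
    """Hypothetical share-link store: opaque per-recipient tokens, revocable,
    with expiry, view-count limits, IP allow-lists and an audit log."""

    def __init__(self) -> None:
        self._links: Dict[str, ShareLink] = {}   # sha256(token) -> link record
        self.audit_log: List[dict] = []

    @staticmethod
    def _key(token: str) -> str:
        # Only a digest of the token is persisted, so a leaked database
        # does not give an attacker a set of working links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _audit(self, event: str, now: datetime, **details) -> None:
        self.audit_log.append({"event": event, "at": now.isoformat(), **details})

    def create_link(self, file_id: str, recipient: str, ttl: timedelta,
                    now: datetime, max_views: Optional[int] = None,
                    allowed_cidrs: Tuple[str, ...] = ()) -> str:
        """Issue a fresh 256-bit random token for one recipient and return it."""
        token = secrets.token_urlsafe(32)
        self._links[self._key(token)] = ShareLink(
            file_id=file_id, recipient=recipient, expires_at=now + ttl,
            max_views=max_views,
            allowed_networks=[ipaddress.ip_network(c) for c in allowed_cidrs])
        self._audit("link_created", now, file_id=file_id, recipient=recipient)
        return token

    def revoke(self, token: str, now: datetime) -> bool:
        """Expire one recipient's link; other links to the same file keep working."""
        link = self._links.get(self._key(token))
        if link is None:
            return False
        link.revoked = True
        self._audit("link_revoked", now, file_id=link.file_id, recipient=link.recipient)
        return True

    def resolve(self, token: str, client_ip: str, now: datetime) -> Tuple[bool, str]:
        """Decide whether a request bearing `token` from `client_ip` may view the file."""
        link = self._links.get(self._key(token))
        if link is None:
            self._audit("access_denied", now, reason="unknown_token", ip=client_ip)
            return False, "unknown_token"
        reason = None
        if link.revoked:
            reason = "revoked"
        elif now >= link.expires_at:
            reason = "expired"
        elif link.allowed_networks and not any(
                ipaddress.ip_address(client_ip) in net for net in link.allowed_networks):
            reason = "ip_not_allowed"
        elif link.max_views is not None and link.views >= link.max_views:
            reason = "view_limit_reached"
        if reason is not None:
            self._audit("access_denied", now, reason=reason, ip=client_ip,
                        file_id=link.file_id, recipient=link.recipient)
            return False, reason
        link.views += 1      # a denied request never consumes a view
        self._audit("access_granted", now, ip=client_ip, file_id=link.file_id,
                    recipient=link.recipient, view=link.views)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: a study video shared with one clinician for a week,
    # two views, only from the hospital's (documentation) address range.
    svc = ShareLinkService()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = svc.create_link("echo-study-017.mp4", "dr.a@example.org", timedelta(days=7),
                          t0, max_views=2, allowed_cidrs=("203.0.113.0/24",))
    print(svc.resolve(tok, "203.0.113.10", t0))   # (True, 'ok')
    print(svc.resolve(tok, "198.51.100.7", t0))   # (False, 'ip_not_allowed')
    svc.revoke(tok, t0)
    print(svc.resolve(tok, "203.0.113.10", t0))   # (False, 'revoked')
```

The checks in `resolve` are ordered so that a revoked or expired link is refused before the IP or view counter is consulted, and a refused request never consumes a view. Every decision, granted or denied, lands in `audit_log`, which is the raw material for the single audit report the list above describes.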
OneDrive for Business is the file-sharing service included with a Microsoft 365 (formerly Office 365) subscription. It offers a number of features that help share PHI securely.
OneDrive runs on Microsoft's cloud infrastructure, and your healthcare organization can enter into a business associate agreement with Microsoft covering it.
- You can share a file through means of a link. You also have the option to set an expiration date on these links to revoke access.
- Tenant administrators can restrict access to files to specific IP address ranges.
- However, control over what a recipient can do once they have access to the content is limited. This puts PHI at risk if a recipient cannot be trusted not to pass it on. IP restrictions reduce the risk of a forwarded link being used from outside your networks, but they do not stop an authorized recipient from downloading and forwarding the file itself.
- OneDrive does not let you generate multiple links for a single file, which is a problem when you have multiple recipients.
- Because all recipients use the same link, access cannot be revoked for one recipient without revoking it for everyone.
- Recipients can add comments to files. There is, however, no option for timed comments, which are useful for video files.
OneDrive does lack certain key features that are offered by other platforms. To learn more, do read our article on the limitations of OneDrive.
Kiteworks offers a solution that is well suited to sharing documents securely. It has strong security features such as end-to-end encryption, granular permissions, watermarking and more.
However, access to and playback of digital media (such as audio and video files) is not Kiteworks' strong point.
- Define permissions for all shared files: watermarked view-only, download, edit, or re-upload rights.
- Set a time period after which shared content expires.
- View detailed audit log reports for files and activity in the application.
- Receive notifications of actions performed on files.
- It does not, however, offer redaction capabilities, which may be needed to remove PHI from a file before sharing it.
- Video and audio files are not optimized for playback, and users may experience compatibility issues on certain devices.
Google Workspace provides a range of tools that help teams collaborate on files. Google offers a business associate agreement for Workspace, and the services covered by it can be configured to meet HIPAA requirements for use by healthcare organizations.
Google Workspace offers email and collaboration on documents and digital files. The primary application for sharing files is Google Drive.
- You can view detailed reports and logs of all actions performed on files using the admin console.
- Admins can set default sharing settings for all users in the organization.
- Define permissions on shared files as to whether recipients can view, collaborate, download, etc.
- Enforce 2-step verification to reduce the risk of unauthorized access to PHI.
Box provides a file-sharing platform that is used by government and healthcare organizations for its security features.
Box stores content in its secure cloud data centers and offers a range of applications with top-notch security features to protect such data.
- Encryption of content in transit and at rest using FIPS 140-2 validated cryptography.
- Secure authentication with SSO and MFA support.
- Integrations with Google Workspace, Microsoft 365 and other applications to ingest and centrally store content.
- Audit trails for all actions performed within the application.
- Does not offer an on-premise deployment option for its applications.
Summing it Up
We discussed the features to look for in a platform for it to be considered HIPAA-ready, and then looked at 5 platforms, each of which specializes in its own niche.
If you are looking for a file-sharing platform that specializes in digital media, do check out our platform VIDIZMO.
VIDIZMO is used in healthcare organizations where large amounts of video data are stored and shared. Consider the case of sharing patient videos for research purposes: here, the platform lets you first redact PHI from the videos and then share them conveniently.
Playback is similar to YouTube, which gives swift access and collaboration on a range of devices.