Need to share medical files with another practitioner or with consented parties for research purposes? Sharing them online (through the cloud or otherwise) would be a great idea! But you would want to make sure you are using a HIPAA-compliant file-sharing solution.
Why?
Well, according to hipaajournal.com, 3,705 healthcare data breaches of more than 500 records were reported to the HHS' Office for Civil Rights between 2009 and 2020.
On top of that, the average cost per breach in 2020 was recorded at $499.
One thing's for sure. Health care data breaches could be a costly affair!
To help your healthcare organization securely share patient health information (PHI), in this article we will go over 5 HIPAA compliant file sharing solutions.
But before we get to these solutions, a brief recap of HIPAA.
HIPAA (Health Insurance Portability and Accountability Act) is a law in the United States that was formulated to protect Patient Health Information (PHI).
The HIPAA law comprises 5 rules:
Security Rule
Privacy Rule
Breach Notification Rule
Omnibus Rule
Enforcement Rule
Within these rules, the Security Rule is broken down into 3 levels: technical safeguards, physical safeguards and administrative safeguards.
When we talk about file-sharing systems, it's these technical safeguards that we need to look into. The technical safeguards under HIPAA are a list of features that the system needs to have in order for it to be compliant.
The infographic below summarizes what these features are:
If a file-sharing system meets these capabilities, it is called HIPAA-ready. You would also want to make sure the system uses a HIPAA-compliant cloud data center to store your files once they are uploaded.
All of the platforms compared below are evaluated based on their readiness for HIPAA. Beyond that, as a healthcare provider, it's your responsibility to make sure these platforms are deployed in a HIPAA-compliant data center.
VIDIZMO offers a HIPAA-compliant video platform that is optimized for sharing of digital media. The company has 20 years of experience in the video industry, and this is where its expertise lies.
It offers something very similar to a private YouTube, where recipients can easily view shared videos through the browser without having to download them.
At the same time, it's HIPAA-ready with advanced sharing features such as IP restrictions, multiple tokenized links per video that can be expired, and limited-time viewing where recipients can only view once, twice, etc.
Share with internal authenticated users (SSO/IAM or otherwise) or external users.
Detailed access controls and permissions
Custom login timeout
Restrict recipients from downloading files or sharing them further.
Unlike most platforms that offer a single link for a single file for sharing, VIDIZMO allows you to generate multiple links for a single file.
All URLs generated for sharing are tokenized. This way, you can expire any link if you need to revoke access from a recipient (manually or trigger workflow).
You can restrict access to specific IP addresses, to make sure only people within certain organization(s) can access the content.
It offers limited sharing, where you can specify the number of views recipients get for files or the time period between which they can access them.
It also offers guest sharing, where you specify an email address whose owner must log in temporarily to view content.
All actions performed on the platform can be viewed under a single audit log report.
Flag files to receive notifications of all actions performed on them.
The file viewing experience is modern and optimized for rich digital media.
Recipients can also add comments to files and timed comments to video files.
The solution can be deployed in an on-premise cloud.
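The sharing controls described above (one tokenized link per recipient, selective revocation, expiry, view limits, IP restriction and an audit log) can be sketched as follows. This is an added example, not VIDIZMO's code or API: the class name ShareLinks, its methods, the file ID, email addresses and IP ranges are all hypothetical and constructed for illustration.

```python
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone


class ShareLinks:
    """In-memory per-recipient share tokens (hypothetical, illustrative only)."""

    def __init__(self):
        self.links = {}  # token -> link record
        self.audit = []  # (timestamp, recipient, file_id, client_ip, outcome)

    def create(self, file_id, recipient, ttl_hours, max_views, allowed_nets):
        # One unguessable token per recipient, so access can be revoked
        # for one person without breaking the link held by anyone else.
        token = secrets.token_urlsafe(32)
        self.links[token] = {
            "file_id": file_id,
            "recipient": recipient,
            "expires": datetime.now(timezone.utc) + timedelta(hours=ttl_hours),
            "views_left": max_views,
            "revoked": False,
            "nets": [ipaddress.ip_network(n) for n in allowed_nets],
        }
        return token

    def revoke(self, token):
        self.links[token]["revoked"] = True

    def access(self, token, client_ip, now=None):
        """Return 'ok' or the reason for denial; every attempt is audited."""
        now = now or datetime.now(timezone.utc)
        link = self.links.get(token)
        if link is None:
            outcome = "unknown_token"
        elif link["revoked"]:
            outcome = "revoked"
        elif now >= link["expires"]:
            outcome = "expired"
        elif not any(ipaddress.ip_address(client_ip) in n for n in link["nets"]):
            outcome = "ip_denied"
        elif link["views_left"] <= 0:
            outcome = "view_limit"
        else:
            link["views_left"] -= 1  # only a successful view consumes the quota
            outcome = "ok"
        who = (link["recipient"], link["file_id"]) if link else (None, None)
        self.audit.append((now.isoformat(), *who, client_ip, outcome))
        return outcome
```

Denied attempts are written to the audit list with their reason, which is what lets a reviewer tell a revoked link being retried from a request arriving outside the allowed network.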
OneDrive is a file-sharing system that is included along with an Office365 subscription. It offers a number of features to help share PHI securely.
OneDrive uses Microsoft Cloud infrastructure, and your healthcare organization can enter into a business associate agreement with Microsoft for HIPAA compliance.
You can share a file by means of a link. You also have the option to set an expiration date on these links to revoke access.
You can specify an IP address to which you want to restrict access to files.
However, you can't edit what users can do once they have access to content. This can put PHI at risk of a breach if the recipient can't be trusted not to share it further. This risk is minimized if you have IP restrictions in place.
OneDrive does not allow you to generate multiple links per single file, which creates an issue if you have multiple recipients.
Moreover, the links used in sharing are not tokenized, which makes it difficult to revoke access selectively.
Recipients can add comments to files. However, it does not have an option for adding timed comments, which is required for video files.
OneDrive does lack certain key features that are offered by other platforms, like:
Access management
Use of artificial intelligence services
Digital file editor
Assigning custom attributes
Add Annotations
Integration with other IT systems
File size restrictions
Limited offline access
To learn more, do read our article on the limitations of OneDrive.
Now known as Kiteworks, this is a solution for storing and sharing files in its highly secure cloud. Its security is evident from the fact that it's available on the FedRAMP marketplace.
Kiteworks offers a solution that is great for sharing documents securely. You have top-notch security features like end-to-end encryption, permissions, watermarking and more.
However, access to and playback of digital media (such as audio and video files) is not the best in Kiteworks.
Define permissions for all shared files: watermarked view-only, download, edit, or re-upload rights.
Set a time period for content expiry.
View detailed audit log reports for files and activity in the application.
Receive notifications of actions performed on files.
It does not, however, offer redaction capabilities that may be required to protect PHI.
Video and audio files are not optimized for playback, and users may experience compatibility issues on certain devices.
Google Workspace provides a range of tools to help teams collaborate on files. These can also be secured to meet HIPAA compliance and be used by healthcare organizations.
Google Workspace offers tools for email, and collaboration on documents and digital files. The primary application for sharing files is Google Drive.
Do check out the HIPAA compliance implementation guide from Google. Also, check out information on Google's Business Associate Agreement (BAA) here.
You can view detailed reports and logs of all actions performed on files using the admin console.
Secured through multi-factor authentication and several security protocols for file security at rest and in transit.
Admins can set default sharing settings for all users in the organization.
Define permissions on shared files as to whether recipients can view, collaborate, download, etc.
You can set up 2-step verification to reduce the risk of unauthorized access to PHI.
Box provides a file-sharing platform that is used by government and healthcare organizations for its security features.
Box stores content in its secure cloud data centers and offers a range of applications with top-notch security features to protect such data.
End-to-end encryption based on FIPS 140-2 standards.
Secure authentication using SSO and MFA support.
Integrations with Google Workspace, Office365 and other applications to ingest and centrally store content.
Audit trails for all actions performed within the application.
Does not offer an on-premise deployment option for its applications.
We discussed a list of important features to look for in a platform in order for it to be considered HIPAA-ready. We then looked at 5 different platforms, each specializing in its own niche.
If you are looking for a file-sharing platform that specializes in digital media, then do check out our platform, VIDIZMO.
VIDIZMO is used in healthcare organizations where extensive amounts of video data are stored and shared. Consider the case of sharing patient videos for research purposes. Here, our platform helps by first allowing you to redact PHI and then share them conveniently.
The playback is similar to YouTube, which ensures swift access and collaboration on a range of devices.