HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Citrix ShareFile HIPAA Compliant?

ShareFile was bought by Citrix Systems in 2011 and the platform is marketed as a suitable data sync, file sharing, and collaboration tool for the healthcare industry, but is Citrix ShareFile HIPAA compliant?

What is Citrix ShareFile?

Citrix ShareFile is a secure file sharing, data storage and collaboration tool that allows large files to be easily shared within a company, with remote workers, and with external partners. The solution allows any authorized individual to instantly access stored documents via desktops and mobile devices.

For healthcare organizations this means the solution can be used to share large files such as DICOM images with researchers, remote healthcare workers, and business associates. The ShareFile patient portal can also be used to share PHI with patients.

Is Citrix ShareFile HIPAA Compliant?

Citrix will sign a business associate agreement with HIPAA covered entities and their business associates that covers the use of FileShare, although it is the responsibility of the covered entity to ensure that the solution is configured correctly and is used in a manner that does not violate HIPAA Rules.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The solution satisfies HIPAA requirements for data security, with appropriate access and authentication controls. Users connect to the solution via an encrypted secure SSL/TLS connection and data is protected at rest with AES 256-bit encryption. The solution also supports encryption on mobile devices. An audit trail is maintained with access logs recording who accessed files, when, and for how long and application errors and events are also logged.

So is Citrix ShareFile HIPAA compliant? The safeguards incorporated into the solution mean the solution does supports HIPAA compliance.

Where HIPAA Covered Entities Must Exercise Caution

Many firms advertise their platforms and software as HIPAA compliant, but that does not mean use does not carry risks. Software solution providers can only build in security and administrative controls that allow their solution to be used in a HIPAA compliant manner. It is the responsibility of users to make sure the solution is configured correctly and HIPAA Rules are not violated.

To avoid HIPAA violations:

  • Ensure a business associate agreement has been obtained prior to the solution being used for storing, syncing, or sharing ePHI
  • Covered entities must perform a risk analysis to determine any potential risks to the confidentiality, integrity, and availability of PHI
  • Ensure encryption is used when sending files to third parties
  • Policies and procedures (administrative safeguards) must be developed covering the use of the solution and staff must be trained
  • Access and authentication controls must be set to restrict access to PHI to only those individuals who are authorized to access information
  • Any PHI shared with third parties must be limited to the minimum necessary data for tasks to be performed
  • Appropriate security controls should be implemented on devices to ensure that in case of theft or loss, the devices cannot be used to gain access to PHI

Citrix offers guidance for covered entities on aspects of HIPAA Rules, how they apply to FileShare, and assistance to ensure HIPAA compliance while using the platform. The information can be accessed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.