Share this article on:
HIPAA compliant file sharing consists of more than selecting the right technology to ensure the security, integrity and confidentiality of PHI at rest or in transit. Indeed, you could implement the most HIPAA compliant file sharing technology available and still be a long way short of achieving HIPAA compliance.
It is not the technology that is at fault. Many Covered Entities and Business Associates fail to configure the technology properly or train employees how to use the technology in compliance with HIPAA. According to a recent IBM X-Force Threat Intelligence Report, 46% of data breaches in the healthcare industry are attributable to “inadvertent actors”.
Of the remaining 54% of data breaches in the healthcare industry, 29% are attributable to “outsiders”, while the remaining 25% are the work of “malicious insiders”. Therefore, if a Covered Entity implements HIPAA compliant file sharing technology, but fails to configure it properly, train employees how to use it compliantly, or introduce mechanisms to monitor access to PHI, it may only be 29% of the way towards achieving HIPAA compliance.
Understanding the Risks to PHI when Sharing Data
In order to fully understand the risks to PHI when sharing data, it is important to conduct a thorough risk assessment detailing how PHI is created, used, stored and shared – and what happens to the data once it has been shared. When the risk assessment is completed, it is necessary to conduct a risk analysis to identify vulnerabilities and weaknesses that could result in the unauthorized disclosure of PHI.
Part of the risk analysis should concern what happens to data shared with Business Associates. Business Associates should conduct their own risk assessments and risk analyses, and it is a HIPAA Security Officer´s duty to conduct due diligence on any Business Associate data is shared with, in order to ensure their file sharing procedures are also HIPAA compliant.
HIPAA Compliant File Sharing Exists Outside the Cloud
Most articles relating to file sharing and HIPAA compliance focus on the technology available to share files securely in the cloud. Although these articles provide valuable information about one specific area of sharing data, they do not address the subject of HIPAA compliant file sharing in its entirety – for example, when data is shared within a private network or in physical format.
As well as evaluating cloud-based technology for HIPAA compliant file sharing, HIPAA Security Officers should also consider access controls to files and folders stored on private networks and access logs to monitor when PHI is accessed – both online and in physical format. Done effectively, this should help prevent the #1 cause of HIPAA security breaches – employee snooping.
Explaining File Sharing and HIPAA Compliance to Employees
Employee snooping – viewing the healthcare records of family, friends, colleagues or personalities without authorization – may not result in headline data breaches, but it is a HIPAA violation – and a common one at that. However, without being told it is a violation, many employees would consider snooping no more than a misdemeanor with inquisitive intent.
Explaining that snooping is a HIPAA violation punishable by sanctions is a good foundation for explaining file sharing and HIPAA compliance to employees. It will help them better understand the seriousness of unauthorized disclosures of PHI and make them more careful about taking shortcuts “to get the job done” – a leading cause of data breaches in the healthcare industry attributable to “inadvertent actors”.
Train, Monitor, Sanction when Necessary, then Review
Whenever new HIPAA-related technology is introduced or working practices are changed, it is essential employees are provided with adequate training on the new technology or working practices. By using employee HIPAA training sessions to reinforce the message about file sharing and HIPAA compliance, the message will likely be better absorbed.
If the Covered Entity is able to support employee training with mechanisms to monitor access to PHI, and the enforcement of sanctions when necessary, the likelihood is “malicious insiders” will likely think twice before attempting to access PHI without authorization. Thereafter, HIPAA Security Officers should review policies and procedures to assess whether any further adjustments need to be made in order to ensure HIPAA compliant file sharing.