Is WeTransfer HIPAA Compliant?
WeTransfer is not HIPAA compliant and cannot be used to upload and send or receive files that include Protected Health Information – even if the service is used inside a HIPAA compliant file sharing service. However, there are several HIPAA-compliant alternatives to WeTransfer that organizations can use to securely transmit large files – albeit not so quickly, and not for free.
WeTransfer is a file sharing service that is popular with individuals and organizations for its fast photo and video file sharing capabilities. In the healthcare industry, these capabilities would be particularly useful for sharing high resolution images between healthcare providers in order to facilitate collaboration, accelerate diagnoses, and support medical training.
One of the reasons for WeTransfer being so popular is that the service has excellent security features. These include two-factor authentication, encryption in transit and at rest, and password-protected access. In addition, WeTransfer is a Dutch company that complies with Dutch data protection laws and the GDPR. It is also ISO/IEC 27001 certified.
Is WeTransfer HIPAA Compliant?
Despite its security features and ISO/IEC 27001 certification, WeTransfer is not HIPAA compliant. WeTransfer states on its website that it has chosen to implement the same security and privacy rules globally because “it has proven to be quite difficult to make exceptions on a country level”. Consequently, WeTransfer will not enter into a HIPAA Business Associate Agreement with healthcare customers.
A comparison of WeTransfer’s security features against the HIPAA compliance requirements identifies potential gaps in the Administrative and Physical Safeguards of the HIPAA Security Rule. For example, there is no mention of WeTransfer’s Security Management Process (§164.308(a)(1)) nor any Device and Media Controls (§164.310(d)(1)). However, this does not mean these safeguards do not exist.
With regards to ways in which it may be possible to make WeTransfer HIPAA compliant, some online sources ask whether it is possible to deploy WeTransfer inside a HIPAA-compliant file sharing service such as Dropbox. It is possible to deploy WeTransfer inside Dropbox but, as any files transferred between Dropbox users would travel via WeTransfer’s servers, this would not make WeTransfer HIPAA compliant.
HIPAA Compliant Alternatives to WeTransfer
There are several HIPAA compliant alternatives to WeTransfer. None are as fast as WeTransfer, and all have limits on the size of files that can be transferred and/or the total amount of storage available per user. In addition, none of the HIPAA compliant alternatives to WeTransfer offer a free option. For example, healthcare organizations that wish to share PHI via Google Drive must subscribe to a Google Workspace Enterprise Plan.
Healthcare organizations that require a HIPAA compliant file sharing service for larger files are advised to review the size of the files they wish to upload and transfer, and the total amount of storage required per user. In some cases, it may be possible to negotiate larger file upload and transfer sizes with a company that already offers unlimited storage per user (e.g., Box). The actual file sizes required may determine whether a HIPAA compliant alternative to WeTransfer is able to accommodate the requirements.