If you haven’t heard, St. Elizabeth’s Medical Center recently agreed to pay a $218,400 settlement to HHS for HIPAA violations, in addition to implementing a “Corrective Action Plan”. One of the concerns addressed in the Corrective Action Plan was “the use of an internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals”. It’s not a stretch to suggest that St. Elizabeth’s was using Dropbox, by far the most popular file-sharing application, and one that is not HIPAA compliant.
This article is not meant as a general criticism of Dropbox. I am a paid user and I love it. It’s just not acceptable for the storage or sharing of ePHI, something even the company will admit (evidenced by the omission of HIPAA from this list). Therefore, this Q&A is an opportunity to explore the HIPAA concerns about file-sharing software, how to go about file-sharing in a HIPAA compliant way, and possible alternative systems.
Q: What are file-sharing services?
A: File-sharing services are internet or cloud-based services that provide a simple way to store and share files online and to sync files between multiple computers. Dropbox is the oldest of the services and by far the most popular.
Q: Are file-sharing services allowed under HIPAA regulations?
A: Yes, they are allowed. There’s nothing in the HIPAA rules forbidding the use of internet or cloud based services in general and file-sharing services in particular. However, there are a number of things that people need to be aware of before they select and choose to move forward with a file-sharing service.
Q: What are the key considerations when choosing a file-sharing service?
A: First, the file-sharing service must be willing to sign a Business Associate’s Agreement (BAA). This is a written contract between a covered entity and a vendor in which the vendor contractually agrees to comply with HIPAA Security rules (and some of the Privacy rules). A BAA is required for all vendors who access, view, transmit or store ePHI. This is the first strike against using Dropbox, as they will not sign a BAA.
Second, you need to consider and document the potential risks of using a file-sharing service consistent with the Evaluation Standard (§ 164.308(a)(8)) and the Risk Analysis implementation specification of the HIPAA Security rules. This evaluation should inform the decision to implement a file-sharing service.
After having considered the risks, covered entities should mitigate risks associated with the use of the service to a reasonable level.
Q: Can I make my file-sharing software HIPAA compliant by adjusting the software’s settings, for example?
A: You cannot make a file-sharing service HIPAA compliant if they are unwilling to sign a business associates’ agreement, even if the vendor encrypted all ePHI. There are vendors claiming to make Dropbox compliant. One such vendor, Sookasa, states:
“Sookasa enables users to enjoy the convenience of Dropbox and Google Drive while enabling compliance with HIPAA”
NO! This is NOT possible. While Sookasa does apparently solve some technical deficiences with how Dropbox stores data (encrypting header data, etc.), no amount of encryption can make a vendor who is storing or transmitting ePHI compliant if they are unwilling to sign a BAA. Sookasa may be a great idea to generally improve the security of data, but its use cannot make a Dropbox deployment HIPAA compliant. Dropbox will not be HIPAA compliant until the actual holder of the data is willing to sign a BAA.
Q: What features should I look for in a file-sharing service?
A: As already emphasized, first and foremost, the vendor needs to be willing to sign a business associates’ agreement. Box.com has been a market leader in providing HIPAA-compliant file-sharing and storage and was the first major vendor to agree to sign a BAA. In addition, Box.com has built in many features related to authentication, auditing, and monitoring that make them a front-runner among HIPAA compliant file-sharing services for healthcare. In addition, they have excellent integration with Active Directory to facilitate the central management of security policies and controls within the solution.
Google Drive became a HIPAA compliant file-sharing service when Google finally agreed that it would sign BAAs. However, covered entities who wish to use Google Drive must have an Enterprise Account and sign the online BAA agreement. Using the free version of Google Drive is not HIPAA compliant. In addition, some of the features associated with a Google enterprise account, such as YouTube, Picasa and Google+ must be disabled or users must agree to not share ePHI using these features. Google has published a nice guide to implementing Google for Work consistent with HIPAA. Google Drive is a less-expensive solution than Box.com, and it has a comparatively limited feature set. But for some covered entities, especially smaller clinics and enterprises, Google Drive is a viable and strong file-sharing option. (NOTE: Again, free, personal Google accounts are NOT HIPAA compliant).
Q: What do I do if an employee keeps a file-sharing service on their personal computer and uses that file-sharing service for business and personal reasons?
A: Organizations should have policies in place governing the appropriate use of personally-owned computers used for work purposes. Many covered entities like the cost savings associated with the use of personally owned devices. However, just because an asset is personally owned does not absolve a covered entity from ensuring that the use of that device is HIPAA compliant. Organizations need to understand and address the risks of practicing BYOD (Bring Your Own Device). Many organizations are reluctant to strongly restrict how employees can use their own devices, but organizations need to develop and implement policies that find the balance between appropriate management and security of information with employees’ need for freedom of use on personal computers. These policies need to directly address the appropriate use of file-sharing services.
Q: Are there viable alternatives to file-sharing services?
A: Yes. There are a number of technologies that could be appropriate and would have the benefit of staying “in-house” and eliminating the need for BAAs or even the internet. Covered entities could set up their own private cloud using a network storage device such as those from Synology or Western Digital.
Other solutions would be the use of shared network drives or Sharepoint. In both cases, appropriate access controls should be setup to prevent unauthorized access. Active Directory could be utilized to facilitate the management of policies and controls for these solutions.
Q: Any last thoughts?
A: Sure. I haven’t vetted all the vendors, but this list of HIPAA compliant vendors seems pretty complete and well researched. (Although I am deeply skeptical that the vendor BackBlaze should be on the list of compliant vendors. I see no indication of that on their website, and the price point makes it unlikely).