HIPAA and HITECH were created to ensure that patient data is secure and private. Understand how they impact your file transfers to the cloud.
It’s no secret that the majority of businesses are moving to the cloud due to its numerous benefits. A study by LogicMonitor (PDF) predicts that 83% of enterprise workloads will be in the cloud by 2020.
One of the primary tasks of a cloud migration is transferring files from local to cloud storage. Our products, SFTP Gateway for AWS and SFTP Gateway for Azure, help large enterprises such as Salesforce, Sprint, Infor, and many more transfer their files to Amazon S3 and Azure Blob Storage, respectively.
Due to regulations, migrating to the cloud can be more of a headache for some businesses than others.
Companies in the healthcare space need to be especially careful. Files to be migrated to cloud storage often include private patient records and sensitive health data, and healthcare entities need to ensure their privacy.
Thus, we get many questions from healthcare companies interested in SFTP Gateway about whether it’s HIPAA compliant.
So we thought it would be helpful to dig into what HIPAA is, how it impacts healthcare organizations, and how file transfers to the cloud are affected.
Overview of HIPAA and HITECH
HIPAA, which stands for Health Insurance Portability and Accountability Act, is a law passed in 1996 that aims to secure the privacy of patients’ electronic protected health information (ePHI).
Congress understood that technology played an important role in improving the quality and efficiency of patient care. But they also knew that these technological advancements could deteriorate the privacy of sensitive health information. Thus, HIPAA was born.
Congress followed up with HITECH, the Health Information Technology for Economic and Clinical Health Act, in 2009.
HITECH promotes the adoption and use of health information technology but also further addresses privacy and security concerns of the transmission of electronic health information. HITECH lays out the four categories of security violations (PDF) – Did Not Know; Reasonable Cause; Willful Neglect – Corrected; and Willful Neglect – Not Corrected – and assigns corresponding penalties for each.
What kinds of companies are impacted by these regulations?
HIPAA applies to what the U.S. Department of Health and Human Services (HHS) calls “covered entities” and “business associates.”
A covered entity includes the following:
- Healthcare providers – This category includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies who transmit any information in electronic form that is covered by HHS standards.
- Health plans – This encompasses health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for health care, like Medicare and Medicaid.
- Healthcare clearinghouses – These are organizations that process and standardize health information to facilitate transactions between entities. Billing services, community health information systems, and electronic claims systems fall under this bucket.
If you’re defined as a covered entity, you must comply with HIPAA requirements to ensure the privacy and security of health information and provide individuals with certain rights to protect their health information.
A business associate is an individual or organization that a covered entity engages with to help execute healthcare-related activities.
For example, let’s say you run an HMO. You might hire a software development firm to build customer relationship management software for you, and the firm needs to access patient health information to do so. Lawyers, consultants, medical transcriptionists, and any other individual or company who interfaces with protected information while helping you run your business is considered a business associate.
In order for this relationship to comply with HIPAA, you must have a written business associate agreement (BAA) that outlines what the business associate has been hired to do, the permitted uses of protected health data, and how the business associate will protect the privacy and security of this information.
If there has been a breach of contract by the business associate, you have to take action to fix the breach or terminate the agreement. If termination is not possible, then you must report the issue to HHS’ Office for Civil Rights.
HIPAA’s technical safeguards and how they apply to file transfer
HIPAA’s technical safeguards (PDF) are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Essentially, these are the standards that govern how you need to behave to protect the privacy of ePHI.
These technical safeguards come with “implementation specifications”, which provide instructions on how to carry out these standards. Implementation specifications are classified as:
- Required – you must create policies and procedures that meet this specification.
- Addressable – you can determine whether this specification is necessary, and implement it as you see fit. If you don’t implement it, you will have to document your reasons why.
The good thing is that you have some leeway to balance the level of addressable security and the cost of such an implementation based on your size, complexity, and capabilities.
On the other hand, the measure of your security efforts is subjective. So if a breach occurs, your security policies and procedures may be judged as insufficient in the eyes of regulators, and you’ll be punished accordingly.
The technical safeguards that apply to file transfers to the cloud include the following.
In order to comply with HIPAA’s access controls standards, you must implement policies and procedures that allow access only to those people or software programs that have been granted sufficient access rights.
- Assigning unique user IDs (required) – People who use the file transfer service must be assigned a unique identifier, such as a username or SSH key, to help track each user’s activity.
- Creating procedures for access to ePHI in emergencies (required) – In the event of an emergency, such as loss of electricity during a natural disaster, you must be able to access the ePHI in your system.
- Automatic logoff of users after a predetermined amount of time (addressable) – Sometimes users forget to log off. Silly users. Automatic logoff after a certain amount of time will help secure ePHI from unauthorized users.
- Encryption and decryption of ePHI (addressable) – This refers to encrypting the data stored on your file transfer servers, which would render the data useless if an unauthorized user were to gain access.
Audit Controls (required)
You must implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Essentially, you need to implement a logging system that provides an audit trail any time someone uses the file transfer system.
The Integrity standard requires you to “implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
Data integrity is paramount, especially when it comes to patients’ health data. So your file transfer system needs to have integrity controls to ensure that the data that is sent is the same as the data that is received.
The Integrity standard includes one addressable specification – “Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
We’re not sure why this is addressable and not required, but we’re not lawyers.
Integrity of ePHI can be compromised by technical and non-technical means, so human error risks must be taken into account as well.
Person or Entity Authentication (required)
Procedures that verify that a person or entity seeking access to ePHI is the one claimed must be implemented.
This entails requiring that users provide a password or PIN, tokens or keys, or biometric information to access your file transfer system and its associated ePHI.
Technical security measures must be implemented to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
There are two addressable parts to this standard:
- Integrity controls – These ensure that electronically transmitted ePHI is not improperly modified while being transmitted.
- Encryption – Whenever necessary or appropriate, you should encrypt your ePHI to ensure its security.
HIPAA compliance of SFTP Gateway for AWS and Azure
Are our SFTP Gateway products HIPAA compliant? Let’s run through each technical safeguard to find out.
- Assigning unique user IDs (required) – Each SFTP Gateway user is assigned an SSH key (preferred) or username and password to log in, so the product meets this requirement. Win!
- Creating procedures for access to ePHI in emergencies (required) – All files transferred by SFTP Gateway are stored on either Amazon S3 or Azure Blob Storage. So in the case of an emergency, users can simply log on to their AWS or Azure instances to access the files. Win!
- Automatic logoff of users after a predetermined amount of time (addressable) – While SFTP Gateway does not have automatic logoff enabled by default, the product uses OpenSSH, which allows configuration of automatic logoff. Win!
- Encryption and decryption of ePHI (addressable) – SFTP Gateway for AWS allows for server-side encryption of your files when at rest in S3 via SSE-S3, KMS, or SSE-C. For SFTP Gateway for Azure, Azure encrypts the OS disk by default when you provision a VM. And all files that travel to and from the SFTP server are encrypted via OpenSSH. Win!
SFTP Gateway creates log files that track what files are uploaded to S3 and Blob Storage, and what files are synced with private and shared download folders. Win!
SFTP Gateway’s MD5 checksum feature will only transfer files to S3 and Azure that match a pre-loaded MD5 sum. This feature ensures that the file delivered is the file received. Win!
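The integrity control described in the Integrity standard above and in this checksum feature can be sketched as a gate that forwards a file only when its digest matches one loaded before the transfer. This is an added example, not SFTP Gateway's own code; the function names, file names and manifest layout are hypothetical. The `algorithm` parameter goes beyond the page's MD5 case so the same gate can run with SHA-256, since MD5 catches accidental corruption but is not collision resistant.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algorithm):
    """Hash the file in 64 KiB chunks so large transfers are not read into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def gate_uploads(upload_dir, manifest, algorithm="md5"):
    """Split received files into (forward, quarantine) and return audit lines.

    manifest maps file name -> expected hex digest, loaded before the transfer.
    A file with no manifest entry is quarantined, not forwarded.
    """
    forward, quarantine, audit = [], [], []
    for path in sorted(p for p in upload_dir.iterdir() if p.is_file()):
        expected = manifest.get(path.name)
        actual = file_digest(path, algorithm)
        if expected is None:
            verdict = "no-expected-digest"
        elif hmac.compare_digest(actual, expected.strip().lower()):
            verdict = "match"
        else:
            verdict = "mismatch"
        (forward if verdict == "match" else quarantine).append(path.name)
        audit.append(f"{path.name} {algorithm}={actual} verdict={verdict}")
    return forward, quarantine, audit


def demo(algorithm="md5"):
    """Constructed sample: one intact file, one altered in transit, one unexpected."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        sent = {"claims.csv": b"id,code\n1,A10\n", "labs.csv": b"id,result\n7,neg\n"}
        manifest = {n: hashlib.new(algorithm, b).hexdigest() for n, b in sent.items()}
        (d / "claims.csv").write_bytes(sent["claims.csv"])
        (d / "labs.csv").write_bytes(b"id,result\n7,pos\n")  # altered after hashing
        (d / "extra.csv").write_bytes(b"unexpected\n")        # never announced
        return gate_uploads(d, manifest, algorithm)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The audit lines returned alongside the verdicts give each decision a record that can feed the logging required under Audit Controls.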
Person or Entity Authentication
As mentioned earlier, each SFTP Gateway user is assigned an SSH key or username and password for authentication. Win!
Again, SFTP Gateway’s MD5 checksum feature ensures integrity of all files transferred.
And like we mentioned prior, with respect to encryption, SFTP Gateway for AWS allows for server-side encryption when files are at rest, Azure encrypts the OS by default when you launch a VM, and files being transferred to and from the SFTP server are encrypted via OpenSSH.
Both SFTP Gateway for AWS and Azure meet all of HIPAA’s required technical standards, and have the ability to be configured to meet addressable standards as well.
If you’re interested in checking out SFTP Gateway for AWS, click here to head over to our AWS Marketplace product page.
For SFTP Gateway for Azure, click here.
We understand that your HIPAA requirements may be unique, so we’re happy to help you figure out how to configure SFTP Gateway to meet them.
Healthcare companies’ security practices are under much scrutiny due to the sensitive nature of patient data. HIPAA and HITECH were created to ensure that patient data is secure and private, and these regulations make it a bit more difficult to migrate to the cloud.
With file transfer being such a fundamental part of cloud migrations, it’s imperative for healthcare firms to be aware of all of the pertinent regulations and make sure that their file transfer solutions are HIPAA compliant.
We hope this article sheds some light on how HIPAA impacts your file transfer software.
Thanks for reading!
The information contained in this article is for general information purposes only. Thorn Technologies assumes no responsibility for errors or omissions in the contents of this article. You should seek appropriate legal counsel for your particular situation.
In no event shall Thorn Technologies be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of this article. Thorn Technologies reserves the right to make additions, deletions, or modification to the content at any time without prior notice.