HIPAA Compliance and File Transfer: What You Need to Know
The Health Insurance Portability and Accountability Act (HIPAA) secures the Protected Health Information (PHI) of healthcare system users within the United States. Since the Omnibus Rule went into effect in 2013, millions of healthcare “business associates” have been included under the compliance umbrella, facing the same requirements, fines, and penalties as providers.
The more organizations know about HIPAA and its regulatory reach, the better prepared they will be to seek out HIPAA compliant solutions. At Fortra, our managed file transfer (MFT) solution has for years helped healthcare providers comply with rigorous HIPAA data protection standards, and it has been battle-tested by national and global healthcare organizations alike.
Understanding HIPAA File Transfer Requirements for Secure File Transfer
The requirements around HIPAA for file transfers center around three general safeguards: administrative, physical, and technical. They include:
- Preventing unauthorized access to PHI (Protected Health Information) by users or software that do not have permission.
- Ensuring users, access, and activity can be tracked on information systems that use and record PHI.
- Establishing electronic security protocols to insulate data in motion from unauthorized access as it is transferred across electronic networks.
- Disconnecting electronic sessions based on predetermined rules.
- Applying procedures to encrypt and decrypt data such as PHI.
- Demonstrating, via electronic records, that data has not been altered, compromised, or deleted without authorization.
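The last two safeguards in the list above (tracking activity on systems that handle PHI, and showing via electronic records that data was not altered) are usually met together by pairing every transfer with a tamper-evident audit record. The script below is an added illustration written for this page, not GoAnywhere code: it records the SHA-256 digest of a file along with who sent it and when, authenticates that record with an HMAC so the record itself cannot be quietly edited, and then verifies both the record and the received bytes after transfer. The audit key, file name, and file contents are constructed placeholders.

```python
"""Integrity evidence for a transferred file: a SHA-256 digest of the payload
plus an HMAC-authenticated audit record, so both the file and the record that
vouches for it can be checked after transfer.

Added example for illustration; not part of GoAnywhere MFT.
"""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholder key. In production the audit key lives in a KMS/HSM
# or secrets manager, never alongside the records it protects.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"


def file_digest(data: bytes) -> str:
    """SHA-256 of the file contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def _canonical(fields: dict) -> bytes:
    """Deterministic JSON encoding so sender and verifier MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_audit_record(filename: str, data: bytes, actor: str,
                      ts: Optional[float] = None) -> dict:
    """Build the record written to the audit log when a file is sent.

    The MAC covers file name, actor, timestamp and digest, so a later change
    to any of those fields (including the digest) is detectable.
    """
    record = {
        "file": filename,
        "actor": actor,
        "timestamp": ts if ts is not None else time.time(),
        "sha256": file_digest(data),
    }
    record["mac"] = hmac.new(AUDIT_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_transfer(record: dict, received: bytes) -> Tuple[bool, str]:
    """Verify the audit record first, then the received bytes against it.

    Returns (ok, reason). The record is checked before the payload so that a
    forged record cannot be used to 'bless' altered data.
    """
    fields = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(AUDIT_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatch.
    if not hmac.compare_digest(expected, record.get("mac", "")):
        return False, "audit record altered"
    if not hmac.compare_digest(record["sha256"], file_digest(received)):
        return False, "file contents altered"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payload standing in for an outbound claims file.
    payload = b"MRN,DOB,PROCEDURE\n000123,1970-01-01,99213\n"
    rec = make_audit_record("claims.csv", payload, actor="svc-claims")
    print(verify_transfer(rec, payload))                    # (True, 'ok')
    print(verify_transfer(rec, payload + b"\n000124,..."))  # file altered
    forged = dict(rec, actor="mallory")
    print(verify_transfer(forged, payload))                 # record altered
```

In a real deployment the record would be appended to a write-once log (or chained to the previous record's MAC) and the verifier would run on the receiving side, which is what lets an organization show an auditor that a given file arrived unmodified and who sent it.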
What is HIPAA Compliance?
HIPAA compliance is adherence to the rules issued under the 1996 U.S. HIPAA statute, chiefly the Privacy Rule and, more specifically for information security, the Security Rule.
While the Privacy Rule establishes the national standards which protect PHI, the Security Rule operationalizes those standards by laying out the technical and nontechnical safeguards required to ensure the safe handling of an individual’s electronic PHI (ePHI).
The law itself is enforced by the Office for Civil Rights (OCR), a component of the U.S. Department of Health and Human Services (HHS), which can impose civil monetary penalties for non-compliance.
To this end, GoAnywhere MFT gives healthcare organizations a practical way to comply with HIPAA obligations as it:
- Supports secure transfer protocols including FTPS, SFTP, SCP, HTTP(S), PeSIT, AS2, AS3, and AS4
- Includes popular encryption methods: Open PGP and Zip with AES encryption
- Runs on the following platforms: Windows, Linux, IBM i, Mac OS, AIX and UNIX, and VMware
- Translates data to and from formats like Excel, XML, and JSON
It also enables providers to safely send sensitive ePHI and EHR (electronic health records) to pharmacies, clinics, hospitals and insurance companies while complying with trading partner requirements.
To Whom Does HIPAA Apply?
Initially, HIPAA applied to the roughly 800,000 organizations in the U.S. delivering healthcare services as their primary function. Since 2013, it has also covered “business associates” and their subcontractors, which are now directly liable for their own adherence to the legislation.
These “business associates” include the following and more:
- A third-party administrator that assists a health plan with claims processing
- A CPA firm whose accounting services to a health care provider involve access to protected health information
- An attorney whose legal services to a health plan involve access to protected health information
- A consultant that performs utilization reviews for a hospital
What Does a HIPAA Compliance Violation Look Like?
Violations that one of the business associates above can stumble into include, but are not limited to:
- Failure to provide compliance reports
- Failure to comply fully with the Security Rule
- Failure to provide a breach notification to a covered entity or another business associate
- Failure to provide an accounting of disclosures
- Failure to take reasonable steps to contain a breach
Ultimately, HIPAA, the Omnibus Rule, and even HITRUST (the Health Information Trust Alliance, whose certifiable framework is an industry standard that maps to HIPAA rather than a law in itself) all fall under the same umbrella. That is, U.S. healthcare regulatory compliance that must be adhered to in order to secure patient information, avoid legal penalties, and ultimately even boost business.
Managed file transfer facilitates HIPAA compliance (and reduces exposure to HIPAA fines) by enabling healthcare professionals to perform the following secure functions on a daily basis:
- Automate and manage file transfers via a web-friendly dashboard
- Coordinate patient updates with outside physicians
- Protect payroll file transfers sent between healthcare organizations and banks
- Streamline the transmission of patient histories and insurance information
- Secure medication records from pharmacies
- Authenticate users so only intended parties can access data
- Secure patient data transfers to HHS or the CDC
Healthcare Organizations Count on GoAnywhere for HIPAA Compliance
At Nemours Children’s Health System, GoAnywhere MFT was able to streamline data transfers, reduce the load on critical servers, and take task completion times down from a few days to a few hours. AnMed Health used GoAnywhere MFT to automate their insurance claims processing, maintain their high volume of over 5,000 data transfers per month, and stay compliant with stringent HIPAA security requirements.
These additional case studies detail how MFT supports compliance in the healthcare industry. Read on to see how healthcare professionals put managed file transfer to use in places like the University of Tennessee Medical Center, the Cancer Registry of Greater California (CRGC), and Bristol Hospital.
Business Benefits of HIPAA
Besides implementing the cybersecurity safeguards that keep business data safe, HIPAA compliance has a few other benefits for those under its jurisdiction. Some are obvious; others are more nuanced:
- Building trust by protecting patients’ PHI | IDC discovered that 80% of customers from developed nations would refuse to give their business to an organization after it had experienced a data breach. Securing your patients’ PHI, or the PHI which your healthcare partners have entrusted to you, helps ensure you keep the client, contract, and clout to keep doing business in the future. A managed file transfer solution can make this possible. With it, you can migrate large batch files securely, protect patient records at rest, and keep them organized and safe while in transit. You can also gain additional protection from a zero-trust file transfer solution that combines the strengths of MFT, rights management and a Secure ICAP Gateway, to ensure patient data is used only on your terms.
- Avoiding fines and penalties | Being unaware of the rules is no excuse. Civil penalties apply to healthcare providers and business associates alike and are tiered by level of culpability; under HHS’s current enforcement discretion the annual cap runs from $25,000 for the lowest tier (the organization did not know, and could not reasonably have known, of the violation) up to $1.5 million per year for uncorrected willful neglect, before inflation adjustment.
- Expanding your customer base | Being HIPAA compliant can open you up to a range of business opportunities. Largely due to HITECH incentives, 80% of physicians and one in six hospitals are now using electronic health records. Any cloud service they use must be HIPAA-compliant. And would-be business associates can throw their hat into the healthcare ring when they can show similar HIPAA adherence, opening themselves up to partnerships non-compliant entities could not have.
How Complying with HIPAA Protects Your Files
Under the HIPAA Security Rule, encryption of ePHI is an “addressable” implementation specification. Addressable does not mean optional: a covered entity or business associate must implement encryption where its documented risk analysis finds it reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. The rule does not name particular algorithms, but HHS breach-notification guidance defers to NIST publications for what counts as properly encrypted (“secured”) ePHI, both at rest and in transit, so in practice encrypting patient PHI in both states is the expected baseline.
One reason, if not the most compelling, is what happens after an incident. ePHI encrypted in line with that guidance is not “unsecured” PHI, so its loss or theft does not trigger breach notification. Where data was not encrypted, an OCR investigation will be undertaken to determine whether all reasonable measures, including encryption, secure managed file transfer (MFT), and others, were employed to prevent the incident. If not, the organization will be at fault for not employing them.
HIPAA Considerations When Looking for a File Transfer Solution
Being compliant with HIPAA regulations is a must for any organization in the health care sector, and nearly any entity attached to it or hoping to be. That’s why organizations need to consider baked-in HIPAA compliance when building their security stack and shopping for new technologies.
Merging MFT and HIPAA
Companies need all-in-one solutions that can help make the road ahead for compliance easier, including implementing solutions that don’t require additional integrations and compliance measures. Fortra’s GoAnywhere Managed File Transfer provides HIPAA and HITECH compliant file transfers, securely encrypting patient ePHI and safely transmitting that data as it travels from patient to healthcare organization to a third party and back again.
It covers a host of security requirements, including encryption, so you stay safe in the event of a HIPAA audit or a breach. To help comply with HIPAA & HITECH file transfer requirements, GoAnywhere MFT:
- Runs on key platforms like Windows, IBM i, Mac OS, and Linux
- Supports secure protocols like FTPS, SFTP, and HTTP(S)
- Utilizes popular encryption methods like Open PGP and Zip with AES
On the users’ side, it automates file transfers, simplifies patient and physician communication, and streamlines it all from a user-friendly dashboard. Plus, it requires no programming experience to use, so teams can get started right away.
See How GoAnywhere Helps Support HIPAA Compliance
To see it in action, request a live, personalized demo from one of our product specialists and see how GoAnywhere MFT can help you stay HIPAA compliant.