Many agencies are embracing internet cloud-based "file-sharing" programs, like Dropbox, Google Drive and ShareFile, to store and share patient information. These programs allow you to share sizable files (unlike most email), permit you to access documents from just about anywhere with an internet connection, and sometimes offer more security than regular email or USB drives. But not all file-sharing services are created equal.
If you’re using a cloud-based service to send or store patient information, you should know the risks and your HIPAA compliance obligations. You should also be aware that your workforce members may already be using applications that you don’t know about to share patient and other sensitive company information.
File-sharing gets providers in hot water
The Office for Civil Rights (OCR) recently announced that St. Elizabeth’s Medical Center in Brighton, Mass. will pay $218,400 to settle “potential” HIPAA violations stemming in part from the use of a file-sharing program.
OCR, which is the federal agency in charge of HIPAA enforcement, received a complaint from St. Elizabeth's own employees in November 2012. The complaint raised concerns about employees' use of a web-based document-sharing application to store documents containing protected health information (PHI). OCR ultimately determined that St. Elizabeth's failed to adequately analyze the security risks of using the application.
This wasn’t the first HIPAA settlement involving the use of a web-based service. In April of 2012, a physician medical practice agreed to a $100,000 settlement for failing to have appropriate safeguards in place concerning their internet-based appointment calendar and email service. The physician practice was also cited by OCR for not having business associate agreements in place with its cloud-based service providers.
At a minimum, these cases tell us that OCR expects organizations to do two things:
- Analyze the risks of using internet-based applications for sharing PHI.
- Have a business associate agreement in place with a cloud-based service.
Risks of file-sharing applications
To understand the risks, you need to understand how file-sharing services usually operate. First, the client (e.g., an EMS provider subscribing to the file-sharing service) uploads files over the internet to a cloud-based file server. Then a notification is sent to a recipient (e.g., a consultant of the EMS provider), who retrieves the files saved on that server. Finally, those files are downloaded to the recipient's (the consultant's) computer or device over the internet. There is typically more involved in the process (password authentication, etc.), but this is the general overview.
The top risks when using a file-sharing service are:
- PHI can be intercepted while it is being uploaded to or downloaded from the internet-based server.
- PHI is susceptible to breach if the server is hacked.
- PHI could be subject to improper downloading or manipulation by anyone with access to the file-sharing account.
Healthcare records with medical ID numbers are worth anywhere from 10 to 20 times the value of a credit card number on the black market.[1] Anytime unsecured PHI is improperly accessed, there is a risk that the data could be used in a manner that harms the patient or others.
What are my obligations if I use file-sharing?
The HIPAA Security Rule requires organizations to consider different types of safeguards with respect to electronic PHI. Here are some of the things you should do if you use a file-sharing program:
1. Conduct a simple risk analysis
You should document the risks of using these applications and how you will address those risks. This is as simple as listing the risks (like the ones we mention in this article) and then listing measures to mitigate those risks. Document how your file-sharing product addresses the risks (e.g., end-to-end encryption) and whether you will implement other measures (like a policy) to safeguard PHI during file-sharing. Save the analysis; it will be "exhibit A" if OCR ever audits your file-sharing practices.
2. Review access to PHI
You should have the ability to track when PHI was uploaded, accessed, downloaded and manipulated while passing through and being stored in the file-sharing product. Many products can track the history of access and usage of a file. From time to time, someone, such as your department's privacy officer, should also look at who accessed the information and take appropriate action (breach reporting, discipline, etc.) if your agency finds that PHI was improperly used or disclosed.
3. Limit access to the program
We strongly recommend that you require username and password authentication to use the application and gain access to PHI. Many file-sharing services permit you to authorize only specific individuals to use the application. Investigate the limitations and access controls that are in place with regard to sharing uploaded documents with others. For example, can personal devices, not under the control of your agency, access the documents?
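The access review in step 2 and the access limits in step 3 come together in practice as a periodic check of the service's activity export against the agency's list of approved accounts. The following Go program is an added example for this article, not code from any file-sharing vendor: the log column layout, the account names and the log lines are all constructed for illustration. It flags three things a privacy officer would want to see: accounts that are not on the authorized list, PHI copied to a device the agency does not control, and files shared beyond the account.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// AccessEvent is one row of a file-sharing service's activity log. The column
// layout is a constructed example for this article, not any vendor's format.
type AccessEvent struct {
	Timestamp string
	User      string
	Action    string // upload, view, download, edit, share
	File      string
	Device    string // "managed" (agency-controlled) or "personal"
}

// Finding pairs an event with the reason the privacy officer should look at it.
type Finding struct {
	Event  AccessEvent
	Reason string
}

// SampleLog is constructed sample data: timestamp,user,action,file,device.
const SampleLog = `# constructed activity export, not a real provider log
2015-07-01T09:12:00Z,jsmith@agency.example,upload,run-report-0423.pdf,managed
2015-07-01T09:40:00Z,consultant@billing.example,download,run-report-0423.pdf,managed
2015-07-01T13:05:00Z,tbrown@agency.example,download,run-report-0423.pdf,personal
2015-07-02T07:55:00Z,unknown@webmail.example,view,run-report-0423.pdf,managed
2015-07-02T08:10:00Z,jsmith@agency.example,share,run-report-0423.pdf,managed
`

// DefaultAuthorized is the constructed list of accounts the agency has approved
// to use the file-sharing application (step 3, "Limit access to the program").
func DefaultAuthorized() map[string]bool {
	return map[string]bool{
		"jsmith@agency.example":      true,
		"tbrown@agency.example":      true,
		"consultant@billing.example": true, // business associate under a BAA
	}
}

// ParseLog turns the CSV export into events; lines starting with '#' are skipped.
func ParseLog(raw string) ([]AccessEvent, error) {
	r := csv.NewReader(strings.NewReader(raw))
	r.Comment = '#'
	r.FieldsPerRecord = 5
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	events := make([]AccessEvent, 0, len(rows))
	for _, row := range rows {
		events = append(events, AccessEvent{row[0], row[1], row[2], row[3], row[4]})
	}
	return events, nil
}

// ReviewAccess applies three review rules to every event and returns one
// finding per rule that fires, so a single event can produce more than one.
func ReviewAccess(events []AccessEvent, authorized map[string]bool) []Finding {
	var findings []Finding
	for _, e := range events {
		if !authorized[e.User] {
			findings = append(findings, Finding{e, "account not on the authorized user list"})
		}
		if e.Device == "personal" && (e.Action == "download" || e.Action == "edit") {
			findings = append(findings, Finding{e, "PHI copied to a device the agency does not control"})
		}
		if e.Action == "share" {
			findings = append(findings, Finding{e, "file shared beyond the account; confirm the recipient is authorized"})
		}
	}
	return findings
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		fmt.Println("could not parse log:", err)
		return
	}
	for _, f := range ReviewAccess(events, DefaultAuthorized()) {
		fmt.Printf("%s %-28s %-8s %s: %s\n",
			f.Event.Timestamp, f.Event.User, f.Event.Action, f.Event.File, f.Reason)
	}
}
```

Run against the constructed export, the program reports three findings: the download to a personal device, the view by an account nobody approved, and the share that extends access beyond the account. A real review would read the provider's own export format and keep the authorized list in sync with onboarding and offboarding, but the rules themselves do not change.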
4. Make sure the application offers end-to-end encryption
This is critical! Your file-sharing application must encrypt PHI while it is being: (1) uploaded to, (2) stored in, and (3) downloaded from, the application. Some file-sharing services may not use end-to-end encryption, which means documents may be encrypted only during transmission or only when stored on the file-sharing servers but not when being downloaded to a device.
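The distinction between transport-only encryption and end-to-end encryption is easiest to see when you model the three stages from the overview above (upload, storage, download) and look at what the server actually holds. The following Go program is an added example written for this article, not any vendor's code: the in-memory FileServer is a constructed stand-in for the provider's storage, and the document contents are a constructed sample. It encrypts the document on the sender's device with AES-256-GCM under a key the agency keeps, so the server stores only ciphertext, and it shows that a plain upload (what TLS alone leaves behind) is readable on the server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// FileServer stands in for the provider's cloud storage. It is a constructed
// stand-in for this example, not a real service's API; it stores whatever
// bytes it is handed and can be inspected to see what it holds.
type FileServer struct {
	objects map[string][]byte
}

func NewFileServer() *FileServer { return &FileServer{objects: map[string][]byte{}} }

func (s *FileServer) Store(name string, data []byte) {
	s.objects[name] = append([]byte(nil), data...)
}

func (s *FileServer) Fetch(name string) ([]byte, bool) {
	d, ok := s.objects[name]
	return d, ok
}

// StoredContains reports whether the bytes on the server include the given
// plaintext. With transport-only (TLS) encryption this stays true.
func (s *FileServer) StoredContains(name string, needle []byte) bool {
	return bytes.Contains(s.objects[name], needle)
}

// NewFileKey generates a 256-bit AES key. The key stays with the agency and
// its recipient; the provider never receives it (assumed out-of-band delivery).
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealForUpload encrypts a document on the sender's device before it leaves
// for the server. The file name is bound in as associated data so a stored
// ciphertext cannot be silently renamed or swapped for another file.
func SealForUpload(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenDownload decrypts on the recipient's device. Any change to the stored
// bytes or to the file name makes this fail instead of returning altered PHI.
func OpenDownload(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored object too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewFileKey()
	if err != nil {
		fmt.Println(err)
		return
	}
	server := NewFileServer()
	phi := []byte("constructed sample: patient John Doe, run 0423, chest pain") // constructed, not real PHI
	blob, err := SealForUpload(key, phi, "run-report-0423.pdf")
	if err != nil {
		fmt.Println(err)
		return
	}
	server.Store("run-report-0423.pdf", blob)
	fmt.Println("server can read PHI after client-side encryption:",
		server.StoredContains("run-report-0423.pdf", []byte("John Doe")))
	server.Store("plain-upload.pdf", phi) // what transport-only encryption leaves on the server
	fmt.Println("server can read PHI after transport-only encryption:",
		server.StoredContains("plain-upload.pdf", []byte("John Doe")))
	stored, _ := server.Fetch("run-report-0423.pdf")
	out, err := OpenDownload(key, stored, "run-report-0423.pdf")
	fmt.Printf("recipient decrypts OK: %v (%q)\n", err == nil, out)
}
```

The point to take from the example is where the key lives: if the provider holds the key (or only encrypts the TLS connection), a server compromise or an over-privileged account exposes the documents, which is the second and third risk listed above. The example assumes the key is delivered to the recipient out of band; how a given product manages keys is exactly the question to put to the vendor during the risk analysis.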
5. Check physical security
Where are the servers physically located and what safeguards are in place to limit access? Ask the file-sharing provider to give you a list of physical safeguards that it has in place. Many cloud services will provide you with a copy of their security policies and procedures.
6. Have a business associate agreement
If the file-sharing service stores your PHI (almost all do), you must have a Business Associate Agreement in place with the company. The recent “HIPAA Omnibus Rule” made it clear that any organization that “maintains” PHI on behalf of a covered entity is a business associate, even if they do not access the data.
7. Have a strict policy about file-sharing
You should have a strict policy regarding when a file-sharing application can be used, what product(s) may be used, and the terms and conditions for using the service(s). The policy should state that only authorized workforce members may use a file-sharing program for legitimate HIPAA-permitted reasons. The policy should also strictly prohibit the use of any other file-sharing applications for storing or sharing PHI.
8. Educate your workforce about file-sharing
Your employees should know how, when and why they can use a file-sharing application. They should also know what type of security an application offers. If your employees know that a program is secure and that you’ve considered the HIPAA risks, they’re much less likely to report you to OCR, like the employees of St. Elizabeth’s did.
Without identifying the risks and considering appropriate safeguards, your agency uses document file-sharing at its own peril. As OCR pointed out in its bulletin announcing the settlement with St. Elizabeth’s, “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.”
As a final thought, remind employees to share compliance concerns with the organization’s privacy officer first rather than reporting directly to OCR.
References
1. Your medical record is worth more to hackers than your credit card