The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the minimum standards that health care organizations must implement to protect the security, privacy, and confidentiality of patient data that is transferred over the Internet.
You can read the technical requirements in more detail in section §164.312 of the Act, but at a high level HIPAA compliant file transfers require that all patient data that is transmitted over the Internet be encrypted using industry standard 128-bit encryption algorithms. By default, Cerberus FTP Server is configured to meet these encryption requirements and provides several other features to operate your own HIPAA-compliant file transferring system.
However, a downloadable software product that you install and manage yourself like Cerberus can’t claim HIPAA compliance for sharing files on its own. Cerberus has all of the security and access control you need to make sure it’s part of a HIPAA compliant file share installation, but it is up to the system administrator to configure Cerberus to ensure compliance.
What File Transfer Security Does HIPAA Require?
HIPAA-compliant file transfer requires a healthcare data administrator to follow the E.U. General Data Protection Act and the U.S. HIPAA Security Rule by two main provisions:
- Title I – Health Care Access, Portability, and Renewability
- Title II – Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title II holds the main requirements under the Administrative Simplification Provisions located in subtitle F, sections 261 through 264 and covers the adoption of standards that pertain to file transfers. These provisions contain the following rules to note:
- The Privacy Rule
- The Electronic Transactions and Code Sets Rule
- The National identifier requirements for employers, providers, and health plans
- The Security Rule
The main outline of security policies are contained within the security rule:
- File Transfer Access Control
- File Transfer Audit Control
- File Integrity Checking
- Person or Entity Authentication
- File Transfer Transmission Security
How To Implement File Transfer Access Controls:
Ensure your file transfer software assigns unique user identifiers such as a username or ID number to track each users activity should suspicious actions occur.
Ensure your file transfer server has an emergency access procedure that will allow you to get the ePHI in your system in case the service goes down.
Your file transfer server needs an automatic logoff feature that will terminate a users session after a reasonable period of inactivity. Users can forget to log off or incorrectly log off and leave data vulnerable to unauthorized users.
The ePHI data needs encryption and decryption. By having that data encrypted, should a third party illegally obtain access to the data with malicious intent, they won’t be able to read or identify the data.
How To Implement File Transfer Audit Controls:
Keeping logs of user and system activity during each file transfer is imperative. Having a digital trail can help investigations in tracing nefarious events that occurred in your system.
How To Configure File Integrity Checking:
You’ll need a mechanism to authenticate ePHI, having one will prevent improper alteration or deletion of data whether by human error or technical error. This mechanism will alert you of any unauthorized changes.
How To Setup Person or Entity Authentication:
Your file transfer software needs an authentication access wall that requires proof of identity by either a password, PIN, smart card, token, key or biometrics.
How To Setup File Transfer Transmission Security:
You’ll need integrity controls and encryption as stated above.
Consult a HIPAA-compliant secure file transfer expert/auditor to be sure your particular setup and environment complies with all HIPAA FTP compliance rules.