HIPAA compliant file sharing requires maintaining the security, integrity and confidentiality of PHI both at rest and in transit. This does not only depend on selecting the right technology. Covered entities and business associates need to do something to make sure nothing goes wrong with the PHI.
According to the latest IBM-X-Force Threat Intelligence Report, the causes of data breaches are as follows: 46% due to inadvertent actors, 25% due to malicious insiders and 29% due to outsiders. With this in mind, if covered entities fail to train employees on security awareness and correct system configuration or to monitor PHI access, the company is only 29% ready towards achieving HIPAA compliance.
To fully understand the risks associated with the sharing of PHI, covered entities need to conduct a risk assessment from the time PHI is created, used, stored and shared. Part of the risk analysis is identifying the vulnerabilities and weaknesses of the system that could end up in unauthorized PHI disclosure. When partnering with business associates, ask what happens when data is shared with business associates. Though business associates should do their own risk analyses, it is the covered entity’s responsibility to ensure all file sharing procedures are HIPAA compliant.
File sharing does not only involve physical formats but also digital formats that can be shared within a private network or through the cloud. This entire system of sharing should be evaluated to ensure HIPAA compliance. There must be file access controls and access logs to be reviewed on a regular bases to prevent employee snooping — the #1 cause of breaches.
Some employees may consider snooping or the viewing of medical records of friends, family or popular celebrities without proper authorization as a simple misdemeanor. But snooping is a serious case of HIPAA violation. Employees should be informed about the seriousness of unauthorized PHI disclosures so that they will be more careful when doing their jobs.
When using new technology, employees should be given proper HIPAA training on how it works to make sure that all data access and system operations are HIPAA compliant. Having good communication between the management and the employees is a key to keeping malicious insiders under control. Strict enforcement of policies, procedures and sanctions will also make certain ensure a HIPAA compliant file sharing.