Navigating HIPAA-Compliant File Sharing: A Complete Primer

As a health organization, it’s your responsibility to adhere to the Health Insurance Portability and Accountability Act (HIPAA). You also need to have HIPAA-compliant file sharing standards to ensure that patients’ Protected Health Information (PHI) remains secure.

Your healthcare organization can’t operate without sharing files, but common data sharing solutions such as Google Drive are not HIPAA-compliant on their own – and there are severe penalties for HIPAA non-compliance that you should know about.

HIPAA was enacted in 1996. Before then, there was no blanket set of security standards for protecting PHI in the health industry.

Today’s clinicians use an array of digital applications, electronic health records (EHR), and computerized physician order entry (CPOE) systems to manage patient care. Each of those systems potentially risks the security of PHI, which is why HIPAA requires federally enforceable standards to protect sensitive patient information from being shared without the express consent and knowledge of the patient. In the context of data transmission, those federal standards take the form of the Security Rule.

It’s critical that healthcare organizations and businesses use HIPAA-compliant file sharing services to create, receive, transmit, and maintain PHI records. Using a non-compliant service can lead to HIPAA violations, which are costly and damaging.

What is the HIPAA Security Rule?

HIPAA includes the Security Rule, which applies to electronic-protected health information, or e-PHI. All organizations in healthcare that transmit e-PHI must:

• Ensure that all e-PHI is confidential
• Protect against security threats that could disclose e-PHI
• Safeguard against illegal use of e-PHI
• Certify that their use of e-PHI is HIPAA-compliant

Using a HIPAA-compliant file sharing service ensures that the Security Rule is met, while services that aren’t HIPAA-specific leave e-PHI vulnerable to unsecure transmission.

What data is covered by HIPAA?

HIPAA protects all individually identifiable health information, or health information that can be linked to a specific person. That can include any of the following:

• Data about mental and physical health conditions
• Information about healthcare received
• Healthcare payment information
• Demographic data

Keeping this information secure is important for many reasons, including that several pieces of a patient’s file can lead to discrimination or be pieced together to perpetrate fraud. Your organization must be careful to comply with HIPAA rules for your own sake as well as that of your patients.

Organizations subject to HIPAA compliance and penalties for non-compliance

Not all companies or groups must comply with HIPAA-related security rules, so it’s important to know if yours needs to. The following organizations are subject to HIPAA compliance:

• Healthcare providers of any size and scope who perform electronic claims, benefit inquiries, referral requests, prior authorizations, and other digital transactions using PHI
• Health plans, such as health and dental insurers, prescription drug insurers, vision insurers, health maintenance organizations (HMOs), government-sponsored health plans (e.g. Medicare and Medicaid), long-term care insurers, church-sponsored health plans, employer-sponsored health plans, and multiemployer health plans
• Healthcare clearinghouses, including businesses that process PHI into a standardized format for health plans or healthcare providers
• Businesses that use or disclose PHI, such as those that perform claims processing, data analysis, medical billing, or utilization review for patients and providers.

The penalties for HIPAA non-compliance range widely depending on the incidence. Penalties are determined by an investigation into the nature of the non-compliance, the consequences of the incident, the organization’s compliance history, and the level of negligence that resulted in the incident.

There are four tiers of penalties that vary based on the level of culpability, each of which includes a minimum and maximum penalty. These penalties are issued by the Office for Civil Rights. They include:

• Tier 1 – Lack of Knowledge: A minimum penalty of $120 and maximum penalty of $30,113 per violation
• Tier 2 – Reasonable Cause: A minimum penalty of $1,205 and maximum penalty of $60,226 per violation
• Tier 3 – Willful Neglect: A minimum penalty of $12,045 and maximum penalty of $60,226 per violation
• Tier 4 – Willful Neglect, not corrected within 30 days: A minimum penalty of $60,226 and maximum penalty of $1,806,226 per violation

If criminal intent is found, there are additional penalties. Criminal violations can also result in jail time. For instance:

• Tier 1 criminal penalties include up to $50,000 in fines and up to one year in jail
• Tier 2 criminal penalties include up to $100,000 in fines and up to five years in jail
• Tier 3 criminal penalties include up to $250,000 in fines and up to ten years in jail

You may face criminal penalties if your violations are discovered to be willful, under false pretenses, or with the intent to sell or use personally identifiable health information for personal gain. In addition, the State Attorney General can fine violations for an additional $100 to $25,000 per incident, which does not count against the maximum penalty from the Office for Civil Rights.

How to be HIPAA-compliant while sharing data

You can ensure HIPAA compliance by choosing a secure data sharing platform that puts the Data Security requirements into use. That includes:

• Administrative Safeguards, which include regular risk assessments to stay ahead of security risks that could lead to unauthorized release of PHI
• Physical Safeguards, such as the measures taken to protect files from unauthorized access and potential harm or loss
• Technical Safeguards, including data security measures during any point that PHI is communicated over a network

It’s critical to your compliance efforts that you choose a data sharing solution built for HIPAA security requirements. Most file sharing services are not compliant, though, so be sure compliance is explicitly stated. As we’ve outlined in detail above, using a non-compliant service to share data can lead to severe penalties.

That’s where Cocoon is different. Our secure data sharing platform is built for healthcare and HIPAA-compliant file sharing, including:

• One-of-a-kind encryption with end-to-end protection, linked to policies and identification, at the individual file level for ultra-safe sharing and collaboration
• Audit logging to provide a complete record of all users who have accessed each piece of data, by date and time
• Kill-the-key function that protects PHI by instantly removing access from users who shouldn’t be accessing a specific file. Even if the file is being viewed on a user’s desktop, it will instantaneously become unavailable
• Safe access options that let you limit file access by date, IP address, location, user, and more
• User-friendly design with no training needed to get started – simply add users, assign roles, and designate security options for protected data

This unique combination of features lets Cocoon users conduct internal audits without the need to involve a third party – which automatically lessens the number of people seeing and accessing sensitive information.

Protect your patients and your business with Cocoon Data

Sharing files is a necessary part of operating as a modern healthcare organization, making it more important than ever to invest in a HIPAA-friendly data solution, like Cocoon Data.

Our unique security features and user-friendly design make it ultra-simple to share and access files securely. We ensure you can operate smoothly with the data you need to share and receive, without the risk of a costly HIPAA violation.

Don’t wait to invest in a better solution for safe and secure data sharing. – contact Cocoon today to learn more about our HIPAA-compliant file sharing platform.