For any healthcare company, not being HIPAA-compliant may lead to embarrassing public incidents as well as hefty fines. However, even if a company doesn’t operate in the healthcare space directly but only acts as a SaaS vendor, chances are they must be HIPAA-compliant too, in order not to exclude a whole segment of potential customers.
So, what is HIPAA compliance? How can you ensure HIPAA compliance for your business? And how can you implement a HIPAA-compliant workflow? You’re about to find out.
Short for the Health Insurance Portability and Accountability Act, HIPAA is a data protection and information security act. Its purpose is to protect patients’ sensitive medical information by setting standards for securely storing, transmitting, and handling it. It’s also about patients knowing exactly how their data is used.
Generally speaking, all personal health information. It includes actual patients’ health information, such as illnesses, conditions, and treatment plans, as well as related billing information. Such data is referred to as Protected Health Information (PHI). In digital formats, for example PDF files or electronic forms, it’s referred to as ePHI.
HIPAA compliance is enforceable by law, so organizations are accountable if their non-compliance puts the public’s sensitive medical information at risk. It’s also mandatory for any digital service that may handle sensitive information, whether as a first or third party.
For example, let’s say a hospital runs an app where patients can register accounts and upload or download their test results. If the hospital’s file sharing service isn’t HIPAA-compliant, the hospital itself is also in violation.
In the best-case scenario, the hospital will have to go through a review and then, within 30 days, fix the way they handle sensitive info. However, failure to comply with HIPAA can also result in civil or criminal penalties. The fines for civil violations range from $100 to $50,000 per violation and can reach up to $1,500,000 annually. As for criminal offenses (like when someone sells sensitive data), it may result in 10 years of imprisonment in addition to fines.
Luckily, the HHS (U.S. Department of Health and Human Services) has laid out specifications that entities can follow to ensure they remain HIPAA-compliant. There are three broad categories:
- Technical safeguards: In terms of using a cloud-based file system, this involves the actual steps taken to ensure that ePHI is secure and private. (You’ll find a complete technical checklist below.)
- Physical safeguards: Even the most secure cloud storage won’t help if files can be easily accessed on a computer. Physical safeguards involve protecting buildings, computers, smartphones, and other forms of physical access. If you’re a SaaS provider, you likely use third-party services such as Google, AWS, or Uploadcare to host the data, so you can check this checkbox by signing a HIPAA Business Associate Agreement (BAA).
- Administrative safeguards: This involves your organization’s policies and procedures regarding how PHI is handled, for example, your efforts concerning education and privacy training or shredding documents before discarding them.
As a SaaS file-sharing platform, Uploadcare helps individuals and businesses achieve HIPAA compliance by providing all the required technical safeguards in our services. As such, we’ll focus mainly on the technical safeguards from here on out, although all three categories play a critical role.
The technical safeguards are a part of the Security Rule and consist of four elements:
- Access controls
- Audit controls
- Integrity controls
- Transmission security
Below, you’ll find our descriptions of these elements; however, we highly encourage you also to explore the full Technical Safeguard documentation issued by the HHS.
You need to be able to authorize users and set role-based access to certain files and features. This ensures that only those who should be able to access, view, edit, upload, download, or otherwise interact with PHI can do it. The healthcare provider itself, and the individual employees, are just as responsible in this regard as the file-sharing platform they are using.
As a HIPAA-compliant service provider, you need to ensure the following mechanics for ePHI handling:
- Unique User IDs: Each user should be identified using a unique ID so that you can set individual access control.
- Emergency access procedures: There need to be instructions and practices in place on who accesses information during emergencies and how, for example during power or network interruptions.
- Automated log-off: This safeguard prevents unauthorized access due to human carelessness. If an account is idle for a specific time, it will automatically be logged off the system and require re-authentication.
- Encryption and decryption: Unauthorized users shouldn’t be able to access and view PHI. Only an authorized party with a secret key can convert the code into comprehensible data when information is encrypted.
In Uploadcare, for example, this is covered by authentication and authorization mechanics. Each customer must be identified and authorized before they can access non-public user data. You can also specify who can upload and download files, and for how long, by providing special tokens.
Your systems must track events and user actions so that, in case of a breach or incident, a complete audit trail is available to assess the damage and come up with countermeasures. The main challenge here is that the HHS doesn’t provide detailed implementation specifications, so it’s up to you to determine appropriate audit controls for your infrastructure.
If we proceed with Uploadcare as an example, the audit controls are covered by logging all critical information system activity, which is available upon request.
The HIPAA standard requires that “data or information have not been altered or destroyed in an unauthorized manner.” Simply put, you need to make sure that ePHI is intact and safe from unintentional or intentional (unauthorized) changes. There are two sources of potential risk:
- Non-technical (e.g., staff members who accidentally delete something)
- Technical (e.g., software errors and failures that cause data corruption)
Just like with audit controls, the measures here include authorization. You need to identify all users who can access ePHI, and have an accurate audit trail that connects all actions performed with a user ID. Any unauthorized access or changes must be detected and prevented to maintain security.
Also, there must be a solution that corroborates the authenticity of ePHI. Again, the standard doesn’t provide which specific “electronic mechanisms” you should implement. Our advice here is to ensure that your monitoring activities allow you to identify any attempts to modify files and immediately prevent them. As for Uploadcare itself, it doesn’t allow users to modify any uploaded files, only create additional versions of them. If you need to, for example, resize an image, you’ll get a modified version, but the original file is intact and always accessible (unless you explicitly delete it).
Last but not least, the Transmission Security clause refers to protecting PHI when transmitted over communications networks: internet, email, call recordings, voicemail, messengers, etc. This standard has two implementation specifications we’ve already mentioned:
- Integrity controls (the input data should be the same as the output)
- Encryption (the data should be indecipherable and unusable for any unauthorized party)
For example, Uploadcare servers (as well as all incoming and outgoing communications) are encrypted with the latest protocol versions (e.g., TLS 1.2+ for transfer). User interfaces are accessible only with HTTPS. It protects any data stored and sent between a server and a client, preventing criminals from reading and modifying any information transferred.
Arranging a HIPAA-compliant file workflow from the start is the best way to avoid potentially steep penalties. However, implementing the whole workflow from scratch can cost tens of thousands of dollars a year. In this situation, your best bet might be going with a HIPAA-compliant SaaS as a ready-made solution. Uploadcare is one of these solutions.
Uploadcare provides a HIPAA-compliant high-performance pipeline for uploading, processing, storing, and transmitting PHI with all the HIPAA safeguards built in. It ensures that you have a secure platform for managing files, complete with various user access controls and encryption at all levels. This compliance is backed up by a Business Associate Agreement that can be provided upon request.
Supervision Assist is a web application for managing mental health practicums and internship programs. Its users upload various digital files, including video recordings of counseling sessions.
The team faced two challenges:
- They needed to create a reliable HIPAA-compliant application to handle sensitive data.
- They had limited development resources to do so.
We can build internal tools, but we’ve been finding that the maintenance burden is just not worth it. We end up having to spend more time working on stuff that is not our application. So, we decided to implement a third-party tool, so that they can deal with that maintenance, and we can focus on our code.
— Maximillian Schwanekamp, CTO
Uploadcare’s HIPAA-compliant infrastructure took on the sensitive data management so Supervision Assist could focus on their business. By adopting a ready-made solution, the company saves at least 50 hours of dev work annually. In sheer person-hours alone, it was enough to justify the investment in a proprietary third-party tool.
Uploadcare’s reliable file hosting, backup, and Content Delivery Network enables Supervision Assist’s users to seamlessly upload any type of media, including documents, images, audio, and video. The latter can be as big as 5 TB.
From what we at Uploadcare have seen, working with trusted HIPAA-compliant cloud services is the most time-saving and cost-effective option, and frees you up to focus on your core business. Still, it’s up to you to decide which path to take. We hope this article sheds some light on the technical safeguards necessary to arrange a secure flow of sensitive information.