Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. law that governs the privacy and security of protected health information (PHI). Many Files.com customers are subject to HIPAA, and the platform is compatible with HIPAA-regulated environments when configured appropriately.

What HIPAA Covers

HIPAA establishes a framework for protecting Protected Health Information (PHI), including medical records, billing information, and any other data that identifies a patient and relates to healthcare services.

HIPAA applies to two categories of organization:

  • Covered Entities, such as healthcare providers, health plans, and clearinghouses.
  • Business Associates, which are vendors that handle PHI on behalf of Covered Entities.

Organizations in either category must maintain the confidentiality, integrity, and availability of PHI in storage and in transit, and must implement technical and organizational safeguards.

Files.com as a Business Associate

When Files.com stores or transmits PHI on behalf of a Covered Entity, Files.com acts as a Business Associate under HIPAA.

Files.com offers a pre-written and pre-approved Business Associate Agreement (BAA) that we execute with any customer on an Enterprise plan. The BAA defines the roles and responsibilities of both Files.com and the customer for handling PHI in compliance with HIPAA.

HIPAA support, including BAA execution, is not available on the Starter or Power plans.

Security Configuration Requirements

The Files.com BAA requires customers to configure their site according to our Configuring Files.com for Maximum Security documentation, which covers:

  • Two-Factor Authentication (2FA)
  • Role-based access controls and least-privilege permissions
  • IP allowlisting
  • Session timeout and expiration settings
  • Encryption in transit and at rest
  • Logging and audit trail configuration
  • Remote Server Mounting for compliant storage backends (when needed)

These configuration steps are required to protect PHI in accordance with HIPAA's Security Rule.

Requesting a BAA

Customers on an Enterprise plan who want to sign a BAA with Files.com can contact their Account Executive or our customer support team. BAAs are not offered on the Starter or Power plans, and customers must follow our security configuration guidelines before using the platform to store or transmit PHI.

Shared Responsibility

HIPAA compliance using Files.com is a shared responsibility. Files.com provides the infrastructure, tools, and documentation. You are responsible for how the platform is configured and for ensuring your team handles PHI in accordance with HIPAA.

Work with your compliance, security, or legal team to confirm that your implementation of Files.com satisfies all relevant HIPAA obligations. For help configuring your site for HIPAA compliance, contact our support team.