The Health Insurance Portability and Accountability Act (HIPAA) is an expansive piece of legislation whose scope includes the portability and continuity of health insurance, and, notably, policies and procedures governing the privacy and security of an individual’s identifiable health information.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) encouraged the adoption of electronic health records and related technologies. Notably, the HITECH Act specifically addressed privacy and security concerns surrounding electronic transmission and storage of electronic health information.
The HIPAA Omnibus Final Rule implemented a sweeping set of modifications to HIPAA to meet the provisions of the HITECH Act.
You can read further about HIPAA, the HITECH Act, and the final Omnibus rule here.
Protected Health Information (PHI) is individually identifiable health information transmitted or maintained by a covered entity or business associate in any form, including paper and electronic, that relates to an individual's:
- Past, present, or future physical or mental health or condition
- Provision of health care to the individual
- Past, present, or future payment for the provision of health care
The above laws and regulations include 4 notable rules:
The Privacy Rule sets national standards governing PHI, including giving patients increased control over their health information, setting baseline safeguards, and holding violators accountable with criminal and civil penalties.
The Security Rule requires every covered entity (and, since the HITECH Act and Omnibus Rule, every business associate) to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
The Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations, and procedures for hearings.
The Breach Notification Rule sets requirements for covered entities to notify affected individuals, the Secretary of HHS, and in some cases the media, in the event of a breach of unsecured PHI. Business associates must in turn notify the covered entity of any breach they discover.
A covered entity under HIPAA includes:
- health plans
- health care clearinghouses, and
- health care providers who submit HIPAA transactions (e.g. claims) electronically
A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
In the context of our services, Files.com is a business associate of any customer that is a covered entity (or a business associate of one) and enters into a business associate agreement (BAA) with Files.com.
HIPAA, the HITECH Act, and the final Omnibus rule together impose strict requirements on Covered Entities regarding how they store and transmit electronic protected health information (ePHI). Files.com comes with a number of features and settings that can assist with these compliance efforts, including granular user permissions, audit logs, and data encryption.
There is no official HIPAA certification for a cloud service provider (CSP) like Files.com, so no vendor can truthfully claim to be "HIPAA certified". However, Files.com provides strong security capabilities and redundancy, and we regularly monitor for updated requirements and best practices.
Penalties for failing to comply with HIPAA and/or HITECH can be extremely costly. In 2018 alone, companies paid over $28 million in fines for violating HIPAA rules, including several multi-million dollar settlements.
One of the requirements under HIPAA, expanded under HITECH, is that covered entities that want to transfer or store PHI with a third-party cloud service provider (CSP) must enter into a BAA with each such provider.
The conduit exception allows entities such as the US Postal Service, ISPs, and other entities that solely transmit PHI to avoid entering into a BAA with every covered entity they serve. Some of our competitors have incorrectly taken the position that a BAA is not necessary because they are exempt under the conduit exception. However, the U.S. Department of Health and Human Services has provided guidance on this specific issue:
“the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.”
Additionally, the same guidance states that storing ePHI in an encrypted format without giving the CSP the encryption key does not exempt the CSP from its business associate status and obligations.
To underscore the importance of a BAA, as recently as 2018 a covered entity paid a $500,000 settlement for sharing PHI with a vendor without a BAA in place.
The good news is that Files.com has a BAA available for customers on the Premier plan. To request a BAA, please contact us. Please note that as a matter of policy, we do not accept redlines or consider changes to any of our terms of service or other legal documents unless a customer is on an Enterprise plan. For Enterprise customers, we are happy to connect your legal team with our internal legal team to discuss changes; however, changes that substantially increase our risk will only be considered with a significant offsetting change.
Files.com is already trusted by numerous hospitals and health organizations to store, organize, and transfer their ePHI.
If you have any questions about storing or transferring ePHI on Files.com, or setting up your Files.com account, you can give us a call.
The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information and content available on this site are for general informational purposes only. Readers of this website are responsible for making their own independent assessment and should contact their attorney to obtain advice with respect to any particular legal matter, including compliance with any applicable state or local laws or regulations.