Electronic Protected Health Information (ePHI) must flow from its source to many different recipients to efficiently support the mission of providing quality heath care. However, HIPAA’s data privacy and security standards limit the manner in which ePHI can be transmitted. With HIPAA now in full force - having expanded its reach officially to business associates after the Final Omnibus Rule - and Phase 2 audits currently in progress, now is the perfect time to review the controls and policies you have set in place to protect ePHI in transmission.
In many cases, transferring ePHI is embedded into the workflow with sender/receiver applications that directly connect via secure API. In this scenario the authorization model is sometimes built into the software, and sometimes manually managed and security and privacy are embedded. But what happens in the situation where ePHI does not have a pre-existing defined secure electronic delivery mechanism? With some simple controls on the sender and receiver sides, Managed File Transfer (MFT) offers a means to create a flexible, embedded, or adhoc, HIPAA-safe, data transfer mechanism.
The benefits of Managed File Transfer for ePHI are many, including:
- Hosted or on-premises capabilities
- Secure point-to-point transfer between Covered Entities (CEs) and Business Associates (BAs)
- Uses standard internet protocols that even small CEs and BAs can support with limited IT staff
- On demand, ad hoc, secure data exchange when unexpected data transfer needs arise
If you find your organization needs to use MFT for HIPAA, how do you know if the security of the system meets the requirements for transferring ePHI? Unlike the payment card industry, the HIPAA security guidelines are not proscriptive. They are derived from the HIPAA Security Rule, which was promulgated in its final form on March 26, 2013. Fortunately, as the Security Rule has been put into practice, additional clarifications and guidelines have been made available from various sources and Health and Human Services (HHS) shares them via their website.
With respect to file transfer in particular, HHS.gov points to guidelines developed by the Federal Trade Commission (FTC) under the FTC’s authority over consumer data privacy. The FTC guidelines for peer-to-peer transfer mechanisms, which are adaptable and relevant to managed file transfer of ePHI, include:
- Restrict the locations to which work files containing sensitive information can be saved or copied. For example, you can create designated, well-defended network servers to house these files, or use a file management program. These kinds of tools and techniques isolate sensitive information and may limit the extent to which peer-to-peer file sharing programs need to be banned.
- If possible, use application-level encryption to protect the information in your files. This type of encryption can help protect files that are shared inadvertently on peer-to-peer networks. If you use encryption, keep the passwords and encryption keys safe. Make sure they are not available in drives or folders designated for sharing.
- Use file naming conventions that are less likely to disclose the types of information a file contains. For example, it’s easy to spot terms like “ssn,” “tax,” or “medical” within a filename.
- Monitor peer-to-peer networks for sensitive information, either directly or by using a 3rd-party service provider. Because search terms can be viewed by others on peer-to-peer networks, be careful about the terms you use. Some search terms (such as those that include “ssn”) may increase the risk to sensitive information, while others (such as company or product names) likely will not.
Recall that the HIPAA Security Rule divides safeguards into administrative, physical, and technical controls. Each of the above recommendations should be mapped to the HIPAA safeguards. The following is a recommendation.
Administrative: § 164.308(a)(7)(ii)(E) Application Data Criticality Analysis
Include your MFT process in this part of your administrative controls analysis.
Physical: Device and Media Controls § 164.310(d)(1)
As an integral part of your ePHI data transmission process, care should be taken with any media components that may fail or need to be recycled. HIPAA has very strict data destruction guidelines pointing to NIST- SP 800-88. If you are not an expert in data destruction techniques, have your policy point to a certified data destruction provider.
Finally, the relevant technical controls are summarized in this table.
Access Control§ 164.312(a)(1)
Servers should be configured according to policy with correct authentication, authorization, and security.
§Transmission Security 164.312(e)(1)
Encryption & Decryption § 164.312(a)(2)(iv)
Implement encryption standards according to your written policy applying a well-vetted standard, consider NIST 800-52 or OWASP guidelines.
File Naming Convention
Integrity Controls§ 164.312(e)(2)(i)
Implement written standards to assure file naming conventions which will assist in meeting integrity controls.
Audit Controls § 164.312(b)
Implement continuous monitoring to ensure that no unencrypted data is transmitted. Use caution when storing audit log data to avoid accidental disclosure though gathering and transmission of audit logs.
If the above seems daunting, consider a packaged Managed File Transfer solution rather than building your own. As a solution, MFT is easily deployable and can meet your HIPAA security and compliance needs by following the above guidelines. A well-designed MFT solution will include built-in capabilities to address the HIPAA security rule, including:
- Providing a secure, contained environment for ePHI sharing that offers access controls for authentication, authorization, and built-in security of the MFT that meet or exceed HIPAA guidelines.
- Built-in certified encryption cipher suites which meet or exceed NIST 800-52 guidelines.
- Audit and logging mechanisms that can be used to help ensure proper file naming conventions and confidentiality of the ePHI processed through the MFT.
As with any decision involving HIPAA security, choosing an MFT should include input and requirements from your compliance representative, the IT and security administrators, and the business owner.