The Health Insurance Portability and Accountability Act or HIPAA lays down stipulations over the protection of sensitive data in the healthcare sector. This gives rise to the concept of HIPAA compliance. If you want to get business in the health sector, you need to ensure that you protect certain types of information held on your system.
HIPAA compliance isn’t automatically required just because you provide services to the healthcare industry. It is only concerned with Personally Identifiable Information (PII) related to patients. Within HIPAA terminology, this PII is known as PHI, which stands for “protected health information.” You might also see this referred to as ePHI, where the “e” denotes “electronic” and refers to digitally stored data. The HIPAA regulation extends to the healthcare insurance sector, and there are many points of entry into the financing and implementation of healthcare that might involve PII.
One more point to make about the need for HIPAA compliance is that it only relates to patients in the USA. If your business is engaged in the healthcare sector in any other part of the world, you don’t need to work within the HIPAA standards.
Here is our list of the best HIPAA compliant file sharing services:
- Serv-U Managed File Transfer Server EDITOR’S CHOICE A file distribution system that is fully HIPAA-compliant. This is an on-premises package that runs on Windows Server or Linux and comes with a 14-day free trial.
- Files.com (FREE TRIAL) A cloud-based storage and distribution system that can have productivity software added to it. Start a 7-day free trial.
- Google Drive A HIPAA compliant file sharing system that has companion productivity tools included with it. This is a cloud-based system.
- ShareFile A cloud file storage system that can be integrated into an email system for easy, secure file distribution.
- Tresorit A cloud-based file store and collaboration system that is fully HIPAA compliant and is G-Cloud 9 approved.
- Accellion Kiteworks A HIPAA compliant file sharing system with options to use a hosted file storage service or take the software for installation on-premises or on a private cloud.
- FTP Today A cloud storage provider that offers HIPAA compliant file sharing in its Premium plan.
HIPAA file sharing
You don’t need HIPAA compliance for all of your file actions. However, singling out HIPAA-sensitive data to channel through one file-sharing system and all other files through another would be a waste of time. Your HIPAA-compliant file-sharing system should be used for all of your data-sharing work.
Beyond HIPAA requirements, you need a range of functions from a file-sharing system. Cloud-based systems allow your team members to “send” files without actually moving them. Instead of attaching a file to an email, the sender includes a link in the email message. This enables the receiver to view the file without needing to make a copy. However, the option to let a recipient download the file should also be available.
File sharing services that create secure access by imposing encryption in the storage location protect files that might contain sensitive data from being accessed by outsiders. The file sharing mechanism should also keep a version history of the files, recording who made what changes to the document.
The most important features required in HIPAA compliant file sharing systems are that they allow control of access and track changes to documents.
The Best HIPAA compliant File Sharing Tools
In order to comply with HIPAA requirements when implementing file sharing, the managing application must include certain security and logging measures.
We took these requirements into account when looking for the best HIPAA compliant file sharing tools and came up with the following selection criteria:
- Uses unique user IDs to identify each accessor to documents with changes traceable to the accessor.
- Allows control over which user accesses each document and offers different levels of access rights.
- Protects files from tampering or illegal access through encryption at rest and during transmission and access security, preferably with an option for 2FA.
- Version control with backups that enable earlier versions to be recovered.
- The provider of the service is willing to sign a Business Associate Agreement (BAA).
- Free version or free trial for a no-cost assessment.
- A price level that offers good value with respect to the level of functionality provided.
With these requirements in mind, we assessed the major file sharing services on the market today for suitability. When approaching the concept of “file sharing” there are actually two different strategies to cover. One is a collaboration suite that allows different people to edit the same document and the other is a file distribution system that doesn’t include a common editing function. We decided to explore both of these angles.
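The selection criteria above describe a small set of controls that any compliant sharing system has to enforce together: every accessor has a unique ID, each document carries its own access rights, viewing and downloading are separate permissions, earlier versions can be recovered, and every action (including refused ones) lands in a tamper-evident log. The following is an added illustration, written for this article and not code from any of the products reviewed, that models those controls in one small Python class. All names (`SecureShare`, `dr_alice`, `intake.txt`, the audit key) are invented; encryption at rest and 2FA are not modelled, and the HMAC-chained audit trail stands in for whatever logging a real product uses.

```python
import hashlib
import hmac
import json

RIGHTS = frozenset({"read", "download", "edit"})


class AccessDenied(Exception):
    pass


class SecureShare:
    """Toy share: unique user IDs, per-document rights, versions, audit trail."""

    def __init__(self, audit_key: bytes, users):
        self._audit_key = audit_key  # held by the audit subsystem, not by users
        self._users = set(users)     # every accessor has a unique ID
        self._owner = {}             # doc -> owning user ID
        self._acl = {}               # doc -> {user: set(rights)}
        self._versions = {}          # doc -> [(sha256 hex, bytes)], oldest first
        self._audit = []             # append-only, HMAC-chained trail
        self._prev_mac = "0" * 64

    def _mac(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._audit_key, data, hashlib.sha256).hexdigest()

    def _log(self, user, action, doc, outcome):
        # Each entry commits to the MAC of the one before it.
        entry = {"user": user, "action": action, "doc": doc,
                 "outcome": outcome, "prev": self._prev_mac}
        entry["mac"] = self._mac(entry)
        self._audit.append(entry)
        self._prev_mac = entry["mac"]

    def verify_audit(self) -> bool:
        # Recompute the chain; an edited, reordered or deleted entry breaks it.
        prev = "0" * 64
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def _require(self, user, doc, right):
        if right not in self._acl.get(doc, {}).get(user, set()):
            self._log(user, right, doc, "denied")  # failed attempts are logged too
            raise AccessDenied(f"{user} lacks {right} on {doc}")

    def create(self, user, doc, content: bytes):
        if user not in self._users or doc in self._versions:
            raise AccessDenied(f"cannot create {doc} as {user}")
        self._owner[doc], self._acl[doc] = user, {user: set(RIGHTS)}
        self._versions[doc] = [(hashlib.sha256(content).hexdigest(), content)]
        self._log(user, "create", doc, "ok")

    def grant(self, owner, doc, user, rights):
        # Only the owner hands out rights, and only rights the system knows.
        if self._owner.get(doc) != owner or user not in self._users \
                or not set(rights) <= RIGHTS:
            self._log(owner, "grant", doc, "denied")
            raise AccessDenied(f"grant on {doc} refused")
        self._acl[doc].setdefault(user, set()).update(rights)
        self._log(owner, "grant", doc, f"{user}:{','.join(sorted(rights))}")

    def fetch(self, user, doc, right="read") -> bytes:
        # "read" is an in-app view; "download" (a copy) must be granted separately.
        self._require(user, doc, right)
        self._log(user, right, doc, "ok")
        return self._versions[doc][-1][1]

    def edit(self, user, doc, content: bytes):
        self._require(user, doc, "edit")
        self._versions[doc].append((hashlib.sha256(content).hexdigest(), content))
        self._log(user, "edit", doc, self._versions[doc][-1][0][:12])

    def rollback(self, user, doc, version: int) -> int:
        # Restore an earlier version as a new one; history is never rewritten.
        self._require(user, doc, "edit")
        digest, content = self._versions[doc][version]
        self._versions[doc].append((digest, content))
        self._log(user, "rollback", doc, f"v{version}:{digest[:12]}")
        return len(self._versions[doc])


def demo():
    """Constructed walk-through: an owner, a collaborator and an outsider."""
    share = SecureShare(b"constructed-audit-key", ["dr_alice", "nurse_bob", "contractor"])
    share.create("dr_alice", "intake.txt", b"patient intake v1")
    share.grant("dr_alice", "intake.txt", "nurse_bob", {"read", "edit"})
    share.edit("nurse_bob", "intake.txt", b"patient intake v2")
    try:
        share.fetch("nurse_bob", "intake.txt", "download")  # may view, not copy
    except AccessDenied:
        pass  # the refusal is now in the audit trail
    versions = share.rollback("dr_alice", "intake.txt", 0)  # v1 again, as v3
    return share, versions
```

Two design points carry over to evaluating real products: a refused action is recorded with the same fields as a successful one, so an auditor can see who tried what, and a rollback appends the old content as a new version rather than deleting the newer ones, so the history the criteria ask for is never lost.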
1. Serv-U Managed File Transfer Server (FREE TRIAL)
Serv-U is a specialist file transfer system that creates a secure environment for frequent file sharing. This software provider has ensured that its file transfer system checks all of the boxes to be HIPAA compliant.
Key Features:
- Multiple secure transfer protocols: SFTP, FTPS, and HTTPS
- On-premises software: Host it on Windows Server or Linux
- Data privacy standards: Suitable for HIPAA, PCI DSS, and SOX
- Large file transfers: Up to 3GB in size
- Data processing possible: Integration with scripts
Why do we recommend it?
Serv-U Managed File Transfer Server is a great tool for moving files securely and it is compliant with HIPAA. This tool is also recommended for businesses that need to comply with PCI DSS, FISMA, SOX, and GDPR as well. This service provides SFTP, FTPS, and HTTPS options for secure file transfers and it provides scripted, scheduled transfers that can be integrated into processing workflows. The tool can also be used for on-demand file transfers.
This is an on-premises software package, which bucks the trend of moving everything to the cloud. Not everyone is comfortable with cloud services, especially where sensitive data is concerned. If you are particularly tasked with providing a file sharing system that is overwhelmingly for internal use then the logic of deploying a cloud service diminishes.
Serv-U Managed File Transfer Server (MFT) is positioned to cater to a number of compliance requirements. As well as HIPAA, it is compliant with PCI DSS and SOX. First of all, this is a secure file transfer system that offers an option of protocol, including FTPS, SFTP, and HTTPS. The system is able to transfer files to mobile devices as well as to desktops and servers. The system also logs all file movements, which provides essential documentation for compliance auditing.
Who is it recommended for?
The price of the Serv-U system might put small business owners off this product. However, it will appeal to mid-sized and large organizations. The ability to integrate secure file transfers into workflows opens up options for automated processes that provide data validation along with file movement.
Pros:
- Provides corporate control: No loss of control to cloud platforms
- Access through a Web browser: The console is Web-based
- Security options: Use SSH or TLS
- Task automation: Process files, transfer them, and then perform more processing
- Maintenance functions: Include processes to clear out target directories
Cons:
- Free trial only lasts 14 days: Most SolarWinds systems offer 30-day free trials
The Serv-U MFT software is available for Windows Server and Linux. It includes an attractive browser-based administration console and full file movement tracking. You can try the system out without risk on a 14-day free trial.
EDITOR'S CHOICE
Serv-U Managed File Transfer Server is our top pick for a HIPAA compliant file sharing tool because it offers maximum control over where copies of files go and protects all transmissions. This is an on-premises solution that is ideal for system managers who feel uncomfortable about contracting out file management services or storing sensitive data on third-party cloud servers. As storage of the files remains in-house, there is no need for a BAA (Business Associate Agreement) with the software provider.
Download: Get a 14-day free trial
Official Site: https://www.serv-u.com
OS: Windows Server or Linux
2. Files.com (FREE TRIAL)
Files.com is a cloud-based file distribution service, which operates as a HIPAA compliant file sharing system. Users move their files to the Files.com account and then send links to recipients instead of the actual file. Permissions on the file can be set up to allow access for reading or downloading.
Key Features:
- Cloud-mediated transfers: Cloud storage space is included
- Email monitoring: Strips out attachments, stores them, and replaces them with an access link in the email
- User accounts: Set up individual accounts for users
- Administrator controls: User accounts can be created and suspended centrally
Why do we recommend it?
Files.com is a secure cloud platform. It cuts down the amount of traffic winging around the internet, which reduces the amount of power used for file distribution, thus helping the planet. You upload files to the platform and then send out links for access. Recipients log into the Files.com server to view the file. You can then control what happens to your data, preventing copying and saving and blocking editing.
Reading a file in a browser requires the text to be transferred. However, this process is protected by HTTPS security. Downloads are also carried out over encrypted connections. You can also apply 2FA to all user accounts.
File storage space is fully encrypted and access to it requires user credentials. Each action on a file is recorded, noting the user account and a time stamp. Files.com is willing to provide a signed BAA to customers who follow the HIPAA standards.
The Files.com service can be used for instant backup of folders and syncing, allowing specific folders to be constantly available on the cloud in an up-to-date state.
Who is it recommended for?
Any business would benefit from the use of Files.com because it saves time, space, and money while also improving security. Keeping your sensitive data files within the control of your administrators makes privacy enforcement easier.
Pros:
- Automate transfers with syncing: Use the platform to back up files from workstations
- Cloud drive option: Let users set their Files.com as default storage for productivity tools
- File sharing: Users can invite colleagues to access files
- Link invites: Eradicate file distribution
Cons:
- Short free trial: Only seven days for the trial
The Files.com service is charged for by subscription. The rate is calculated on a combination of the number of user accounts needed with an allocation of 1,000 GB for the entire multi-user account. It is possible to add connectivity through well-known cloud storage providers for backup and syncing. It is also possible to integrate the service with productivity suites, such as Google Workspace, and collaboration environments, such as Slack. You can get a Files.com account on a 7-day free trial.
3. Google Drive
Google Drive is available for free with 15 GB of space for each user. However, a HIPAA compliant file sharing system requires a central administration of all user accounts and you need to subscribe to a business package in order to get that.
Key Features:
- Constant availability: All accounts are automatically backed up
- Easy transfers: Upload and download files through an interface menu
- Individual user accounts: Set up an account for each user
Why do we recommend it?
Google Drive is a great collaboration system because it is really a full set of productivity tools, not just a cloud file storage space. This platform enforces encryption on files at rest and removes the need to transfer files out. This is because colleagues can share files for editing and commenting without moving the data from Google Drive. You can invite outsiders to view a file by sending an access list.
Google Drive is included in Google Workspace (the new name for G-Suite). So, effectively, it isn’t possible to subscribe to just Google Drive because Google gives the productivity tools to all Google Drive customers for free.
The Workspace editor facilities and Google Drive itself have excellent version control functions, recording every alteration to a file and storing previous versions that can be brought back to the current version at any time.
Users share files by passing on a link. The sender can set access rights for each user, allowing read-only access or full editing rights. It is also possible to allow or block downloading. The storage space is protected by encryption, as are transfers for viewing or downloading.
Who is it recommended for?
Google Drive is free for individuals, so small businesses will like this tool. It also cuts out the cost of buying Microsoft 365 because it includes a sequence of file editors that mirror the facilities in the MS package. Mid-sized and large organizations will rank Google Drive as a good option.
Pros:
- Eradicate file movements: Invite a colleague to share a file instead of sending a copy
- Access controls: Don’t lose control over your files by sending them outside the company, mail an access link instead
- Corporate controls: Files held on all of your subaccounts belong to the company, not to the users
Cons:
- Product capture: You get Google Workspace productivity tools bundled in for free
The cherry on the top for HIPAA compliance is that Google will provide a signed BAA for its business plan subscribers.
4. ShareFile
Citrix ShareFile is a cloud-based file storage service that has the right features to classify it as a HIPAA compliant file sharing system.
Key Features:
- HIPAA compliant: Suitable for managing PHI
- Provides a signed BAA: Necessary for hosting PHI on the platform
- Scans emails: Replaces attachments with an access link to the stored file
Why do we recommend it?
ShareFile from Citrix works in a similar way to the Files.com system in that you upload files to the ShareFile Cloud platform and then invite viewers by sending an access link. A plug-in for Outlook means that this tool is able to scan outgoing emails and strip out attachments. These files are automatically uploaded to the ShareFile system and replaced by an access link that points to the stored document.
ShareFile integrates easily with email systems and the mechanism to grant individual access to a document involves adding that person’s email address to a list of authorized viewers. There is an Outlook plug-in for ShareFile that makes integration easy.
Each user that accesses your ShareFile storage area needs to be given an individual account, which creates the accountability needed for HIPAA. The file space and transfers are protected by AES-256 encryption and users need to use a ShareFile app on the accessing device, which ensures end-to-end security and also allows device-linked 2FA.
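Both the Files.com email monitoring described earlier and the ShareFile Outlook plug-in described here do the same thing: the attachment is taken out of the outgoing mail, stored on the platform, and replaced by a link that only an authorised recipient can use. The following is an added example, written for this article and not code from Files.com, Citrix or any other vendor, that performs that exchange on a constructed message using Python's standard `email` package. The portal URL, the `AttachmentVault` class and the sample message are all invented; the in-memory dictionary stands in for the provider's encrypted storage, and the "who may fetch" check stands in for the recipient logging into the provider's portal.

```python
import hashlib
import secrets
from email import message_from_string, policy
from email.message import EmailMessage

PORTAL = "https://files.example.invalid/d/"  # placeholder portal URL (assumed)
SAMPLE_BYTES = b"%PDF-1.4 constructed sample bytes, not a real document"


class AttachmentVault:
    """In-memory stand-in for the provider's encrypted store (constructed)."""

    def __init__(self):
        self._blobs = {}  # token -> {filename, sha256, data, allowed}

    def put(self, filename: str, data: bytes, allowed) -> str:
        token = secrets.token_urlsafe(16)  # unguessable link identifier
        self._blobs[token] = {"filename": filename, "data": data,
                              "sha256": hashlib.sha256(data).hexdigest(),
                              "allowed": set(allowed)}
        return token

    def fetch(self, token: str, requester: str):
        # Only an authenticated recipient named on the mail may read the copy;
        # knowing the link alone is not enough.
        blob = self._blobs.get(token)
        if blob is None or requester not in blob["allowed"]:
            return None
        return blob["filename"], blob["data"]

    def count(self) -> int:
        return len(self._blobs)


def strip_attachments(raw: str, vault: AttachmentVault) -> EmailMessage:
    """Move every attachment into the vault and return a copy of the mail
    whose body carries access links instead of the files."""
    msg = message_from_string(raw, policy=policy.default)
    recipients = {a.addr_spec for h in ("To", "Cc") if msg[h]
                  for a in msg[h].addresses}
    links = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "attachment"
        token = vault.put(name, part.get_payload(decode=True), recipients)
        links.append(f"{name}: {PORTAL}{token}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if links:
        text += "\nAttachments were replaced by secure links:\n" + "\n".join(links) + "\n"
    out = EmailMessage(policy=policy.default)  # rebuilt without the file parts
    for header in ("From", "To", "Cc", "Subject", "Message-ID"):
        if msg[header] is not None:
            out[header] = str(msg[header])
    out.set_content(text)
    return out


def sample_message() -> str:
    """Constructed outgoing mail with one attachment."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "clinic@example.invalid"
    m["To"] = "partner@example.invalid"
    m["Subject"] = "Referral"
    m.set_content("Please see the attached referral.")
    m.add_attachment(SAMPLE_BYTES, maintype="application", subtype="pdf",
                     filename="referral.pdf")
    return m.as_string()
```

The point worth checking in any product that offers this feature is the second half: stripping the attachment only helps if the link it leaves behind is bound to an authenticated recipient, so that a forwarded or intercepted message does not hand the file to whoever holds the URL.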
Who is it recommended for?
ShareFile is not free, so small businesses would have to find a very good reason to choose this service over Google Drive. Mid-sized and large organizations should trial both this system and Files.com because both packages are equally suitable.
Pros:
- Encryption for transfers and storage: Protected with AES-256 encryption
- Desktop utility: Users access accounts through a secure portal
- eSignature facility: A built-in digital signature system
Cons:
- No productivity tools: Doesn’t rival the Google package
Actions on files are all logged and ShareFile also offers an eSignature facility that creates legally binding agreements. Citrix will also provide a signed BAA. You can try the ShareFile system on a 30-day free trial.
5. Tresorit
Tresorit is a HIPAA compliant file sharing cloud-based service that is G-Cloud 9 approved. This tool takes a slightly different approach to file security. It encrypts each file on the user’s device before it is transferred to the cloud storage space. This gives each file stored on the system its own protection rather than relying only on account-wide encryption, which is applied in addition.
Key Features:
- Breach notification exemption: Files are individually encrypted so thieves cannot read them
- A BAA is available: Fulfills a HIPAA requirement
- Strong encryption: Protection for transfers and storage with AES-256 cipher
Why do we recommend it?
Tresorit provides HIPAA-compliant file movements and goes one step further than its rivals on this list when applying encryption. The Tresorit platform provides encryption for an account space. Like its rivals, Tresorit also encrypts each file individually to enforce access rights. What makes this system different is that it implements a persistent encryption system that is applied to files on the devices of users at the point that an upload to the platform commences. That same encryption endures on the file when it is stored on the Tresorit system.
Once a file is on the Tresorit server, it can be accessed through any standard browser or the Tresorit apps for mobile devices. That file is permanently encrypted before it even gets onto the server. However, all transfers to devices for reading are also protected with additional encryption. Device identification provides a 2FA step and it is possible to block access from previously approved devices.
The standard way to share a file is to send the recipient a link to view the file in its Tresorit location rather than mailing it as an attachment. Permissions can be time-limited and they can also be permanently withdrawn. Users can be granted read-only access or editing rights. It is also possible to block downloads. All access events are logged.
Who is it recommended for?
Tresorit is a cloud-based subscription service and it is available in plans for individuals as well as businesses. These factors make the tool very appealing to small businesses. It is also good for mid-sized and large organizations. Businesses that have a geographically dispersed workforce or multiple sites would particularly benefit from the Tresorit system.
Pros:
- Access security: Deploys multi-factor authentication
- File sharing: Link access invites
- Cloud-based system: Accessible from anywhere
Cons:
- No on-premises version: Cloud only
Tresorit provides a BAA to its business customers and you can test the system on a 14-day free trial.
6. Accellion Kiteworks
Accellion Kiteworks is termed a “content firewall.” It is a cloud platform that offers a range of data security services, including a HIPAA compliant file sharing system.
Key Features:
- Copy watermarking: Makes leaks traceable
- File access logging: Records the users who access files
- Secure access app: Users get a workstation portal or a mobile app for access
Why do we recommend it?
Accellion Kiteworks gives you two tools to control access to data when performing file sharing. One option is to upload the file to the Accellion cloud server storage space of your account and mail out access links. The access granted by these links can be controlled to prevent alteration, downloading, or text copying. The other option is to watermark digital documents so that if a copy turns up in the hands of an unauthorized person, you will know exactly who leaked it.
Kiteworks uses a 256-bit AES cipher for file protection both in the storage drive and during transfers. The Kiteworks system has ISO 27001 certification and is validated to FIPS 140-2 Level 1. Both the file owner and the administrator receive notification of any access events on files, and these all get logged in a central audit file.
The Kiteworks system offers shared folders for group use and private spaces for each user. Users are individually identified by user accounts and all file actions are logged. There is also a collaboration feature attached to the file viewers, which enables authorized accessors to communicate ideas about the content through commenting and messaging.
The administrator can choose to impose automatic watermarking on all files held in the system or the file owner can apply that per file on demand. The owner can also decide on the level of access that should be allowed to collaborators. And each downloaded version can be stamped for identification to aid data leak investigations.
Files held on Kiteworks can be accessed through an app or through a plug-in that integrates the file system with Microsoft 365 components, including Outlook.
Who is it recommended for?
The watermarking option makes this package very suitable for legal firms and other types of businesses that do actually need to send out copies of documents and can’t just rely on sharing access to cloud-hosted files.
Pros:
- BAA available: A Business Associate Agreement for HIPAA compliance
- Integration with Microsoft 365: Use productivity tools to save and edit files on the platform
- Sharing without copying: Invite access by sending a link
Cons:
- No free trial: Accellion offers a demo
Kiteworks is charged per user per month. Accellion offers a BAA for those customers that use the hosted service. There are also options to get the file management software and host it privately on-premises or on a cloud server. You can get a demo to examine the system.
7. FTP Today (rebranded to Sharetru)
FTP Today (rebranded to Sharetru) is a cloud-based secure file storage system that offers a number of plans. You need to get its Premium plan to ensure that you have a HIPAA compliant file sharing system. Although all of the FTP Today plans are secure and offer many features, the company only offers a signed BAA for HIPAA to its Premium plan customers.
Key Features:
- Continuous encryption: Files are encrypted individually for transfers and storage
- Secure datacenters: Certified to SOC 2
- Multi-factor authentication: The system has stringent user access controls
Why do we recommend it?
FTP Today is a cloud platform, just like all of the other options on this list except for Serv-U. What makes FTP Today a little different is that it includes an intrusion detection system to protect all of the data held on the FTP Today cloud server. This security service is managed by FTP Today technicians, so you don’t need to do anything to watch over it. The main method of secure file sharing is by emailing an access link.
The Premium plan of FTP Today adds on more access controls to the file storage accounts, which are already very secure. Those extra features include IP address restrictions to ensure that only authorized devices can access the file space plus multi-factor authentication. The Premium plan allows unlimited user accounts and access rights can be integrated into your Single Sign-On environment.
The Premium account gets 50 GB of storage space, which can be extended. That file space is protected by encryption, and there is a choice of file transfer methods, including SFTP, FTPS, FTPES, and SCP. The service uses 2048-bit RSA encryption for transfers and 128-bit AES encryption in the storage area.
The system comes with its own apps for user devices and these can be white-labeled for use by managed service providers. On the cloud, the file space is protected by a managed intrusion detection system that includes hacker blacklisting for extra protection. It is also possible to impose geo-fencing that automatically blocks access to users when they are outside of the USA.
Who is it recommended for?
The FTP Today service is suitable for all business types and sizes. However, its cloud location makes it particularly useful for multi-site operations and businesses that have a lot of remote workers.
Pros:
- A signed BAA: You need to opt for the Premium plan to get it
- The file owner retains control: Others are invited to access the file without getting a copy
- Secure file transfer protocols: SFTP, FTPES, FTPS, and SCP
Cons:
- Not the top encryption strength: Uses AES encryption with a 128-bit key, not the strongest available key length, which is 256 bits
The FTP Today system is certified under ISO 27001 and its data centers are SSAE18 SOC2 audited. It is possible to see a live demo version of the system. FTP Today is also available for a 14-day free trial but you have to contact the Sales Department to request it.