The Best HIPAA Compliant File Sharing Tools

The Health Insurance Portability and Accountability Act (HIPAA) is a critical regulation designed to safeguard sensitive information within the healthcare sector. Established in the United States, HIPAA outlines specific rules for protecting patient data, which has led to the necessity of ensuring HIPAA compliance. For businesses operating in or serving the healthcare industry, adhering to these standards is essential to avoid legal repercussions and to build trust with clients and partners.

Here is our list of the best HIPAA compliant file sharing services:

  1. Files.com EDITOR’S CHOICE A cloud-based storage and distribution system that can have productivity software added to it. Start a 7-day free trial.
  2. Google Drive A HIPAA compliant file sharing system that has companion productivity tools included with it. This is a cloud-based system.
  3. ShareFile A cloud file storage system that can be integrated into an email system for easy, secure file distribution.
  4. Serv-U Managed File Transfer Server A file distribution system that is fully HIPAA-compliant.
  5. Tresorit A cloud-based file store and collaboration system that is fully HIPAA compliant and is G-Cloud 9 approved.
  6. Accellion Kiteworks A HIPAA compliant file sharing system with options to use a hosted file storage service or take the software for installation on-premises or on a private cloud.
  7. FTP Today A cloud storage provider that offers HIPAA compliant file sharing in its Premium plan.

At the heart of HIPAA compliance is the protection of personally identifiable information (PII) related to patients. Within the context of HIPAA, this type of data is referred to as protected health information (PHI). PHI encompasses a wide range of patient-related data, such as medical records, billing information, and treatment histories. When this information is stored or transmitted electronically, it is classified as ePHI (electronic protected health information). Businesses that manage or handle ePHI must implement stringent security measures to comply with HIPAA’s requirements.

It’s important to note that HIPAA compliance isn’t mandatory for all businesses working with the healthcare industry. The regulation applies specifically to entities that manage PHI or ePHI, including healthcare providers, insurers, and organizations involved in the financial or operational aspects of healthcare services in the U.S. However, businesses providing general services to the healthcare industry without handling PHI may not be subject to HIPAA regulations.

HIPAA is a U.S.-specific standard, meaning businesses operating in healthcare sectors outside the U.S. are not required to follow its guidelines. Nonetheless, maintaining strong data protection practices is universally beneficial.

This article delves into HIPAA-compliant file-sharing tools, exploring how they help organizations safeguard sensitive patient information while remaining compliant with this vital regulation.

HIPAA file sharing

You don’t need HIPAA compliance for all of your file actions. However, singling out HIPAA-sensitive data to channel through one file-sharing system and all other files through another would be a waste of time. Your HIPAA-compliant file-sharing system should be used for all of your data-sharing work.

Beyond HIPAA requirements, you need a range of functions from a file-sharing system. Cloud-based systems allow your team members to “send” files without actually moving them. Instead of attaching a file to an email, the sender includes a link in the email message. This enables the receiver to view the file without needing to make a copy. However, the option to let a recipient download the file should also be available.

File sharing services that create secure access by imposing encryption in the storage location protect files that might contain sensitive data from being accessed by outsiders. The file sharing mechanism should also keep a version history of the files, recording who made what changes to the document.

The most important features required in HIPAA compliant file sharing systems are that they allow control of access and track changes to documents.

The Best HIPAA compliant File Sharing Tools

In order to comply with HIPAA requirements when implementing file sharing, the managing application must include certain security and logging measures.

We took these requirements into account when looking for the best HIPAA compliant file sharing tools and came up with the following selection criteria:

  • Uses unique user IDs to identify each accessor to documents with changes traceable to the accessor.
  • Allows control over which user accesses each document and offers different levels of access rights.
  • Protects files from tampering or illegal access through encryption at rest and during transmission and access security, preferably with an option for 2FA.
  • Version control with backups that enable earlier versions to be recovered.
  • The provider of the service is willing to provide a signed Business Associate Agreement (BAA).
  • Free version or free trial for a no-cost assessment.
  • A price level that offers good value with respect to the level of functionality provided.

With these requirements in mind, we assessed the major file sharing services on the market today for suitability. When approaching the concept of “file sharing” there are actually two different strategies to cover. One is a collaboration suite that allows different people to edit the same document and the other is a file distribution system that doesn’t include a common editing function. We decided to explore both of these angles.

1. Files.com (FREE TRIAL)

Files.com is a cloud-based file distribution service, which operates as a HIPAA compliant file sharing system. Users move their files to the Files.com account and then send links to recipients instead of the actual file. Permissions on the file can be set up to allow access for reading or downloading.

Key Features:

  • Cloud-mediated transfers: Get cloud storage space included
  • Email monitoring: Strips out attachments, stores them, and replaces them with an access link in the email
  • User accounts: Set up individual accounts for users
  • Administrator controls: User accounts can be created and suspended centrally

Why do we recommend it?

Files.com is a secure cloud platform. It cuts down the amount of traffic winging around the internet, which reduces the amount of power used for file distribution, thus helping the planet. You upload files to the platform and then send out links for access. Recipients log into the Files.com server to view the file. You can then control what happens to your data, preventing copying and saving and blocking editing.

Reading a file in a browser requires the text to be transferred. However, this process is protected by HTTPS security. Downloads are also carried out over encrypted connections. You can also apply 2FA to all user accounts.

File storage space is fully encrypted and access to it requires user credentials. Each action on a file is recorded, noting the user account and a time stamp. Files.com is willing to provide a signed BAA to customers who follow the HIPAA standards.

The Files.com service can be used for instant backup of folders and syncing, allowing specific folders to be constantly available on the cloud in an up-to-date state.

Who is it recommended for?

Any business would benefit from the use of Files.com because it saves time, space, and money while also improving security. Keeping your sensitive data files within the control of your administrators makes privacy enforcement easier.

Pros:

  • Automate transfers with syncing: Use the platform to back up files from workstations
  • Cloud drive option: Let users set their Files.com as default storage for productivity tools
  • File sharing: Users can invite colleagues to access files
  • Link invites: Eradicate file distribution

Cons:

  • Short free trial: Only seven days for the trial

The Files.com service is charged for by subscription. The rate is calculated on a combination of the number of user accounts needed with an allocation of 1,000 GB for the entire multi-user account. It is possible to add connectivity through well-known cloud storage providers for backup and syncing. It is also possible to integrate the service with productivity suites, such as Google Workspace, and collaboration environments, such as Slack. You can get a Files.com account on a 7-day free trial.

EDITOR'S CHOICE

Files.com is our top pick for a HIPAA-compliant file sharing tool because it offers an impressive set of features designed to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA regulations require that organizations handle sensitive healthcare data with strict security controls, and Files.com excels in providing these safeguards. Files.com includes end-to-end encryption for both data at rest and in transit, ensuring that PHI is protected from unauthorized access. The platform also offers granular access controls, enabling administrators to define who can access specific files and folders, and at what level. This helps ensure that only authorized personnel can view or edit sensitive data. Files.com features two-factor authentication (2FA), adding an extra layer of security to prevent unauthorized access. The Files.com system includes integrated features for audit logging and reporting, which are critical for compliance with HIPAA’s security rules. The tool tracks every action taken on files, from uploads and downloads to edits and deletions, making it easy to demonstrate compliance during audits. Moreover, Files.com supports data retention policies and file versioning, ensuring that files can be securely stored, retrieved, and managed according to HIPAA requirements. Another reason Files.com is our top pick is its user-friendly interface, which has a straightforward mechanism for teams to securely share, manage, and collaborate on sensitive documents. This ease of use combined with strong security features makes Files.com an excellent choice for organizations looking to meet HIPAA’s demanding standards while maintaining an efficient workflow.

Official Site: https://signup.files.com/signup/

OS: Cloud based

2. Google Drive

Google Drive is available for free with 15 GB of space for each user. However, a HIPAA compliant file sharing system requires a central administration of all user accounts and you need to subscribe to a business package in order to get that.

Key Features:

  • Constant availability: All accounts are automatically backed up
  • Easy transfers: Upload and download files through an interface menu
  • Individual user accounts: Set up an account for each user

Why do we recommend it?

Google Drive is a great collaboration system because it is really a full set of productivity tools, not just a cloud file storage space. This platform enforces encryption on files at rest and removes the need to transfer files out. This is because colleagues can share files for editing and commenting without moving the data from Google Drive. You can invite outsiders to view a file by sending an access link.

Google Drive is included in Google Workspace (the new name for G-Suite). So, effectively, it isn’t possible to subscribe to just Google Drive because Google gives the productivity tools to all Google Drive customers for free.

The Workspace editor facilities and Google Drive itself have excellent version control functions, recording every alteration to a file and storing previous versions that can be brought back to the current version at any time.

Users share files by passing on a link. The sender can choose to set access rights for each user, allowing read-only access or full editing rights. It is also possible to allow or block downloading. The storage space is protected by encryption, as are transfers for viewing or downloading.

Who is it recommended for?

Google Drive is free for individuals, so small businesses will like this tool. It also cuts out the cost of buying Microsoft 365 because it includes a sequence of file editors that mirror the facilities in the MS package. Mid-sized and large organizations will rank Google Drive as a good option.

Pros:

  • Eradicate file movements: Invite a colleague to share a file instead of sending a copy
  • Access controls: Don’t lose control over your files by sending them outside the company, mail an access link instead
  • Corporate controls: Files held on all of your subaccounts belong to the company, not to the users

Cons:

  • Product capture: You get Google Workspace productivity tools bundled in for free

The cherry on the top for HIPAA compliance is that Google will provide a signed BAA for its business plan subscribers.

3. ShareFile

Citrix ShareFile is a cloud-based file storage service that has the right features to classify it as a HIPAA compliant file sharing system.

Key Features:

  • HIPAA compliant: Suitable for managing PHI
  • Provides a signed BAA: Necessary for hosting PHI on the platform
  • Scans emails: Replaces attachments with an access link to the stored file

Why do we recommend it?

ShareFile from Citrix works in a similar way to the Files.com system in that you upload files to the ShareFile Cloud platform and then invite viewers by sending an access link. A plug-in for Outlook means that this tool is able to scan outgoing emails and strip out attachments. These files are automatically uploaded to the ShareFile system and replaced by an access link that points to the stored document.

ShareFile integrates easily with email systems and the mechanism to grant individual access to a document involves adding that person’s email address to a list of authorized viewers. There is an Outlook plug-in for ShareFile that makes integration easy.

Each user that accesses your ShareFile storage area needs to be given an individual account, which creates the accountability needed for HIPAA. The file space and transfers are protected by AES-256 encryption and users need to use a ShareFile app on the accessing device, which ensures end-to-end security and also allows device-linked 2FA.

Who is it recommended for?

ShareFile is not free, so small businesses would have to find a very good reason to choose this service over Google Drive. Mid-sized and large organizations should trial both this system and Files.com because both packages are equally suitable.

Pros:

  • Encryption for transfers and storage: Protected with AES-256 encryption
  • Desktop utility: Users access accounts through a secure portal
  • eSignature facility: A built-in digital signature system

Cons:

  • No productivity tools: Doesn’t rival the Google package

Actions on files are all logged and ShareFile also offers an eSignature facility that creates legally binding agreements. Citrix will also provide a signed BAA. You can try the ShareFile system on a 30-day free trial.

4. Serv-U Managed File Transfer Server

Serv-U is a specialist file transfer system that creates a secure environment for frequent file sharing. This software provider has ensured that its file transfer system checks all of the boxes to be HIPAA compliant.

Key Features:

  • Multiple secure transfer protocols: SFTP, FTPS, and HTTPS
  • On premises software: Host it on Windows Server or Linux
  • Data privacy standards: Suitable for HIPAA, PCI DSS, and SOX
  • Large file transfers: Up to 3 GB in size
  • Data processing possible: Integration with scripts

Why do we recommend it?

Serv-U Managed File Transfer Server is a great tool for moving files securely and it is compliant with HIPAA. This tool is also recommended for businesses that need to comply with PCI DSS, FISMA, SOX, and GDPR as well. This service provides SFTP, FTPS, and HTTPS options for secure file transfers and it provides scripted, scheduled transfers that can be integrated into processing workflows. The tool can also be used for on-demand file transfers.

This is an on-premises software package, which bucks the trend of moving everything to the cloud. Not everyone is comfortable with cloud services, especially where sensitive data is concerned. If you are particularly tasked with providing a file sharing system that is overwhelmingly for internal use then the logic of deploying a cloud service diminishes.

Serv-U Managed File Transfer Server (MFT) is positioned to cater to a number of compliance requirements. As well as HIPAA, it is compliant with PCI DSS and SOX. First of all, this is a secure file transfer system that offers a choice of protocols, including FTPS, SFTP, and HTTPS. The system is able to transfer files to mobile devices as well as to desktops and servers. The system also logs all file movements, which provides essential documentation for compliance auditing.

Who is it recommended for?

The price of the Serv-U system might put small business owners off this product. However, it will appeal to mid-sized and large organizations. The ability to integrate secure file transfers into workflows opens up options for automated processes that provide data validation along with file movement.

Pros:

  • Provides corporate control: No loss of control to cloud platforms
  • Access through a Web browser: The console is Web-based
  • Security options: Use SSH or TLS
  • Task automation: Process files, transfer them, and then perform more processing
  • Maintenance functions: Include processes to clear out target directories

Cons:

  • Free trial only lasts 14 days: Most SolarWinds systems offer 30-day free trials

The Serv-U MFT software is available for Windows Server and Linux. It includes an attractive browser-based administration console and full file movement tracking. You can try the system out without risk on a 14-day free trial.

5. Tresorit

Tresorit is a HIPAA compliant file sharing cloud-based service that is G-Cloud 9 approved. This tool takes a slightly different approach to file security. It encrypts each file on the user’s device before it is transferred to the cloud storage space. This gives the files stored on the system individual protection rather than just account-wide encryption – which is applied additionally.

Key Features:

  • Breach notification exemption: Files are individually encrypted so thieves cannot read them
  • A BAA is available: Fulfills a HIPAA requirement
  • Strong encryption: Protection for transfers and storage with AES-256 cipher

Why do we recommend it?

Tresorit provides HIPAA-compliant file movements that go one step further than its rivals on this list when applying encryption. The Tresorit platform provides encryption for an account space. Like its rivals, Tresorit also encrypts each file individually to enforce access rights. What makes this system different is that it implements a persistent encryption system that applies to files on the devices of users at the point that an upload to the platform commences. That same encryption endures on the file when it is stored on the Tresorit system.

Once a file is on the Tresorit server, it can be accessed through any standard browser or the Tresorit apps for mobile devices. That file is permanently encrypted before it even gets onto the server. However, all transfers to devices for reading are also protected with additional encryption. Device identification provides a 2FA step and it is possible to block access from previously approved devices.

The standard way to share a file is to send the recipient a link to view the file in its Tresorit location rather than mailing it as an attachment. Permissions can be time-limited and they can also be permanently withdrawn. Users can be granted read-only access or editing rights. It is also possible to block downloads. All access events are logged.

Who is it recommended for?

Tresorit is a cloud-based subscription service and it is available in plans for individuals as well as businesses. These factors make the tool very appealing to small businesses. It is also good for mid-sized and large organizations. Businesses that have a geographically dispersed workforce or multiple sites would particularly benefit from the Tresorit system.

Pros:

  • Access security: Deploys multi-factor authentication
  • File sharing: Link access invites
  • Cloud-based system: Accessible from anywhere

Cons:

  • No on-premises version: Cloud only

Tresorit provides a BAA to its business customers and you can test the system on a 14-day free trial.

6. Accellion Kiteworks

Accellion Kiteworks is termed a “content firewall.” It is a cloud platform that offers a range of data security services, including a HIPAA compliant file sharing system.

Key Features:

  • Copy watermarking: Makes leaks traceable
  • File access logging: Records the users who access files
  • Secure access app: Users get a workstation portal or a mobile app for access

Why do we recommend it?

Accellion Kiteworks gives you two tools to control access to data when performing file sharing. One option is to upload the file to the Accellion cloud server storage space of your account and mail out access links. The access granted by these links can be controlled to prevent alteration, downloading, or text copying. The other option is to watermark digital documents so that if a copy turns up in the hands of an unauthorized person, you will know exactly who leaked it.

Kiteworks uses a 256-bit AES cipher for file protection both in the storage drive and during transfers. The Kiteworks system has ISO 27001 certification and is validated to FIPS 140-2 Level 1. Both the file owner and administrator receive notification of any access events on files and these all get logged in a central audit file.

The Kiteworks system offers shared folders for group use and private spaces for each user. Users are individually identified by user accounts and all file actions are logged. There is also a collaboration feature attached to the file viewers, which enables authorized accessors to communicate ideas about the content through commenting and messaging.

The administrator can choose to impose automatic watermarking on all files held in the system or the file owner can apply that per file on demand. The owner can also decide on the level of access that should be allowed to collaborators. And each downloaded version can be stamped for identification to aid data leak investigations.

Files held on Kiteworks can be accessed through an app or through a plug-in that integrates the file system with Microsoft 365 components, including Outlook.

Who is it recommended for?

The watermarking option makes this package very suitable for legal firms and other types of businesses that do actually need to send out copies of documents and can’t just rely on sharing access to cloud-hosted files.

Pros:

  • BAA available: A Business Associate Agreement for HIPAA compliance
  • Integration with Microsoft 365: Use productivity tools to save and edit files on the platform
  • Sharing without copying: Invite access by sending a link

Cons:

  • No free trial: Accellion offers a demo

Kiteworks is charged per user per month. Accellion offers a BAA for those customers that use the hosted service. There are also options to get the file management software and host it privately on-premises or on a cloud server. You can get a demo to examine the system.

7. FTP Today (rebranded to Sharetru)

FTP Today (rebranded to Sharetru) is a cloud-based secure file storage system that offers a number of plans. You need to get its Premium plan to ensure that you have a HIPAA compliant file sharing system. Although all of the FTP Today plans are secure and offer many features, the company only offers a signed BAA for HIPAA to its Premium plan customers.

Key Features:

  • Continuous encryption: Files are encrypted individually for transfers and storage
  • Secure datacenters: Certified to SOC 2
  • Multi-factor authentication: The system has stringent user access controls

Why do we recommend it?

FTP Today is a cloud platform, just like all of the other options on this list except for Serv-U. What makes FTP Today a little different is that it includes an intrusion detection system to protect all of the data held on the FTP Today cloud server. This security service is managed by FTP Today technicians, so you don’t need to do anything to watch over it. The main method of secure file sharing is by emailing an access link.

The Premium plan of FTP Today adds on more access controls to the file storage accounts, which are already very secure. Those extra features include IP address restrictions to ensure that only authorized devices can access the file space plus multi-factor authentication. The Premium plan allows unlimited user accounts and access rights can be integrated into your Single Sign-On environment.

The Premium account gets 50 GB of storage space, which can be extended. That file space is protected by encryption and there is a choice of file transfer methods that can be used that includes SFTP, FTPS, FTPES, and SCP. The service uses 2048-bit RSA encryption for transfers and 128-bit AES encryption in the storage area.

The system comes with its own apps for user devices and these can be white-labeled for use by managed service providers. On the cloud, the file space is protected by a managed intrusion detection system that includes hacker blacklisting for extra protection. It is also possible to impose geo-fencing that automatically blocks access to users when they are outside of the USA.

Who is it recommended for?

The FTP Today service is suitable for all business types and sizes. However, its cloud location makes it particularly useful for multi-site operations and businesses that have a lot of remote workers.

Pros:

  • A signed BAA: You need to opt for the Premium plan to get it
  • The file owner retains control: Others are invited to access the file without getting a copy
  • Secure file transfer protocols: SFTP, FTPES, FTPS, and SCP

Cons:

  • Not the top encryption strength: Uses AES encryption with a 128-bit key, not the strongest available key length, which is 256 bits

The FTP Today system is certified under ISO 27001 and its data centers are SSAE18 SOC2 audited. It is possible to see a live demo version of the system. FTP Today is also available for a 14-day free trial but you have to contact the Sales Department to request it.