Where HIPAA Covered Entities Must Be Careful
Many firms promote their platforms and software as HIPAA compliant, but that does not mean their use comes without risks. Software solution providers can only build in security and administrative controls that allow their solution to be implemented in a HIPAA compliant manner. It is the responsibility of users to make sure the solution is configured correctly and HIPAA Rules are not breached.
To avoid HIPAA breaches:
- Make sure a business associate agreement has been completed before the solution is used for storing, syncing, or sharing ePHI
- Covered entities must complete a risk analysis to identify any potential risks to the confidentiality, integrity, and availability of PHI
- Ensure encryption is active when sending files to third parties
- Policies and processes (administrative safeguards) must be created covering the use of the solution, and staff must be trained
- Access and authentication controls must be set to control access to PHI and make it available only to those individuals who are authorized to access the information
- Any PHI shared with third parties must be restricted to the minimum necessary data for tasks to be completed
- Proper security controls should be implemented on devices to ensure, should they be stolen or lost, the devices cannot be used to obtain access to PHI
Citrix provides guidance for covered entities on aspects of HIPAA Rules, how they apply to FileShare, and assistance to ensure HIPAA compliance while using the platform. The information can be seen here.