Citrix ShareFile & HIPAA Compliance

Citrix ShareFile is a secure file sharing, data storage and collaboration service that allows large files to be shared easily within a company, with remote workers, and with outside partners. The solution allows any authorized individual to access stored documents instantly from desktops and mobile devices.

For healthcare organizations this means the solution can be used to share large files such as DICOM images with specialists, remote healthcare workers, and business associates. The ShareFile patient portal can also be used to send PHI to patients.

Citrix will sign a business associate agreement with HIPAA covered entities and their business associates that covers the use of ShareFile, although it remains the responsibility of the covered entity to ensure that the solution is configured properly and is used in a manner that does not violate HIPAA Rules.

The solution meets HIPAA requirements for data security, with appropriate access and authentication controls. Users log on to the solution over an encrypted SSL/TLS connection, and data is protected at rest with AES 256-bit encryption. The solution also supports encryption on mobile devices. An audit trail is maintained: access logs record who accessed files, when, and for how long, and application errors and events are also logged.

Where HIPAA Covered Entities Must Be Careful

Many firms promote their platforms and software as HIPAA compliant, but that does not mean that using them carries no risk. Software providers can only build in the security and administrative controls that allow their solution to be implemented in a HIPAA compliant manner. It is the responsibility of users to make sure the solution is configured correctly and that HIPAA Rules are not breached.

To avoid HIPAA breaches:

  • Make sure a business associate agreement has been signed before the solution is used for storing, syncing, or sharing ePHI
  • Covered entities must complete a risk analysis to identify any potential risks to the confidentiality, integrity, and availability of PHI
  • Ensure encryption is enabled when sending files to third parties
  • Policies and procedures (administrative safeguards) must be created covering the use of the solution, and staff must be trained on them
  • Access and authentication controls must be configured to restrict access to PHI and make it available only to individuals who are authorized to access that information
  • Any PHI shared with third parties must be restricted to the minimum necessary for the task to be completed
  • Appropriate security controls should be implemented on devices so that, should they be lost or stolen, the devices cannot be used to gain access to PHI

Citrix provides guidance for covered entities on aspects of HIPAA Rules, how they apply to ShareFile, and assistance in maintaining HIPAA compliance while using the platform. The information can be found here.
