HIPAA-compliant file sharing & cloud storage
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This federal law mandates security and privacy protections for Protected Health Information (PHI), as well as rules regarding patient access to medical records.
HIPAA has evolved since it was passed to account for some emerging technology and modern threats to privacy. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened the civil and criminal enforcement of HIPAA, and it addressed privacy and security concerns of sharing health information electronically. In 2013, the final HIPAA Omnibus rule enhanced patients' privacy rights and protections, including holding all custodians of PHI accountable for the same privacy and security requirements.
HIPAA compliance: key terms
Protected Health Information (PHI) is individually identifiable information that relates to a patient's medical or psychological condition, provision of medical services, or payments for medical services (past, present, or future). PHI also includes common identifiers like patient name, address, Social Security number, and birthdate.
Covered entities include all health organizations that create, receive, or transmit PHI. Hospitals, doctors, clinics, and other healthcare providers that are considered "covered entities" are responsible for complying with HIPAA and HITECH.
The HIPAA Privacy Rule establishes standards for protecting PHI. Under the Privacy Rule, healthcare providers must have appropriate safeguards in place to protect personal health information, and providers must set limits on the use and disclosure of PHI.
The HIPAA Security Rule defines safeguards that providers must use to protect and manage access to PHI. Under the Security Rule, healthcare providers must:
- Ensure the confidentiality, integrity, and availability of PHI they create, receive, transmit, or maintain
- Identify and protect against threats to their PHI
- Protect against improper uses or disclosures of PHI
- Ensure workforce compliance with HIPAA rules
- Review and modify security measures to protect PHI as the environment changes
The HIPAA Breach Notification Rule requires healthcare providers to notify affected patients, Health and Human Services, and sometimes the media if unsecured PHI is breached. Most notifications must be disclosed within 60 days of discovering the breach (although there are exceptions for breaches that affected fewer than 500 people).
What HIPAA compliance means for healthcare providers
Trust is paramount in the healthcare industry. HIPAA sets the federal standard for patient security and privacy, and violations can result in civil fines, criminal penalties, and damage to a healthcare provider's reputation.
Securing PHI is business-critical—but some argue it's harder than ever. Healthcare providers must contend with incredibly sophisticated threats and attempted data breaches. In addition, more organizations are adopting Bring Your Own Device (BYOD) policies, which make it more difficult—and even more important—to secure PHI across platforms and devices.
The healthcare industry is becoming far more mobile, collaborative, information-driven, and customer-facing. Maintaining HIPAA compliance is essential, but choosing the right data security and storage tools can make all the difference.
Box for healthcare: HIPAA-compliant cloud storage
The Box platform and associated products has been compliant with HIPAA, HITECH, and the final HIPAA Omnibus rule since November 2012. All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud.
Box continuously updates products, policies, and procedures to ensure continuous HIPAA compliance. Box has also been evaluated by a third-party auditor, who issued a report affirming that Box has controls in place to meet HIPAA requirements for privacy and data security.
Box ensures HIPAA compliance through several important features and organizational policies:
- Data encryption (both in transit and at rest)
- Restricted physical access to production servers
- Strict logical system access controls
- Reporting and audit trail of account activities (on both users and content)
- Training of employees on security policies and controls
- Highly restricted employee access to customer data files
- Mirrored, active-active data center facilities to mitigate disaster situations
Healthcare organizations of all sizes and specialties trust Box to protect sensitive patient information and maintain HIPAA compliance. It is important to note, however, that healthcare organizations are responsible for configuring Box in a HIPAA-compliant manner and for enforcing organizational policies to meet HIPAA requirements.
“Box is the perfect repository for information — not only communicating information back and forth, but housing information in a secure and compliant way, organizing it, and using it to create the proper regulatory documentation. Box has changed my day-to-day function as a physician by giving me instant access to the most current information to help me take care of my patients."
Dr. Joseph Ducey, VP of Business Development, Providence Anesthesiology Associates
"I think St. Joseph Health is pioneering a changing care model. We’re going from that ‘fix me when I’m broken’ care model to a far more proactive model. It’s our job to offer innovation in as secure a way as we can."
David Baker, Vice President of IT, St. Joseph Health