HIPAA Compliance and Citrix ShareFile

ShareFile was purchased by Citrix Systems in 2011 and the service is offered as a suitable data sync, file sharing, and collaboration service for the healthcare sector. It is vitally important for anyone considering using it to understand how HIPAA compliance applies to Citrix ShareFile.

It is a secure file sharing, data storage and collaboration service that permits large files to be easily sent within a company, to remote workers, and to external partners. The solution permits any authorized person to instantly obtain stored documents via desktops and mobile devices.

For healthcare groups this means the solution can be used to share large files, such as DICOM images, with researchers, remote healthcare staff and business associates. The ShareFile patient portal can also be used to send PHI to the relevant patients.

Citrix is willing to sign a business associate agreement with HIPAA covered entities and their business associates that covers the use of ShareFile, although it remains the responsibility of the covered entity to make sure that the solution is configured correctly and is used in a manner that does not breach HIPAA Rules.

The solution meets HIPAA requirements for data security, with appropriate access and authentication controls. Users connect to the solution over an encrypted SSL/TLS connection and data is secured at rest with AES 256-bit encryption. The solution also supports encryption on mobile devices. An audit trail is kept, with access logs recording who accessed which files, when, and for how long; application errors and events are also recorded.

The safeguards built into the solution mean that it does support adherence to HIPAA regulations. So, in essence, Citrix ShareFile can be deemed HIPAA compliant.

Many firms promote their services as HIPAA compliant, but that does not mean their use carries no risk. Software suppliers can only build in the security and administrative controls that permit their solution to be used in a HIPAA compliant way. It is the duty of users to ensure the solution is configured properly and HIPAA Rules are not breached.

To prevent HIPAA breaches occurring:

  • Be certain a business associate agreement has been signed before the solution is used for storing, syncing, or sending ePHI
  • Covered entities must complete a risk analysis to identify any possible risks to the confidentiality, integrity, and availability of patient data
  • Ensure encryption is in place when sending files to external entities
  • Policies and procedures (administrative safeguards) must be developed covering the use of the solution, and staff must be trained on them
  • Access and authentication controls must be configured to restrict access to PHI to only those people who are permitted to access the data
  • Any PHI sent to external parties must be restricted to the minimum necessary for the task to be completed
  • Appropriate security measures should be put in place on devices to ensure that, in case of theft or loss, the devices cannot be used to obtain PHI

Citrix offers training for covered entities on HIPAA Rules and how they apply to ShareFile, along with assistance to ensure HIPAA is adhered to while using the service.

Author: Security News