Is WeTransfer HIPAA Compliant? The fast-growing Amsterdam-headquartered company provides one of the most popular file-sharing services in the world, utilized by both consumers and businesses alike.
Tens of millions of subscribers share billions of files each and every month using the highly secure service.
But the question remains – is WeTransfer HIPAA compliant?
We asked the same question of Dropbox earlier this year.
All healthcare providers in the US that deal with protected health information (PHI) must comply with the Health Insurance and Accountability Act (HIPAA), which has strict rules in place regarding the data storage services, file hosting and sharing services and the cloud backup and recovery solutions HIPAA covered entities use.
We concluded that Dropbox provides neither HIPAA compliant cloud storage nor HIPAA compliant data backup recovery out of the box – though, with careful configuration, it can be brought in line with HIPAA requirements.
In short, when it comes to Dropbox, it's a bit of a “yes and no” type answer.
Fortunately, when it comes to WeTransfer, the answer is clear cut.
So, Is WeTransfer HIPAA Compliant?
No. WeTransfer is not HIPAA compliant. Plain and simple.
Therefore, unfortunately WeTransfer is not a HIPPA compliant Dropbox alternative.
This means that HIPAA covered entities – i.e. healthcare providers, plans and clearinghouses – cannot use WeTransfer to share files containing PHI data.
WeTransfer confirms this on its website:
“Are you HIPAA compliant? We're not,” explains WeTransfer. “We are not HIPAA compliant because it focuses on medical data and our service was primarily built to cater to creative minds. Also, we have a global user base to cater to and it is proven to be quite difficult to make exceptions on a country-level. Since we are not bound by US laws, we aren't obliged to comply with HIPAA regulations.”
So, there you have it straight from the horse's mouth, folks. Is WeTransfer secure enough to be HIPAA compliant? No, it's not.
So, let's ask another question…
How Can HIPAA Covered Entities Remain HIPAA Compliant when Sharing Sensitive Files?
HIPAA compliant data transfers Must be done using secure sockets layer encryption to transfer patient data from one place to another.
PHI consists of all the data your organization holds on your patients that relate to their past, present or future health condition.
As well as health records and data pertaining to any medical services your patients have received or may receive, PHI also includes healthcare bill payment information, health insurance information and anything else that could be considered sensitive.
If that information is digital or stored in electronic format, it is known as ePHI, or electronic PHI.
Under HIPAA, organizations that store, handle and share files containing ePHI need to put three types of safeguards in place in order to protect it. These are:
- Administrative safeguards, which concern the policies and procedures your organization has in place to ensure the adequate management of ePHI protection.
- Physical safeguards, which concern restricting physical access (with security systems, etc.) to your premises, as well as any servers, computer equipment and mobile devices where ePHI is stored.
- Technical safeguards, which must protect ePHI via digital means, such as with user access controls, user authentication and data encryption.
While administrative and physical safeguards come down to your internal policies and procedures and physical building security, technical safeguards will in most cases concern the third-party file sharing services, data backup and recovery services and data storage solutions you utilize as well.
So, what should a HIPAA compliant file sharing service provide?
Encryption; In a File Sharing Service
Guidance from the Department of Health & Human Services (HHS) states that ePHI data must be encrypted both at rest and in transit in order to render the data “unusable, unreadable, or indecipherable to unauthorized individuals.”
In other words, encryption ensures that only authorized individuals can view sensitive files.
Though it doesn't prevent a hacker from attempting to access ePHI data, encrypting that data does mean that it will be of no use to the hacker in the event of a successful breach – precisely because it is encrypted.
As such, you must ensure you use an encrypted file sharing service to share company documents containing ePHI at your organization.
Encrypted file transfer means that your ePHI is protected from the moment it is sent to moment it is received and stored.
Access Controls and User Authentication
Further to multi layered encryption, you must also control who is accessing files and why they are attempting to do so.
For this reason, you need a file sharing service that grants every user on your network a unique user ID to ensure only authorized parties are accessing the solution and the files it protects.
The solution should also track user activity via their ID for compliance purposes.
In addition, two factor authentication should be used. This ensures that the person attempting to log in to the solution really is who they claim to be.
If a member of staff's login credentials are compromised, the multi-factor authentication safeguard provides an additional layer of security to verify the identity of the user and protect your data from would-be hackers.
HIPAA-Compliant Encrypted File Sharing from Central Data Storage
Though secure, consumer services like WeTransfer are not HIPAA compliant, meaning they are out of bounds for HIPAA covered entities.
Fortunately, there are alternative file sharing services that are HIPAA compliant by design.
Central Data Storage is one such solution.
As well as offering HIPAA compliant cloud backup, HIPAA compliant disaster recovery and HIPAA compliant data storage solutions for businesses, Central Data Storage is also a leading provider of HIPAA compliant encrypted file sharing solutions.