HIPAA-Compliant File Sharing for Lawyers
Cloud-based file-sharing services like Dropbox, Box and Google Drive may help streamline the way we store and share sensitive documents, but they require an additional layer of security to ensure that confidential files stay safe.
Recently, I was chatting with a forensic psychiatrist who consults on criminal and civil cases. He told me that lawyers regularly send him clients’ medical records, sometimes 100+ page documents at a time, without protecting the information and preventing it from falling into the wrong hands.
The Health Insurance Portability and Accountability Act (HIPAA) requires that health records be strictly safeguarded, with security measures put in place to store and transmit electronic medical information. Lawyers who are not compliant with these rules could expose themselves to liability.
While HIPAA doesn’t specifically require encryption of files, if a file has been compromised — if a device containing electronic protected health information (ePHI) has been lost or stolen — the only way to avoid a HIPAA breach is to encrypt the files. Therefore, encryption has become a de-facto standard for preventing HIPAA breaches.
What the Cloud Is and Isn’t
Cloud computing allows data and applications to be stored externally — away from a user’s own physical hard drive or server — and then accessed on demand via the Internet. Web-based email services like Gmail and Hotmail store emails and attachments in the cloud, for example.
File-sharing services like Dropbox allow you to manage files in a more streamlined way in the cloud. You can sync documents across a number of devices so you can always access the most updated versions of files, no matter where you are working. If you make a change to a file on your laptop that change will show up later when you open the file on your desktop or mobile device, since all of the devices are synced to the same account.
The problem with unencrypted file sharing is similar to unprotected emails — except your vulnerability is multiplied by the number of mobile devices that hold confidential information. For example, if you use Dropbox to store important files on three different devices, then you have three times as many opportunities to lose one of those devices. In fact, lost or stolen devices account for more than 60 percent of HIPAA breaches.
When you share files you lose control of them the same way you do when you email them to someone. (Consider how the autofill feature in email can easily send proprietary information to the wrong person.)
There are cloud platforms that encrypt and protect data on their servers, and can ensure HIPAA compliance. The issue with file-sharing services like Dropbox and Google Drive, and with web mail services like Gmail, is that unencrypted copies of files are stored on all of your devices, increasing your exposure to a breach.
Making Data in the Cloud Secure
The good news is there are ways to make the cloud compliant with HIPAA, with a number of tools that seamlessly integrate encryption. Here’s a look at three different options, including one from my company.
Sookasa. Sookasa is an online service that automatically encrypts individual files shared and stored in Dropbox. When Dropbox synchronizes a file to multiple devices, it remains encrypted, anywhere it is stored. Sookasa audits and controls access to those files, meaning data can be blocked even if a device is lost or stolen. Sookasa also enables secure collaboration via web mail (for example, Gmail, Yahoo Mail and Outlook) by replacing unsecured attachments with links to encrypted files. The user must authenticate before opening the file, meeting the requirement to audit every access to ePHI.
Also, non-Sookasa users can upload files securely to Sookasa users, which is especially useful for collecting sensitive data from clients without requiring them to install special software.
TigerText. Regular SMS text messages on your phone aren’t compliant with HIPAA, but TigerText replicates the texting experience in a secure way. Instead of being stored on your phone, messages sent through TigerText are stored on the company’s servers, and messages sent through the application can’t be saved, copied or forwarded to other recipients.
TigerText messages are also deleted, either after a set time period or after they’ve been read. Because messages aren’t stored on the phones themselves a lost or stolen phone won’t result in a data breach.
DataMotion SecureMail. Email is still an extremely helpful tool for quickly sharing files. SecureMail makes it possible to do so securely. Using a decryption key, authorized users can open and read the encrypted emails, which are compliant with HIPAA. SecureMail provides detailed tracking and logging of emails, which is necessary for auditing purposes. It also works on mobile devices. (Note that email encryption products do not securely store and back up all files in a centralized way.)
There are many options for sharing and storing information through the cloud. No matter whether you are using a free service, or one designed specifically for the legal profession, adding a layer of security by encrypting sensitive files can ensure you are HIPAA compliant. That way, you have personally taken measures to protect your confidential files, above and beyond the protection afforded by cloud storage service providers.
Asaf Cidon is CEO and co-founder of Sookasa. Cidon is also a Stanford PhD candidate, specializing in mobile and cloud computing. He founded Sookasa with the mission of allowing businesses to control their data securely via the cloud.