
Readers Write: File-Sharing And HIPAA – How You Can Keep Health Data Secure in an Era of Collaboration

April 3, 2019 Readers Write No Comments

By Tim Mullahy

Tim Mullahy is executive vice-president and managing director at Liberty Center One of Royal Oak, MI.


Collaboration is at the heart of modern workflows, and file sharing is at the core of collaboration. That’s as true in the health industry as it is anywhere else. The difference with healthcare, of course, is that the risks of doing file sharing improperly — of distributing files without due attention to security — are higher.

File-sharing and collaboration are necessary for effective patient care. Medical and support staff alike need to be able to openly and readily share patient data with one another, communicating seamlessly both within hospital environments and without. The problem, of course, is enabling such collaboration without violating HIPAA.

After all, Protected Health Information (PHI) is some of the most sensitive data in the world. The penalties, should it fall into the wrong hands, are rightly strict. That isn’t to say that enabling file-sharing is impossible, just that it needs to be done while keeping a few things in mind.

Encrypt all files

Although HIPAA doesn’t mandate file encryption (it’s recommended, not required), encrypting all data both in motion and at rest is critical if you’re going to ensure that your files can be shared securely. In the event that a device containing PHI is in some way compromised, encryption will ensure that the data it contains remains safe.

I’d advise that you use SSL encryption, along with some form of VPN or secure tunnel, to keep your files protected when they’re shared across external networks.

Assign unique IDs to all staff

Every user with access to your file-sharing and collaboration platform needs a unique identifier. In addition to being useful for the purposes of authentication, these IDs will allow you to track data access and usage. The idea is that you need to know what data each user has accessed and what they’ve done with that data at any point in time.

Implement multi-factor authentication

Usernames and passwords are an important component of access control, but they represent only a partial solution. To keep both your files and the platforms through which staff collaborate secure, you’re going to want multiple means of ensuring people are who they say they are. These could include:

  • Biometric (fingerprint scanners, facial recognition, voice identification, retinal scanners)
  • Behavioral (common login locations, common access and browsing habits, etc.)
  • Hardware-based (device recognition, hardware tokens)

Implement auto-logoff

Here’s one directly from the HIPAA guidelines. Any file-sharing or collaboration solution you use needs to have a timeout process built in. After a set period of inactivity (10 to 15 minutes is probably a safe bet), an employee account should be automatically logged out. This protects against unauthorized access via unattended devices.
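To make the unique-ID and auto-logoff controls concrete, here is an added sketch (not from the original article or any vendor's product) of a server-side session layer that attributes every file access to a user ID and enforces an idle timeout. The class, method names, user ID, and file paths are hypothetical and constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 15 * 60  # upper end of the 10-15 minute window above

@dataclass
class FileShareSessions:
    """Hypothetical session layer; callers authenticate users before login()."""
    timeout: int = IDLE_TIMEOUT_SECONDS
    sessions: dict = field(default_factory=dict)   # token -> [user_id, last_seen]
    audit_log: list = field(default_factory=list)  # (time, user_id, action, target)

    def _audit(self, now, user_id, action, target=""):
        self.audit_log.append((now, user_id, action, target))

    def login(self, user_id, now):
        token = secrets.token_urlsafe(32)  # unguessable session token
        self.sessions[token] = [user_id, now]
        self._audit(now, user_id, "login")
        return token

    def access_file(self, token, path, now):
        """Return True if allowed; every decision is logged against a user ID."""
        entry = self.sessions.get(token)
        if entry is None:
            self._audit(now, "unknown", "denied", path)
            return False
        user_id, last_seen = entry
        if now - last_seen >= self.timeout:
            # Idle too long: end the session server-side so an unattended
            # device cannot be used to reach files.
            del self.sessions[token]
            self._audit(now, user_id, "auto_logoff", path)
            return False
        entry[1] = now  # activity resets the idle timer
        self._audit(now, user_id, "read", path)
        return True

    def accesses_by(self, user_id):
        """Audit query: which files did this user read, and when?"""
        return [(ts, target) for ts, uid, action, target in self.audit_log
                if uid == user_id and action == "read"]

def demo():
    svc = FileShareSessions()
    token = svc.login("nurse-0042", now=0)  # constructed user ID
    ok_early = svc.access_file(token, "charts/patient-a.pdf", now=300)
    ok_late = svc.access_file(token, "charts/patient-b.pdf", now=300 + 15 * 60)
    ok_after = svc.access_file(token, "charts/patient-b.pdf", now=300 + 15 * 60 + 1)
    return ok_early, ok_late, ok_after, svc.accesses_by("nurse-0042")
```

The timeout is enforced on the server rather than in the client, so closing a laptop lid or leaving a browser tab open does not keep the session alive, and the expiry itself lands in the audit trail.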

Ensure that all software is HIPAA-compliant

Last but certainly not least, for each collaboration solution you implement, check with the vendor to ensure that it complies with HIPAA’s regulatory guidelines. Most vendors that support HIPAA compliance will be open about it. Moreover, their solutions will provide full logging and auditing functionality, alongside all the other security controls necessary to stick to HIPAA.

HIPAA need not represent an obstacle to effective collaboration. Provided you incorporate a compliant solution and take all the necessary measures to keep your data safe, you can enable your clinicians, support staff, and everyone else who needs access to collaborate for better, faster patient care.
