LNCtips.com: HIPAA Compliant File Transfers
Some legal nurse consultants swear by DropBox. Others use Google Drive or iCloud. While these cloud storage and file sharing services might be secure, are they secure enough to protect the protected health information (PHI) in medical records? Let's take a look at which cloud services are HIPAA compliant and which are not. And let's see the fees, if any, for different services
As an LNC, you're going to receive and/or send medical records electronically. With the advent of HITECH, the government incentivized healthcare providers to change from paper to electronic medical records. HITECH also requires HIPAA compliance, strict adherence to security measures for electronic records, and severe penalties for those who don't comply.
That's why it's important to know the ins and outs of the different types of cloud storage and file transfer sites. Below is a list of some of the most common sites. Prices refer to a single user. As a refresher on file sizes, a kilobyte (KB) is 1,024 bytes, a megabyte (MB) is 1,024 KB, a gigabyte (GB) is 1,024 MB, and a terabyte (TB) is 1,024 MB.
1) Box has a free plan that offers 10 GB of storage, but file transfers (uploads and downloads) are limited to 250 MB. Box is NOT compliant with HIPAA requirements, except for its pricey Enterprise or Elite plans.
2) DropBox is probably the biggest file sharing site. It's free for 2 GB of storage space. The maximum size of the file to be transferred must be less than 2 GB. DropBox is NOT HIPAA compliant. However, you can use Sookasa in conjunction with Dropbox; it costs $10 a month and the combination of the two meet HIPAA criteria.
3) Google Drive offers a large amount of storage - 15 GB for free. Google Drive limits the file size to 50 MB for transfers. The free version is NOT HIPAA compliant. However, there's a paid version that's compliant, which costs $5-$10 per month per user. However, it's a hassle to set up. Or you can use Sookasa with it.
4) Hightail is another popular file sharing site. The site offers 2 GB of space for free with a file size limit of 250 MB for transfer. According to a carefully worded statement by Hightail, it's HIPAA compliant. However, Hightail relies on the same type of encryption as Dropbox, which makes no claims of HIPAA compliance.
5) iCloud provides 5 GB of file storage space. However, iCloud does NOT meet the encryption requirements to keep PHI secure.
6) OneDrive has the same file storage capacity as Google Drive - 15 GB. Unlike Google Drive, you can transfer files in OneDrive that are huge - 10 GB. Like Google Drive, OneDrive is NOT HIPAA compliant. However, OneDrive for Business IS compliant; prices range from 1.99 per month to 6.99 per month for 100 GB to 1 TB of storage. The higher priced plan includes Office 365.
7) ShareFile is a business application, meaning there are no free accounts, just a free trial period. Prices start at $16 per month. ShareFile offers 100 GB of storage, and you can transfer files as large as 10 GB. ShareFile IS HIPAA compliant, making it a popular choice for law firms.
Selecting a cloud storage and file sharing service involves some decisions. If you're always on the receiving end of medical records, you won't need to purchase anything. Typically, the sender will provide you with a link to download the records. If you're the one sending records and you work on behalf of the defense, you must choose a service that is HIPAA compliant, which is probably going to involve spending money. Plaintiff law firms aren't subject to the same HIPAA requirements as defense firms.
If you're a sender, your next consideration involves the size of the files you'll be uploading. When it comes to medical records, this can be tricky to determine. For example, I looked at two PDF files that were each four pages. The size of one of the files was 3.5 KB and the other one was 360 KB. A medical records file of roughly 2400 pages was nearly 2 GB. I often work with records that contain 4,000 pages or more. If that's the case with you, it eliminates all the cloud services listed above except for ShareFile and OneDrive (which is not HIPAA compliant unless using the Business version), although the others have the capability of increasing the storage and file transfer capacity for additional fees.
As you know, electronic file transfers are now commonplace. Because of this, legal nurse consultants need to ensure that their cloud storage and file transfers meet HIPAA requirements.