HIPAA-Compliant File Sharing Workflow: A Checklist for SaaS

For any healthcare company, not being HIPAA-compliant may lead to embarrassing public incidents as well as hefty fines. However, even if a company doesn’t operate in the healthcare space directly but only acts as a SaaS vendor, chances are they must be HIPAA-compliant too, in order not to exclude a whole segment of potential customers.

So, what is HIPAA compliance? How can you ensure HIPAA compliance for your business? And how can you implement a HIPAA-compliant workflow? You’re about to find out.

What Is HIPAA Compliance?

What information does HIPAA protect?

What are the consequences of not being HIPAA-compliant?

For example, let’s say a hospital runs an app where patients can register accounts and upload or download their test results. If the hospital’s file sharing service isn’t HIPAA-compliant, the hospital itself is also in violation.

In the best-case scenario, the hospital will have to go through a review and then, within 30 days, fix the way it handles sensitive info. However, failure to comply with HIPAA can also result in civil or criminal penalties. The fines for civil violations range from $100 to $50,000 per violation and can reach up to $1,500,000 annually. Criminal offenses (like when someone sells sensitive data) may result in 10 years of imprisonment in addition to fines.

Organizing a HIPAA-Compliant Workflow for SaaS

  • Technical safeguards: In terms of using a cloud-based file system, this involves the actual steps taken to ensure that ePHI is secure and private. (You’ll find a complete technical checklist below.)
  • Physical safeguards: Even the most secure cloud storage won’t help if files can be easily accessed on a computer. Physical safeguards involve protecting buildings, computers, smartphones, and other forms of physical access. If you’re a SaaS provider, you likely use third-party services such as Google, AWS, or Uploadcare to host the data, so you can check this checkbox by signing a HIPAA Business Associate Agreement (BAA).
  • Administrative safeguards: This involves your organization’s policies and procedures regarding how PHI is handled, for example, your efforts concerning education and privacy training or shredding documents before discarding them.

As a SaaS file-sharing platform, Uploadcare helps individuals and businesses achieve HIPAA compliance by providing all the required technical safeguards in our services. As such, we’ll focus mainly on the technical safeguards from here on out, although all three categories play a critical role.

Technical Safeguards Checklist Explained

  • Access controls
  • Audit controls
  • Integrity controls
  • Transmission security

Below, you’ll find our descriptions of these elements; however, we highly encourage you also to explore the full Technical Safeguard documentation issued by the HHS.

1. Access controls

As a HIPAA-compliant service provider, you need to have the following mechanisms in place for ePHI handling:

  • Unique User IDs: Each user should be identified using a unique ID so that you can set individual access control.
  • Emergency access procedures: There need to be instructions and practices in place on who accesses information during emergencies and how, for example during power or network interruptions.
  • Automated log-off: This safeguard prevents unauthorized access due to human carelessness. If an account is idle for a specific time, it will automatically be logged off the system and require re-authentication.
  • Encryption and decryption: Unauthorized users shouldn’t be able to access and view PHI. When information is encrypted, only an authorized party with a secret key can convert it back into comprehensible data.

In Uploadcare, for example, this is covered by authentication and authorization mechanics. Each customer must be identified and authorized before they can access non-public user data. You can also specify who can upload and download files, and for how long, by providing special tokens.
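The idea of a token that states who may upload or download a file, and for how long, can be sketched as follows. This is an added example, not Uploadcare's API or code from the original article; the function names, the token layout and the demo key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from a secrets manager.
SECRET_KEY = b"demo-signing-key-not-for-production"


def issue_token(user_id, file_id, action, ttl_seconds, now=None):
    """Issue a token letting one user perform one action on one file until expiry."""
    issued = int(now if now is not None else time.time())
    claims = {"uid": user_id, "file": file_id, "act": action,
              "exp": issued + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def check_token(token, file_id, action, now=None):
    """Return the unique user ID bound to the token, or None if it is rejected."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None  # malformed token
    # Verify the MAC before trusting anything inside the payload.
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered token
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        return None  # expired: the holder must re-authenticate
    if claims["file"] != file_id or claims["act"] != action:
        return None  # token was issued for a different file or action
    return claims["uid"]
```

Because the user ID is part of the signed payload, every accepted request can be attributed to a single user in the audit trail.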

2. Audit controls

If we proceed with Uploadcare as an example, the audit controls are covered by logging all critical information system activity, which is available upon request.

3. Integrity controls

  • Non-technical (e.g., staff members who accidentally delete something)
  • Technical (e.g., software errors and failures that cause data corruption)

Just like with audit controls, the measures here include authorization. You need to identify all users who can access ePHI, and have an accurate audit trail that connects all actions performed with a user ID. Any unauthorized access or changes must be detected and prevented to maintain security.

Also, there must be a solution that corroborates the authenticity of ePHI. Again, the standard doesn’t specify which “electronic mechanisms” you should implement. Our advice here is to ensure that your monitoring activities allow you to identify any attempts to modify files and immediately prevent them. As for Uploadcare itself, it doesn’t allow users to modify any uploaded files, only create additional versions of them. If you need to, for example, resize an image, you’ll get a modified version, but the original file is intact and always accessible (unless you explicitly delete it).
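One possible "electronic mechanism" for the two requirements above is an audit trail that ties each action to a user ID and a digest of the file, with entries chained so that edits or deletions in the log are detectable. This is an added example, not Uploadcare's implementation or code from the original article; the entry layout, function names and demo key are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; keep the real one outside the system that writes the log.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64  # chain value that precedes the first entry


def entry_mac(fields):
    """MAC over every field of an entry except the MAC itself."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()


def append_entry(log, user_id, action, file_id, data, timestamp):
    """Record who did what to which file, plus a digest of the bytes handled."""
    entry = {"ts": timestamp, "user": user_id, "action": action,
             "file": file_id, "sha256": hashlib.sha256(data).hexdigest(),
             "prev": log[-1]["mac"] if log else GENESIS}
    entry["mac"] = entry_mac(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first altered or out-of-chain entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "mac"}
        if entry["prev"] != prev:
            return i  # an earlier entry was removed or reordered
        if not hmac.compare_digest(entry.get("mac", ""), entry_mac(fields)):
            return i  # this entry was edited after it was written
        prev = entry["mac"]
    return -1


def file_unchanged(log, file_id, data):
    """Compare stored bytes with the digest recorded at the latest upload."""
    current = hashlib.sha256(data).hexdigest()
    for entry in reversed(log):
        if entry["file"] == file_id and entry["action"] == "upload":
            return hmac.compare_digest(entry["sha256"], current)
    return False  # no upload on record: treat the file as unverified
```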

4. Transmission security

  • Integrity controls (the input data should be the same as the output)
  • Encryption (the data should be indecipherable and unusable for any unauthorized party)

For example, Uploadcare servers (as well as all incoming and outgoing communications) are encrypted with the latest protocol versions (e.g., TLS 1.2+ for transfer). User interfaces are accessible only over HTTPS. This protects any data stored and sent between a server and a client, preventing criminals from reading and modifying any information transferred.

An Example of a HIPAA-Compliant File Workflow by Uploadcare

Uploadcare provides a HIPAA-compliant high-performance pipeline for uploading, processing, storing, and transmitting PHI with all the HIPAA safeguards built in. It ensures that you have a secure platform for managing files, complete with various user access controls and encryption at all levels. This compliance is backed up by a Business Associate Agreement that can be provided upon request.

Case study: How Supervision Assist integrated a “set-and-forget” HIPAA-compliant data flow

The team faced two challenges:

  • They needed to create a reliable HIPAA-compliant application to handle sensitive data.
  • They had limited development resources to do so.

“We can build internal tools, but we’ve been finding that the maintenance burden is just not worth it. We end up having to spend more time working on stuff that is not our application. So, we decided to implement a third-party tool, so that they can deal with that maintenance, and we can focus on our code.”

Maximillian Schwanekamp, CTO

Uploadcare’s HIPAA-compliant infrastructure took on the sensitive data management so Supervision Assist could focus on their business. By adopting a ready-made solution, the company saves at least 50 hours of dev work annually. In sheer person-hours alone, it was enough to justify the investment in a proprietary third-party tool.

Uploadcare’s reliable file hosting, backup, and content delivery network enables Supervision Assist’s users to seamlessly upload any type of media, including documents, images, audio, and video. The latter can be as big as 5 TB.


Conclusion
