Is WeTransfer HIPAA compliant? The fast-growing Amsterdam-headquartered company provides one of the most popular file-sharing services in the world, utilized by both consumers and businesses alike.
But the question remains – is WeTransfer HIPAA compliant?
We asked the same question of Dropbox earlier this year.
All healthcare providers in the US that handle protected health information (PHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets strict rules for the data storage, file hosting and sharing, and cloud backup and recovery services that HIPAA covered entities use.
We concluded that Dropbox provides neither HIPAA compliant cloud storage nor HIPAA compliant data backup and recovery out of the box, though with careful configuration it can be brought in line with HIPAA requirements.
In short, when it comes to Dropbox, it’s a bit of a “yes and no” type answer.
Fortunately, when it comes to WeTransfer, the answer is clear cut.
So, Is WeTransfer HIPAA Compliant?
No. WeTransfer is not HIPAA compliant. Plain and simple.
Therefore, unfortunately, WeTransfer is not a HIPAA compliant Dropbox alternative.
WeTransfer confirms this on its website:
“Are you HIPAA compliant? We’re not,” explains WeTransfer. “We are not HIPAA compliant because it focuses on medical data and our service was primarily built to cater to creative minds. Also, we have a global user base to cater to and it is proven to be quite difficult to make exceptions on a country-level. Since we are not bound by US laws, we aren’t obliged to comply with HIPAA regulations.”
So, there you have it straight from the horse’s mouth, folks. Is WeTransfer secure enough to be HIPAA compliant? No, it’s not.
So, let’s ask another question…
How Can HIPAA Covered Entities Remain HIPAA Compliant when Sharing Sensitive Files?
HIPAA compliant data transfers must be done over a secure, encrypted connection when moving patient data from one place to another.
PHI consists of all the data your organization holds on your patients that relates to their past, present or future health condition.
As well as health records and data pertaining to any medical services your patients have received or may receive, PHI also includes healthcare bill payment information, health insurance information and anything else that could be considered sensitive.
If that information is stored or transmitted in electronic form, it is known as ePHI, or electronic PHI. The HIPAA Security Rule requires covered entities to protect ePHI with three categories of safeguards:
- Administrative safeguards, which concern the policies and procedures your organization has in place to ensure the adequate management of ePHI protection.
- Physical safeguards, which concern restricting physical access (with security systems, etc.) to your premises, as well as any servers, computer equipment and mobile devices where ePHI is stored.
- Technical safeguards, which must protect ePHI via digital means, such as with user access controls, user authentication and data encryption.
While administrative and physical safeguards come down to your internal policies and procedures and the physical security of your buildings, technical safeguards in most cases also extend to the third-party file sharing, data backup and recovery, and data storage services you use.
So, what should a HIPAA compliant file sharing service provide?
Encryption
Encrypting ePHI does not stop a hacker from attempting to access it, but it does mean that any data obtained in a successful breach is unreadable and therefore of no use to the hacker.
Encrypted file sharing means that your ePHI is protected from the moment it is sent to the moment it is received and stored.
Access Controls and User Authentication
In addition to encryption, you must also control who is accessing files and why they are attempting to do so.
The solution should also log each user's activity against their user ID for compliance purposes.
In addition, multi-factor authentication should be used. This ensures that the person attempting to log in to the solution really is who they claim to be.
If a member of staff’s login credentials are compromised, the multi-factor authentication safeguard provides an additional layer of security to verify the identity of the user and protect your data from would-be hackers.
HIPAA-Compliant Encrypted File Sharing from WisperMSG
Consumer services like WeTransfer may be secure, but they are not HIPAA compliant, which puts them out of bounds for HIPAA covered entities.
Fortunately, there are alternative file sharing services that are HIPAA compliant by design.
WisperMSG is one such solution.
Try WisperMSG free for 7 days here.