ShareFile

HIPAA Support

Overview

Important:

For HIPAA Audit Reports and Compliance, visit the ShareFile Trust Center for more information.

The Health Insurance Portability and Accountability Act of 1996, or “HIPAA,” is a U.S. federal law that required the creation of national standards to protect patient health information. This includes, for example, obligations around the confidentiality and security of such data.

ShareFile supports these obligations when storing and sharing data, and provides various tools to supplement a customer’s compliance efforts under HIPAA. However, it is the customer’s responsibilty to configure and operate its ShareFile environment appropriately. Additionally, ShareFile is not a substitute for a customer’s broader compliance obligations. Customers must have their own an adequate HIPAA program, along with appropriate processes and controls to ensure compliance throughout their organization.

Adding ShareFile with HIPAA Support

ShareFile with HIPAA support is available only with a ShareFile Premium, VDR, Industry Advantage Account. Additionally, customers must accept the ShareFile Business Associate Agreement (BAA). In such case, ShareFile operates as a “Business Associate” of customer, generally a “Covered Entity.” For more information on these roles, visit The U.S. Dept. of Health and Human Services.

Accepting the Business Associate Agreement

New accounts

A ShareFile customer’s administrator can enable HIPAA and accept the BAA by following the given steps below:

  1. Login to ShareFile Account. Then go to Settings > Admin Settings > Admin Overview.

    HIPPA 1

  2. From the Admin Overview, select Enable HIPAA and the Warning and Notes page is displayed.

    HIPPA 2

    HIPPA 3

  3. Click the Checkbox to enable the option BAA and click the Enable button to continue.

    HIPPA 4

  4. The Success message is displayed on the top right corner. HIPPA 5

Existing accounts

Once a ShareFile account is converted to a Premium, VDR or an Industry Advantage Account with HIPAA support, administrators can click on Admin Setting -> Admin Overview page, within their ShareFile account. A statement regarding BAA acceptance will be highlighted where the BAA can be reviewed and accepted directly within the account.

Administrators can access and review their executed ShareFile BAA at any time via the same Admin Overview page.

HIPAA Features

Upon in-product acceptance of the ShareFile BAA, customers can immediately feel confident using ShareFile to process protected health information (PHI) in the HIPAA-supported version of their ShareFile account. Not only do world-class security measures come standard in our products, ShareFIle also automatically adjusts various features to help support customer’s enhanced obligations under HIPAA.

  • Public share links - To prevent customers from inadvertently sharing PHI publicly, this feature is disabled. Administrators may enable this feature.

  • Co-edit with Microsoft - This feature requires customer data to be transferred to your Microsoft environment. ShareFile does not have an agreement with Microsoft and cannot control what happens to your data once it leaves ShareFile’s system. Administrators may enable this feature.

  • 3rd Party integrations and connectors - This feature requires customer data to be transferred to your environment which is hosted by a third party provider of the integration or connector. ShareFile does not have an agreement any third party providers of integrations or connectors, and cannot control what happens to your data once it leaves ShareFile’s system. Administrators may enable this feature.

  • Notifications - Activity notifications (view/download/upload) will not include the file name went sent via email. This is to prevent sharing of PHI that may be inadvertently contained in a file name. Such notifications will include the file type extension (ex: .doc, .pdf)

Additionally, the following products are not supported for HIPAA product plans:

  • On Prem or “Self-hosted” - ShareFile does not have access to PHI when customers deploy an on-premises version of the product. For this reason, ShareFile cannot act a business associate of the customer.

  • Customer Managed Encryption Key for Cloud Storage - ShareFile does not have direct access to PHI where product encryption keys are maintained by the customer. For this reason, ShareFile cannot act a business associate of the customer.

  • Request Lists - This feature is not currently supported for HIPAA accounts.

  • Custom Workflows - This feature is not currently supported for HIPAA accounts.

HIPAA Support