Healthcare file sharing has rules other industries don’t. HIPAA requires specific protections for patient information. Here’s what that means for your file sharing choices.
What HIPAA Requires
HIPAA (Health Insurance Portability and Accountability Act) sets standards for protecting patient health information, known as protected health information (PHI).
For file sharing, this means:
- Access controls (only authorized users)
- Encryption in transit and at rest
- Audit logs (who accessed what, when)
- Business Associate Agreements (BAAs) with vendors
- Data breach notification procedures
Regular File Sharing Won’t Work
Standard consumer services (WeTransfer, personal Dropbox) aren’t HIPAA-compliant. Using them for PHI is a violation, regardless of how secure they seem.
Why not:
- No Business Associate Agreements
- Limited audit capabilities
- Insufficient access controls
- Data stored in ways that don’t meet requirements
HIPAA-Compliant Options
Dedicated Healthcare Solutions
Box Healthcare: Purpose-built HIPAA compliance, BAAs available, full audit logs.
Virtru: Email and file encryption with HIPAA compliance and key management.
Paubox: Encrypted email designed for healthcare communications.
Enterprise Cloud with Compliance
Google Workspace (Healthcare edition): BAAs available, HIPAA compliance with proper configuration.
Microsoft 365 (Healthcare plans): BAAs, compliance tools, familiar interface.
Specialized Transfer Services
Citrix ShareFile: HIPAA-compliant file sharing with healthcare-specific features.
Tresorit: Swiss-hosted, zero-knowledge encryption, HIPAA compliance.
Encryption Requirements
HIPAA requires encryption but doesn’t specify exact standards. Industry practice:
In transit: TLS 1.2 or higher for all transfers
At rest: AES-256 encryption for stored files
End-to-end: Not required but provides additional protection
FileGrab Pro uses AES-256-GCM for end-to-end encryption, which exceeds HIPAA’s encryption expectations. However, FileGrab doesn’t currently offer BAAs, so it’s not suitable for PHI without additional arrangements.
Business Associate Agreements
If a service handles PHI on your behalf, you need a BAA. This contract makes them responsible for protecting that information.
Before using any service for PHI:
- Confirm they offer BAAs
- Sign the agreement before sharing PHI
- Keep records of all BAAs
No BAA = that service can’t handle your patient information, period.
Internal vs. External Sharing
Internal (Within Organization)
Use your existing HIPAA-compliant infrastructure:
- Encrypted internal drives
- Compliant cloud storage
- Secure email systems
External (With Patients, Other Providers)
More complex. Options:
- Patient portals (purpose-built for healthcare)
- HIPAA-compliant email encryption
- Secure file transfer with BAA-covered services
Practical Workflow
Sharing with Other Providers
- Verify receiving provider’s security measures
- Use HIPAA-compliant transfer method
- Encrypt files if transferring PHI
- Document the transfer for audit purposes
Sharing with Patients
- Use patient portal when possible (preferred)
- Encrypted email for one-off needs
- Explain security measures to patients
- Never use regular email for PHI
Emergency Situations
HIPAA allows some flexibility in emergencies, but:
- Document the emergency circumstances
- Use the most secure available method
- Follow up with proper documentation
What FileGrab Offers
FileGrab provides strong security features:
- End-to-end encryption (Pro)
- Password protection
- Link expiration
- Access controls
However, FileGrab currently doesn’t offer Business Associate Agreements, so it’s not suitable for sharing PHI that falls under HIPAA regulations.
For non-PHI medical files (administrative documents, non-patient data), FileGrab’s security features provide solid protection.
Choosing a Solution
Questions to ask:
- Do they sign BAAs?
- Where is data stored?
- What encryption do they use?
- What audit capabilities exist?
- What’s their breach history?
Red flags:
- No BAA available
- Unclear data location
- Vague security claims
- No audit logging
The Bottom Line
HIPAA compliance isn’t optional for healthcare organizations. Use purpose-built healthcare solutions for PHI. For everything else, standard security practices with encrypted services work.
When in doubt, consult your compliance officer or healthcare IT specialist before sharing any file that might contain patient information.