Q) Is GlobalSCAPE's Secure FTP Server HIPAA compliant?
A) HIPAA has no specific requirements for software or technologies used by healthcare or related organizations. HIPAA compliance applies to the organization or entity as a whole, and includes measures for:
Standardization of electronic patient health, administrative and financial data.
Unique health identifiers for individuals, employers, health plans and health care providers.
Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.
For background, see this HIPAA Primer.
GlobalSCAPE Secure FTP Server can play a role in a HIPAA-compliant organization, provided you configure and use the Server properly. Ask the following questions about your deployment:
1. Are ONLY Secure Connections (SSL or SFTP) enabled?
2. Is a secure FTP client, such as CuteFTP Professional, being used to connect to the server?
3. Is data integrity checking turned on in both the client and server?
4. Is logging turned on and configured to rotate at timely intervals?
5. Are the rotated logs being regularly backed up and, if necessary, encrypted?
6. Once the data is transferred to the server securely, is it necessary to store the data in an encrypted form (using a third-party tool such as PGP)?
GlobalSCAPE's Secure FTP Server is only a small part of a much larger picture in achieving HIPAA compliance. GSFTPS provides all the necessary protection mechanisms needed to secure electronic data exchange over FTP, and provides data integrity checking options. However, an administrator may accidentally turn off security in the product, disable data integrity checking, or even turn off transaction logging, all of which are a necessary part of protecting confidential data and keeping an audit trail.
Effective processes, and the individuals who manage those processes and the underlying technology, determine whether GSFTPS can play a role in HIPAA compliance.
The main area in which GSFTPS plays a role is secure data transfer. GSFTPS contains high levels of security, including 128-bit SSL transfer and One-Time Password authentication methods. GSFTPS must be used with a secure client in order to accomplish secure transfers. CuteFTP Professional currently supports all security methods available in GSFTPS, including the powerful data integrity feature, which fits in nicely with HIPAA data integrity requirements.
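The six questions above amount to a deployment audit, and an administrator can accidentally undo any one of them. The following is an added example, not GlobalSCAPE's own code, that checks a constructed deployment record against each question; the record keys, the approved-client list and the 24-hour rotation policy are assumptions for illustration, not real GSFTPS settings.

```python
# Added example, not GlobalSCAPE's own code: audits a constructed
# deployment record against the six checklist questions above. The record
# keys and values are assumptions for illustration, not real GSFTPS
# settings; fill them in from your own server and operating procedures.

SECURE_PROTOCOLS = {"ssl", "sftp"}
SECURE_CLIENTS = {"CuteFTP Professional"}   # assumed approved-client list
MAX_ROTATION_HOURS = 24                     # assumed policy: rotate at least daily

def audit_deployment(record: dict) -> list[str]:
    """Return one finding per checklist item that is not satisfied."""
    findings = []
    # 1. Only secure connections may be enabled (no plain FTP listener).
    protocols = set(record.get("protocols", []))
    insecure = sorted(protocols - SECURE_PROTOCOLS)
    if insecure or not protocols:
        findings.append(f"1: insecure or no protocols enabled: {insecure}")
    # 2. Only approved secure clients connect (an operational attestation).
    rogue = sorted(set(record.get("clients_in_use", [])) - SECURE_CLIENTS)
    if rogue:
        findings.append(f"2: unapproved clients in use: {rogue}")
    # 3. Data integrity checking must be on at both ends of the transfer.
    if not (record.get("integrity_check_server") and record.get("integrity_check_client")):
        findings.append("3: data integrity checking is off on client or server")
    # 4. Logging on, and rotated at a timely interval.
    hours = record.get("log_rotation_hours")
    if not record.get("logging_enabled") or hours is None or hours > MAX_ROTATION_HOURS:
        findings.append("4: logging disabled or rotation interval too long")
    # 5. Rotated logs backed up and, where they hold PHI, encrypted.
    if not record.get("log_backup") or (record.get("logs_contain_phi") and not record.get("log_backup_encrypted")):
        findings.append("5: rotated logs not backed up or backup not encrypted")
    # 6. PHI stored on the server must be encrypted by a third-party tool (e.g. PGP).
    if record.get("stores_phi_at_rest") and not record.get("at_rest_encryption"):
        findings.append("6: PHI stored on the server without encryption")
    return findings

# Constructed records: a weak deployment beside its corrected form.
WEAK = {"protocols": ["ftp", "ssl"], "clients_in_use": ["CuteFTP Professional", "legacy-script"],
        "integrity_check_server": True, "integrity_check_client": False,
        "logging_enabled": True, "log_rotation_hours": 168,
        "log_backup": False, "logs_contain_phi": True, "log_backup_encrypted": False,
        "stores_phi_at_rest": True, "at_rest_encryption": None}
CORRECTED = {**WEAK, "protocols": ["ssl", "sftp"], "clients_in_use": ["CuteFTP Professional"],
             "integrity_check_client": True, "log_rotation_hours": 24,
             "log_backup": True, "log_backup_encrypted": True, "at_rest_encryption": "PGP"}

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit_deployment(rec) or "no findings")
```

The weak record produces one finding per checklist item; the corrected record produces none.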
An excerpt from the HIPAA Primer:
"The Security standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information. It applies not only to the transactions adopted under HIPAA, but to all individual health information that is maintained or transmitted. However, the Electronic Signature standard applies only to the transactions adopted under HIPAA."
"The Security Standard does not require specific technologies to be used; solutions will vary from business to business, depending on the needs and technologies in place. Also, no transactions adopted under HIPAA currently require an electronic signature."
See also: The General HIPAA FAQ.
Q) "Who must comply with HIPAA?"
A) "All healthcare providers, health plans, payers, clearinghouses, and other entities that process health data must comply."
"Any healthcare provider that electronically sends one of the transactions covered in the Final Rules (Claims, remittances, claim status inquiries, eligibility, certification) is covered by HIPAA. Any organization that electronically stores or transmits individually identified healthcare information must comply with the Security regulation. So, if the organization does any of the above (file a claim electronically or electronically store any healthcare info that can be tracked back to an individual) they must comply with the appropriate HIPAA regulation."
Q) "Since the regulations frequently refer to "electronic" communication, what media falls into that category?"
A) "HIPAA applies to all communication that is stored or transmitted electronically, or that has been stored or transmitted electronically in the past. Media includes, but is not limited to, computer databases, tapes, disks, telecommunications, FAX, Internet, networks."
Here are more details from the security section of HIPAA's site:
Q) "What are the main requirements of the Security Standards?"
A) "There are four areas of requirements: information systems security, requiring the protection of all affected computers and data from compromise or loss; physical security, requiring protection of all buildings, facilities and assets from compromise or threat; audit trail, requiring keeping audit trails of access to patient identifiable information; and digital signature/data encryption, requiring transmissions to be authenticated and protected from observation or change."
You can read more about HIPAA compliance at the following locations: