HIPAA compliance

noface0711
504 Command not implemented
Posts: 7
Joined: 2016-03-13 10:15
First name: Richard
Last name: Franklin

HIPAA compliance

#1 Post by noface0711 » 2016-03-25 10:44

A client is asking if FileZilla is HIPAA compliant. The posts I see regarding this are 2 years old and older. Is FileZilla HIPAA compliant?

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: HIPAA compliance

#2 Post by botg » 2016-03-25 15:07

I'm not qualified to answer this question. Please hire somebody specialized in evaluating HIPAA compliance.

Macktek
550 File not found
Posts: 33
Joined: 2016-03-03 19:04
First name: Mack

Re: HIPAA compliance

#3 Post by Macktek » 2016-03-26 17:34

This has come up in another topic as well.

Typically e-PHI would be accessed through the EMR/EHR, and that would have the proper credentialing and permissions.
Any EMR/EHR would also be required to be HIPAA compliant in the first place.

So I am curious as to why you would want to put e-PHI on an FTP server versus using the existing EMR/EHR system?
(What is the use case here?)

Additionally, HIPAA compliance is pretty complex but also flexible, and it very much depends on the "site" and the site's prescribed method for being in compliance with HIPAA. If your client is asking you if FileZilla is compliant, and you are "posting" that question, it implies that your client thinks you are the expert. I would advise caution if your client wants to put e-PHI on an FTP server.
It begs the question as to "why do this?"

Whether or not FZ is HIPAA compliant will depend on your client's HIPAA-documented methods for compliance.
Usually that includes password-protected access for authorized individuals only and encryption for e-transmission, both of which FZ supports AFAIK.
You can look here for more specifics:
http://www.hhs.gov/hipaa/for-profession ... gulations/
and
http://www.hhs.gov/hipaa/for-profession ... gulations/
If you are really serious, you ought to read the actual federal law.

And whether or not the client's specific site documentation and the process it uses meet the HIPAA standard will be a matter for the attorney(s).
Just to point out that medical offices, etc. should (are required to) have a HIPAA compliance officer who can help answer these questions as well.
So, somewhere... in that mound of documents there should be either a vague or specific requirement for how your e-transmission of e-PHI should be handled... and by following that, you should (if the doc is HIPAA compliant) be HIPAA compliant.
(Which is to say, that if the "client" had an attorney review the document or purchased one of the presumably HIPAA compliant packages (which ultimately must be customized anyway)... then presumably, the docs are compliant. Whether or not that is in fact truly HIPAA compliant is sort of a legal sticky issue, because you would need some legal authority to review the canned docs)

PS, the requirement "scales" according to the "covered entity’s size and resources."
How that occurs is not clear, but if your client is a big multi-practice or hospital or bigger, you can be pretty sure you need to take extra steps to ensure that the PHI remains secure.
Ultimately, I would advise that you or your client consult an attorney to make sure you are following the law.

And... seriously, consider why it's necessary to place PHI on an FTP server in the first place.

Macktek
550 File not found
Posts: 33
Joined: 2016-03-03 19:04
First name: Mack

Re: HIPAA compliance

#4 Post by Macktek » 2016-04-12 20:37

An example of a use case might be if your client is a lab that wants to deliver lab results to a recipient folder at a medical provider's office.
The EMR would then check the folder periodically to determine if new results were present.
