HIPAA Compliant file sharing solution.

thecomputerguy
I spoke with a potential new client today. They are in the medical field, and she made it very clear that, moving forward, she wants to shift everything into HIPAA compliance. They have 4 local locations and 3 locations out of state. They bring clients into a residential home the company owns and provide temporary support and therapy to those patients.

Their current management system is a HIPAA compliant web based client management system, but they need a way to share files (Docs, PDFs, etc.) outside of how they are currently sharing them, which is via email or through Google Docs. There are some documents they cannot share because Google Docs is not HIPAA compliant.

Initially I thought about getting them set up with a HIPAA compliant cloud server they could RDP into and share files that way, since they have multiple locations. However, 98% of their computers are company owned or personally owned iMacs or Mac laptops. I have a strong feeling that pulling them out of a Mac environment and tossing them into a Windows based cloud server to share files wouldn't sit well with them.

Anyone have any ideas as to how Macs can share random files safely and to HIPAA compliance standards?
 
The starting point for HIPAA compliance is signed BAAs. So you need to get that done for yourself as well.

OneDrive for Business is HIPAA compliant. Personally I sell mine through Appriver and know they will provide a BAA to the customer. Since they have OS X and Windoze clients, the workstation is not a problem. But you also need to have the workstations using FDE since they will be holding these files. OS X is not a problem, as FileVault FDE comes with everything since 10.7 or so.

The real problem is BYOD. Personally owned devices need to also be monitored and encrypted. I seem to remember that BYOD is a big no-no in the HIPAA world. My few HIPAA customers understand this and only put that data on devices they know they can control. I know @YeOldeStonecat has a lot of experience with HIPAA so maybe he'll shed some more light on this.

Almost forgot. Is their email HIPAA compliant?
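The FDE point above is the one most likely to drift: a Mac that is "supposed to" have FileVault on can have it turned off, or stuck in deferred enablement where the disk is still in the clear. Below is an added example, not part of the thread and not any vendor's tooling, of a small check an RMM or login script can run on each Mac holding PHI. It assumes macOS 10.7 or later, where `fdesetup status` prints "FileVault is On." or "FileVault is Off." (and, on newer releases, a "Deferred enablement appears to be active..." line); the sample outputs embedded below are constructed for offline testing.

```shell
#!/bin/sh
# Added example: FileVault compliance check for Macs that hold PHI.
# Assumes `fdesetup status` output of "FileVault is On." / "FileVault is Off.",
# plus an optional "Deferred enablement appears to be active ..." line (assumed
# wording on 10.10+). The SAMPLE_* strings are constructed test data.

# filevault_state OUTPUT: classify the text `fdesetup status` printed.
# Prints one of: on, deferred, off, unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On."*) echo on ;;
    # Deferred enablement: encryption was requested but does not start until
    # the user logs in again, so the disk is still unencrypted right now.
    *"Deferred enablement"*) echo deferred ;;
    *"FileVault is Off."*) echo off ;;
    *) echo unknown ;;
  esac
}

# filevault_compliant OUTPUT: succeed (exit 0) only for the fully enabled
# state, so an RMM alerts on off, deferred, and on garbled or empty output.
filevault_compliant() {
  [ "$(filevault_state "$1")" = on ]
}

# live_check: on a Mac, run the real command; elsewhere fall back to a
# constructed sample so the script still runs end to end offline.
live_check() {
  if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status 2>&1
  else
    echo "FileVault is On."
  fi
}

# Constructed samples of what `fdesetup status` prints in each state.
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

out=$(live_check)
if filevault_compliant "$out"; then
  echo "COMPLIANT: FileVault state=$(filevault_state "$out")"
else
  echo "NONCOMPLIANT: FileVault state=$(filevault_state "$out")" >&2
fi
```

Deploy it as a scheduled RMM script and alert on the NONCOMPLIANT line (or on a nonzero exit from `filevault_compliant`); treating "deferred" and "unknown" as failures rather than as "probably fine" is the deliberate design choice, because those are exactly the machines an auditor will find unencrypted.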
 


The conversation we had was mainly a very quick meeting over the phone, so I do not know the status of their email, MX lookup shows Google Apps ... The vibe I get is that she is too busy/disorganized and once she realizes just how out of compliance they are and how much money it's going to cost she will probably disappear.... Just a feeling ...
 

Yeah, I've had those as well. But much depends on what's happening on their side that you may not know about initially. Had one where it turned out he had a survey he had to self-certify he was compliant on for Mass Health. Something like 80% of his managed care revenue. Another dental office, the Dr could have cared less, but her husband panicked when their malpractice underwriter started asking questions about HIPAA compliance.

Which leads me to a common pitch I make about being HIPAA compliant. If a breach happens and the underwriter does an audit, pretty certain if a claim is made, and they find the practice is not even close to being compliant the underwriter may tell them to take a hike.
 
..., however, 98% of their computers are company owned, or personally owned iMac's or Mac Laptops. I have a strong feeling that pulling them out of a Mac environment and tossing them into a Windows based cloud server to share files wouldn't sit well with them.

You've got to have them make a decision about "company owned mixed with employee owned".
Next..."How do they work with the files?" Are all the computers/laptops located IN the half dozen office locations? Or are there mobile users doing stuff like home visits or visits at nursing homes? What kind of work do they need to do with files?

If you have mobile users with laptops, doing visits... you have two choices. If ANY data is stored locally on them... you have to encrypt them, FDE. Can become expensive and chew up hard drives. I have a Hospice client... we converted all laptops to be just basically thin clients, RDP through their TSGateway server to the terminal server. No software at all on the laptops, not even MS Office. Just my RMM software and antivirus. Zero data kept on them. So no need to encrypt them.

If you put a cloud sync product on them... they'll have data... so you have to encrypt them. Think about HDD size too when it comes to syncing cloud storage. A health care place, with medical records, client case folders... can get to some huge storage. Might reconsider that and just do a big terminal server. Keep the data off the laptops/workstations.
 
I'm tired as heck so I'm rambling incoherently...but, I like having an independent IT assessment company come in and run a security assessment/audit and then give me my action list to do for my client. I won't do an assessment/audit myself...I stay neutral.
 