What Is HIPAA Compliance?
Healthcare Insurance Portability and Accountability Act (HIPAA) is a federal law that regulates how companies can access and use individually identifiable health information. This data is collectively defined as protected health information (PHI).
What Is Protected Health Information (PHI)?
PHI includes a person’s medical records, such as history, test and laboratory results, and other individually identifiable health information.
Who Needs to Comply with HIPAA?
Any company that has access to PHI must achieve and maintain HIPAA compliance.
What Is a HIPAA Covered Entity?
A covered entity is any entity that is a healthcare provider, provides a health plan or is a healthcare clearinghouse.
What Is a HIPAA Business Associate?
A business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity that involve access by the business associate to protected health information.”
What Is a HIPAA Business Associate Contract?
To ensure that their business associates also protect data that is considered PHI, the covered entities and its business associates must enter into contracts with their business associates. The contracts signify an understanding by the business associates that they are accessing PHI and understand and share the responsibilities that entails. The contracts define, clarify and limit the permissible uses and disclosures of PHI by the business associate.
What Are the Rules of HIPAA?
Privacy Rule
Regulates when a covered entity may disclose PHI without a patient’s express written authorization and when they cannot. If a covered entity discloses any PHI, it should take care to disclose the minimum amount of data necessary to achieve its purpose.
Security Rule
This rule requires covered entities and business associates to put technical, physical and administrative safeguards in place to keep data identified as PHI safe.
Enforcement Rule
Provides standards regarding compliance, investigation, monetary penalties and hearing procedures for HIPAA violations.
Breach Notification Rule
Requires business associates to notify covered entities if they know a data breach occurred. Additionally, covered entities must notify patients affected by a breach of PHI data.
Does Thru’s File Transfer Service Maintain HIPAA Regulations?
Thru’s managed file transfer (MFT) service has features that meet the following required implementation specifications. Thru’s features and functionality also meet several of the specifications noted as addressable in HIPAA’s Part 164 – Security and Privacy, 164.312 Technical Safeguards. To discuss the specifics of Thru’s compliance posture, please contact us »
HIPAA Regulation | Thru Functionality | Thru Feature |
Access Control§164.312 (a)(1)Prevent unauthorized access from users or software that do not have permissions. | Users of Thru are only able to access the software via a number of authentication methods. | Federated Identity Management OR Username/password Multi-factor authentication (MFA) |
| Single sign on (SSO) supported via the SAML protocol with your identity provider such as Microsoft AD Azure. | ||
| Users manually provisioned to use the application are provided a username and password with the option to add an addtional layer of authentication using mobile number and pin code. | ||
| Systems connecting to Thru via SFTP/FTPS clients require username, password and/or key and certificate authentication. | Username, password and/or key and certificate authentication | |
| Applications connecting to Thru via the API will have to authenticate with a token. | Token-based authentication | |
Unique User Identification§164.312 (a)(2)(i)Ensure each user can be singularly tracked. | Thru tracks every action of a user and records these events in Audit forever. This allows granular audits on historical users' activity, if required. For example, if a user receives a file sent securely from Thru, the audit will track the date, user and IP address of the sender and recipient. In addition, the acceptance statement for receiving the file is included in the audit report. | User-level audit |
Integrity§164.312 (c)(1)Prevent unauthorized access from users or software that do not have permission to view or access. | Access to the application is controlled via a number of authentication methods but there are also access controls within the application. | Role-based access control (RBAC) |
Person or Entity Authentication§164.312 (d)Provide electronic verification that ensures that the claimed identity of a user is accurate. | Authentication methods available in Thru, such as SSH keys, ensure the claimed ID of a user is accurate. | Multi-factor authentication (MFA) |
Learn more about HIPAA compliance for secure file transfer »
Secure File Transfer Overview
Thru helps you achieve end-to-end file security with measures to protect data in the cloud, application and network.
