As a document management and storage service for businesses, eFileCabinet provide on-site and cloud storage. However, is the service appropriate for the healthcare sector? Does eFileCabinet adhere with HIPAA rules or will using it lead to HIPAA breaches?
Document management services permit bodies to carefully manage electronic documents and store them securely in one place. With large volumes of documents being created, such networks take the stress out of document management and can allow HIPAA covered bodies share documents including ePHI securely and avoid HIPAA breaches.
It is important to remember that there are lots of document management services available currently, but not all comply with HIPAA.
Security measures include the encryption of data on the move and at rest with 256-bit encryption. Sensitive data can be securely transmitted to with external-parties and remote workers via the company’s SecureDrawer feature. SecureDrawer allows files to be sent without having to send documents beyond the protection of the firewall. The files do not leave the eFileCabinet system and are accessed through a secure, encrypted portal.
eFileCabinet permits user and role-based permissions to be implemented in order to restrict access to sensitive information as well as control what users and user groups can do with documents including ePHI. Security measures can be set with varying levels of user authentication, from easy passwords to voice prints and facial recognition. Users are also automatically logged out after a duration of inactivity.
Automated file retention meets HIPAA integrity control requirements, data backups are completed and an audit trail is recorded with copies kept of user access, what users have done with documents, and whether files have been copied or downloaded.
Privacy and security measures are only one aspect of HIPAA compliance. Even with all appropriate safeguards set up, a document management system is not a ‘HIPAA compliant’ service unless a business associate agreement (BAA) has been completed with the service provider. By completing a BAA, the service provider is confirming they have put in place all appropriate controls to ensure data security and are aware of their duties in relation to HIPAA. eFileCabinet is willing to complete a BAA with HIPAA covered bodies and their business associates.
However, it is up to the covered body to ensure that all security measures made available through eFileCabinet to support HIPAA compliance are configured properly. Fail to set access controls correctly, for example, and HIPAA Rules would be breached.
eFileCabinet appears to have all the required security, access, and audit controls to ensure it can be used by healthcare groups in a manner that adheres with HIPAA Regulations. eFileCabinet will also complete a business associate agreement with HIPAA covered bodies and their business associates.
As long as a business associate agreement has been completed before the platform is used for storing or sending ePHI, eFileCabinet can be considered a HIPAA compliant document management sservice.