FTP Today provides every possible control so you can confidently state you have a HIPAA compliant FTP site.
If you plan on transmitting any PHI via FTP Today, you should be concerned about Physical Safeguards and Technical Safeguards. The physical safeguard requirements, as well as infrastructure security and administration requirements, are all met by our SSAE 16 audited data center.
To be HIPAA compliant, your FTP software needs 9 important features:
- Access Control: Unique User Identification
- Access Control: Emergency Access Procedure
- Access Control: Automatic Logoff
- Access Control: Encryption & Decryption
- Audit Controls
- Integrity Policies
- Person or Entity Authentication
- Transmission Security: Integrity Controls
- Transmission Security: Encryption
Can you confidently say your current file sharing process has each of these features covered? Learn more by reading our guide on “Technical Safeguards for a HIPAA Compliant FTP Site”.
Business Associate Agreement
HIPAA compliance is often measured by a service provider's willingness to sign a Business Associate Agreement (BAA); by its adherence to guidance set forth in the HIPAA Security Rule or the Office for Civil Rights (OCR) HIPAA Audit Protocol, or to standards like SSAE 16 Type II; or by the results of a third-party compliance assessment or healthcare-specific security framework, such as HITRUST. There is no such thing as "HIPAA compliance" per se. There is only the exercise of a standard of due care against the rule.
Since FTP Today is a "data transmission organization" (a conduit for the transport of PHI) and does not access the information other than on a random or infrequent basis, it is exempted by definition from being a “business associate” per the HIPAA Standards for Privacy of Individually Identifiable Health Information and the Standards for Security of Electronic Protected Health Information. This exemption is published here (see page 7). A more concise reference to this conduit exemption can be found here.
Nonetheless, we understand the need for you to document responsibilities for protecting PHI with any of your vendors. FTP Today has drafted a Business Associate Agreement for this purpose that properly addresses our business relationship and the handling of any PHI that may be transported through our service. You can view the FTP Today Business Associate Agreement here.