An FTP or File Transfer Protocol server is a standard communication protocol used to transfer files between computer systems. However, not all FTP servers are created equally. Some are HIPAA compliant, while others are not. When using an FTP server to send files containing patient protected health information (PHI), it is essential that the product you are using is HIPAA compliant. Are you using a HIPAA compliant FTP server? Find out what to look for and some examples of HIPAA compliant FTP services.
What Does a HIPAA Compliant FTP Server Look Like?
Traditional FTPs were not built with security in mind and are not HIPAA compliant. This is because the technology relies on outdated authentication protocols – plain-text usernames and passwords – and lacks encryption. However, secure file transfer protocol (SFTP) enables encryption, making some SFTPs HIPAA compliant. While encryption is certainly crucial for HIPAA compliant secure FTP, there are other compliance considerations.
- Does the service provider enable two-factor authentication?
- Can access controls be implemented on a per-user basis?
- Are audit logs available?
- Can you implement IP blacklists and whitelists?
- Does the service provider sign business associate agreements (BAAs)?
If the answer to any of these questions is no, the service is likely not HIPAA compliant.
It is important to note that even when a service can answer yes to each of the above questions, HIPAA compliance largely depends on how the service is used. Administrators must be sure that the platform is configured correctly in accordance with the law, that they have a signed BAA with the service provider prior to use, and that employees are trained on how to use the platform properly.
Examples of HIPAA Compliant FTP Services
So now you know what to look for when choosing an FTP server. But rather than dig through provider websites and scanning their terms of use and security protocols, we’d like to make things easier for you by providing a list of a few HIPAA compliant FTP servers you can use.
- HIPAA Vault: this server requires two-factor authentication for file access, enables end-to-end encryption (E2EE), offers access controls, and enables IP blacklisting.
- Files.com: (Premier Plan ONLY) offers two-factor authentication, E2EE, and access controls.
- Cerberus FTP Server: offers access controls, audit logging, and encryption.
- FTP Today: offers user authentication, audit logging, encryption, and access controls.
Each of the HIPAA compliant FTP services listed above is good choice, but users should examine what is most important for their business. A product appropriate for one company isn’t necessarily suitable for another. Some of these products are charged on a per-user basis, while others offer a flat fee. Depending on how many users you need and the amount of data sent, the right choice for your business will differ. For instance, HIPAA Vault’s starter service includes up to 25 users, while Files.com requires a minimum of 25 users and is charged per user.
