
Data Security and HIPAA Compliance in Mid-sized Healthcare Organizations

The 21st century is facing an uphill battle for better data security, and the healthcare industry is at the front lines. Healthcare providers deal with tremendous amounts of sensitive, legally protected data labeled protected health information (PHI), which requires certain security measures as defined by the Health Insurance Portability and Accountability Act (HIPAA). Mid-sized healthcare practices, those with 20-50 employees, face the difficult task of ensuring that all PHI is handled, transferred and stored properly. But how?

Healthcare and data security

As the digital age has progressed, much of this information has been transferred from paper to electronic records, ushering in new challenges to its privacy. The healthcare industry must meet these challenges. Data breaches open the door for criminal activity that affects thousands of people — sometimes many more than that.

In anticipation of these dangers, the federal government passed HIPAA. The original Act required covered entities — healthcare providers, insurance companies and information clearinghouses — to maintain privacy and security measures designed to protect PHI, including PHI stored electronically (ePHI). HIPAA made these entities subject to disciplinary actions if they failed to comply with its requirements. While punitive, HIPAA’s original disciplinary actions were more likely to affect a practice’s reputation than its bottom line.

HIPAA changed in 2009 under the Health Information Technology for Economic and Clinical Health Act (HITECH) and in 2013 under the Omnibus Rule, which updated and finalized HITECH’s provisions and altered HIPAA’s disciplinary scope. Now, noncompliance with HIPAA regulations can impose significant penalties.

Data security breaches

Data security breaches comprise one of the most common noncompliance issues. They can be difficult to detect. In a 2012 study of 80 large healthcare organizations conducted by the Ponemon Institute, a data security think tank, 94 percent of respondents reported at least one data security breach within two years. But more than half (54 percent) had little to no confidence that they could detect all data loss.

This murky view of data security puts all healthcare organizations at risk, mid-sized practices included. Under the Omnibus Rule, covered entities who violate HIPAA are subject to significant penalties by federal and state governments and possibly prosecution.

HIPAA civil penalties

If your practice faces civil penalties, you will probably incur a Civil Money Penalty (CMP) — in other words, a fine. Current HIPAA regulations divide CMPs into four tiers based on:

• Whether the covered entity knew or should have known about the violation.

• Whether the violation occurred due to willful negligence.

• Whether it was corrected and in how timely a manner.

The Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), conducts HIPAA investigations. If the OCR determines that a data breach was an accident, you’ll have thirty days to correct the error and face lower fines per violation. However, if they think that your practice could and should have prevented a breach, the thirty-day rule does not apply and you’ll be subject to the highest possible CMPs. A single violation can come with a price tag as high as $50,000, with an annual maximum fine per category of violation of $1.5 million. If you have violations of more than one provision of HIPAA, you can face significantly higher fines.

HIPAA criminal penalties

Criminal charges under HIPAA can be incurred by covered entities or by individuals. If you “knowingly” obtain or disclose PHI, you can face a fine of up to $50,000 and imprisonment for up to one year. If you commit a violation “under false pretenses,” or with the intent to sell or use PHI for your own advantage, you can face up to $250,000 in fines and up to 10 years in prison.

According to the Department of Justice (DOJ), “specific knowledge of an action being in violation of the HIPAA statute is not required” in order to “knowingly” obtain or disclose PHI. In other words, you could be prosecuted in criminal court under HIPAA even if you weren’t sure that you were violating the law.

Increasing violations

As the digital landscape grows increasingly complicated, the government has become more vigilant in reviewing healthcare practices. In 2003, only 260 total HIPAA violators had to take “corrective action.” By 2013, the OCR required the same from 3,470 violators. And there’s reason to believe that number will keep growing.

Security challenges

Mid-sized practices face unique data security challenges. The Omnibus Rule applies disciplinary actions based on an organization’s reasonable ability to identify, prepare for and prevent potential threats. So mid-sized providers with CIOs and/or dedicated IT staff can be held to high security standards, even though their resources are more limited than larger practices’.

For instance, in December 2014, Anchorage Community Mental Health Services (ACMHS) “agreed to settle potential violations” of HIPAA with a $150,000 fine and an extensive “corrective action plan” for exposing the ePHI of more than 2,000 people. ACMHS was running old software with outdated patches, leaving the system vulnerable to malware. It’s a simple enough mistake — unless you’re a healthcare practice under HIPAA scrutiny and responsible for the security of ePHI affecting thousands of people.

What do mid-sized healthcare practices like ACMHS need to think about in order to achieve better data security? Technology and resources.

Network security

Security in your office starts with your network — password-protecting every device. This, however, only offers a limited amount of protection.

To create a truly secure internal network, you need managed infrastructure — secured servers, routers and other technology. You also need enough IT personnel to train staff to use the system and troubleshoot errors. They also need to take care of maintenance issues like physically securing and regularly maintaining hardware, updating software with new security certificates and patches, and testing all systems. You also need to think about the biggest threat to your network security: mobile devices.

Mobile devices

Technological strides in communication have revolutionized the healthcare industry. Many practices now utilize bring-your-own-device (BYOD) policies. A surgeon can review an X-ray with a colleague from a tablet at the coffee shop. A secretary can take unfinished work home on a laptop.

But that doesn’t mean they should. As the Harvard Business Review notes, the two great enemies of data security are the convenience and collaboration new technology allows. Unsecured devices within your walls are of enormous concern; you can protect your network and lock down your servers, but at the end of the day you can do very little about that doctor’s personal iPad.

Even if you can ensure the safety of the data in your building, you can’t control what happens to it when it walks out your door. In the Ponemon Institute study previously mentioned, almost half (46 percent) of data breaches occurred through lost or stolen mobile devices.

EHRs and PACSs

Modern healthcare recording systems are fragmented. It seems as if each office and vendor has its own Electronic Health Record (EHR) system or Picture Archiving and Communication System (PACS). Transferring records among them can be impossible.

In order to comply with HIPAA security rules more easily, your staff may fall back on file-sharing methods they know, like fax machines or CDs. These methods are antiquated, and no one has to be trained on how to use them.

However, they create a lot of work for staff. In this way, the digital age is a misnomer; it has increased, not lessened, paperwork in healthcare practices.

Limited resources

A secure data environment takes time and money. Healthcare practices are often short on both. Creating a secure network means convincing your board of directors that you need the funds for pricey hardware and extra salaries. The process is also time-consuming; every time you onboard a new staff member, you must conduct a new training. Sometimes those resources simply aren’t available.

Running regular virus and malware scans also takes time. It’s easy for a full IT team to let something slip through the cracks, and even easier for a busy practice administrator who has limited IT help.

Healthcare practices may find it difficult to find solutions that provide the convenience and collaborative environment that practitioners desire, ease office staff burdens and support security regulations at the same time. That’s where Citrix comes in.

Simple, secure solutions

The Citrix ShareFile Cloud for Healthcare is a cloud-based file-sharing service designed specifically for the healthcare industry. It provides secure, simple transference and storage of large or sensitive files of all kinds, from database records to CAT scans or X-rays. The ShareFile Cloud for Healthcare helps you transfer ePHI both internally and externally while ensuring industry-leading security and saving your office staff time and money. So you can exchange files securely by email with imaging and surgical centers, referring physicians, patients and others — all in a way that supports your HIPAA compliance.

The Cloud for Healthcare differs from consumer file share services in that it supports your HIPAA compliance. Your information is stored in a multi-tenant enclave dedicated only to organizations subject to HIPAA. Once information is in the Cloud for Healthcare, your IT team can spend less time worrying about regulations and more time taking care of the day-to-day management of your systems. Secure, easy, fast features can solve your file-sharing problems.


The Cloud for Healthcare is a cloud-based service. Uploaded files are encrypted before being stored on a cloud server, ensuring their protection. ShareFile employs industry-leading, 256-bit AES encryption, and transfers them through encrypted tunnels using Transport Layer Security (TLS). Per-file encryption keys are stored on an entirely different server, so that anyone with physical access to a storage server still cannot decrypt the files.
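To make the key-separation property concrete, here is a small added model in Go of the layout just described: one AES-256 key per file, ciphertext and key written to different servers, so that the storage side alone cannot decrypt. This is illustrative code written for this page, not ShareFile’s implementation; the two servers are modelled as in-memory maps and the file ID is additionally bound as GCM associated data, both of which are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed model of the layout described above: the storage server keeps only
// nonce||ciphertext, while a separate key server keeps each file's AES-256 key.
type storageServer map[string][]byte
type keyServer map[string][]byte

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only a wrong key length can fail here
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// sealFile draws a fresh key and nonce for this one file, encrypts with AES-GCM
// (file ID bound as associated data) and writes key and ciphertext to different servers.
func sealFile(store storageServer, keys keyServer, fileID string, plaintext []byte) error {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	key, nonce := buf[:32], buf[32:]
	gcm := gcmFor(key)
	store[fileID] = gcm.Seal(nonce, nonce, plaintext, []byte(fileID)) // nonce||ciphertext
	keys[fileID] = key
	return nil
}

// openFile needs both servers: whoever has only the storage server's copy holds no key.
func openFile(store storageServer, keys keyServer, fileID string) ([]byte, error) {
	blob, haveFile := store[fileID]
	key, haveKey := keys[fileID]
	if !haveFile || !haveKey {
		return nil, fmt.Errorf("%q: ciphertext present=%v, key present=%v", fileID, haveFile, haveKey)
	}
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(fileID))
}
```

Binding the file ID as associated data also means a ciphertext copied under a different file ID fails authentication, so a storage-side swap of blobs is detected at decryption time.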

Your providers have the protection they need on the devices they love with mobile apps. With ShareFile, on-the-go doesn’t mean unsafe. Files are encrypted in transit to your mobile device, and configurable features like remote wipe and automatic file deletion create more layers of safety.

ShareFile also allows you granular control of your file security protocols with custom reporting features. You can be notified when a file is downloaded or transferred, see who last accessed it and when, enable view-only access, restrict users to specific files or folders, enable version controls to track iterations of a document and use a host of other features that allow you full control over your data.


Enjoy the convenience of modern email instead of using faxes or couriers to share data. When you send a file through ShareFile, you’re using a secure link rather than an attachment. Additionally, you have the option of password protecting the link to protect the confidentiality of the content or of encrypting the entire email itself, so that all aspects of the communication are protected. ShareFile can handle large documents and media files up to 100 GB.

You can also stop trying to translate between all those EHRs. If you transfer files with an outside party regularly, just assign that end-user a password and a login. This process can save your office time and money; your staff won’t have to constantly fax documents or wait for couriers or mail, and you won’t have to pay for paper, hardware or courier services.

The ShareFile Plugin for Microsoft Outlook simplifies email further. You can encrypt email copy, send secure, password-protected links and access your stored files without leaving Outlook, streamlining your workflow.


ShareFile’s two-way sync feature can sync files across all your devices instantly, ensuring that you’re always working from the correct version of a document. You can share files without having to download them or edit them directly from your device, saving valuable time.

How long does it take you to learn all those different EHR systems and try to translate between them? ShareFile’s familiar file-folder configuration is easy to learn. It’s just like rifling through a file cabinet — but much faster.

ShareFile doesn’t require complicated installation procedures or configuration processes, so you can get your entire office up to speed without time-consuming training.

In case you do run into a problem, a 24/7 customer care team is available to help. As you continue to train and onboard your staff, ShareFile is always there to save you time and ease their transition.

ShareFile: the healthy choice

The Citrix ShareFile Cloud for Healthcare is that rare product that can ease your workflow and your mind at the same time. To find out more about a secure, easy, fast file-sharing service that saves you money and supports your HIPAA compliance, call 1-800-441-3453 or email