Breadcrumbs

Guide to HIPAA Rules in the Compliance Center

This table defines the HIPAA rules covered in FileCloud's Compliance Center, explains what steps you must take to be in compliance, and describes how FileCloud validates each rule.

Rule (click to see text)

Description

Steps for complying

Validation

164.304 Definitions

Identify which files have electronically protected health information (ePHI).

In the Compliance Center, click the Edit button for the rule, and select a metadata set with a tag that identifies ePHI files.

(To carry out compliance, you must use smart classification to apply the metadata tag to ePHI files.)

If the metadata set exists and is enabled, status is OK; if not, status is Issues.

164.306 Security standards: General rules

Allow at least one user access to the Compliance system.

To enable at least one user to manage the Compliance Center:

  1. Go to Admins and create a role with Compliance access to the Compliance Center.

  2. In Admins, add at least one user to the role with access to the Compliance Center.

If one or more Admin users have access to the Compliance Center, status is OK; if not, status is Issues.

164.308 Administrative safeguards.
(a)(1)(ii)(A & B)

Confirm that all the FileCloud Compliance HIPAA rules are successful.

Enable this rule once all the other HIPAA rules are compliant.

If all rules are implemented and status of all rules is OK then the status of this rule OK; if not, status is Issues.

164.308 Administrative safeguards.
(a)(1)(ii)(D)

Implement a procedure to regularly review system activity records.

In Settings > Admin, enable Send daily governance report to admin.

If the Send daily governance report to admin setting is enabled, status is OK; if not, status is Issues.

164.308 Administrative safeguards.(a)(3)(ii)(A)

Allow users to login to access FileCloud content based on location or IP address.

Click the Edit button and select a DLP rule that blocks users from logging in from outside locations.

If the DLP rule exists and is enabled and GeoIP is not disabled, status is OK; otherwise, status is Issues.

164.308 Administrative safeguards.(a)(5)(ii)(B)

Configure antivirus protection against malicious file uploads.

  1. Go to Settings > Third Party Integration > Antivirus.

  2. Configure an Antivirus.

If an Antivirus is configured, status is OK; if not, status is Issues.

164.308 Administrative safeguards.(a)(5)(ii)(C)

Monitor log-in attempts.

  1. Go to Settings > Admin.

  2. Set Audit Log Level to REQUEST or FULL.

If Audit Log Level is REQUEST or FULL status is OK; if Audit Log Level is OFF, status is Issues.

164.308 Administrative safeguards.(a)(5)(ii)(D)

Set up password management procedures.

  1. Go to Settings > Misc > Password.

  2. Configure the settings as follows:

    • Set Minimum password length to 8 or more.

    • Enable Enable strong passwords.

    • Enable Disallow commonly used passwords.

    • Set User password expiration in days to a value greater than 0.

    • Set Number of previous passwords that cannot be reused to a value greater than 0.

    • Set Reset password attempt interval to a value greater than 0.

If the password settings are configured as indicated, status is OK; if not, status is Issues.

164.308 Administrative safeguards.(a)(6)(ii)

Confirm all (HIPAA) violations can be exported from the Compliance Center.

Enable this rule as confirmation that all FileCloud Compliance HIPAA violations can be exported. 

None

164.308 Administrative safeguards.(a)(7)(i)

Implement a contingency plan in case systems containing ePHI are damaged.

Enable this rule as confirmation that you have done the following:

  1. Go to Settings > Misc > General.

  2. Disable Database backup interval option should be disabled (by default it is disabled).

  3. Set Database backup interval to daily.

  4. Backup of the managed storage location should be planned and maintained by your team.

None

164.308 Administrative safeguards.(a)(7)(ii)(B)

Establish procedures to restore loss of data.

Enable this rule as confirmation that admins understand the procedures to restore data given at Backing Up and Restoring FileCloud Server.

None

164.308 Administrative safeguards.(a)(7)(ii)(C)

Establish an emergency mode operation plan.

Enable this rule as confirmation that admins understand that they can configure a firewall proxy rule to prevent access to FileCloud to protect ePHI.

None

164.312 Technical safeguards.(a)(1)

Implement policies and procedures to only allow access to ePHI to people and programs with access rights.

To prevent data from being shared with unauthorized users:

  1. For each policy, go to Settings > Policies and click the General tab. Set Share Mode to either Allow Private Shares Only or Shares Not Allowed.

  2. Remove any existing public shares, or change them to private.

If Share Mode is Allow All Shares or any public shares exist, status is Issues.

164.312 Technical safeguards.(a)(2)(i)

Assign a unique name and/or number to each user.

Enable this rule as a confirmation that all users have unique usernames.

None

164.312 Technical safeguards.(a)(2)(iii)

Terminate sessions after a certain amount of time automatically.

To confirm automatic logoff of sessions:

  • Go to Settings > Server, and set Session Timeout to a value greater than 0.

If Session Timeout is set to 0 or empty, status is Issues.

164.312 Technical safeguards.(a)(2)(iv)

Implement encryption and decryption of ePHI.

To set up ePHI encryption:

  1. Configure storage encryption. See Setting Up Managed Storage Encryption.

  2. Go to Settings > Storage > Managed Storage and click Manage next to Encryption; then enable encryption.

  3. Encrypt all existing files.

If storage is not fully encrypted, or any existing files are not fully encrypted, status is Issues.

164.312 Technical safeguards.(b)

Set up audit controls.

To implement audit controls:

  • Go to Settings > Admin, and configure the following:

    • Audit Log Level - Set to to REQUEST or FULL.

    • Auto Archive Audit Database - Enable.

    • Auto Archive Records Frequency (in days) - Enter a value.

    • Storage Path For Archived Audit Records - Enter a valid path.

If any of the audit settings is not set as specified, status is Issues.

164.312 Technical safeguards.(c)(1)

Protect ePHI files from destruction.

To protect ePHI files and folders from deletion:

  • Click the Edit button, and select a retention policy to protect ePHI files and folders from deletion based on metadata.

If the retention policy exists and is enabled, status is OK; if not, or if modifications to the retention policy allow file or folder deletion, status is Issues.

164.312 Technical safeguards.(d)

Verify user identity of people seeking access to ePHI.

To confirm that all users have individual FileCloud user accounts, enable this rule. 

None

164.312 Technical safeguards.(e)(1)

Guard against unauthorized access of ePHI that is being transmitted.

To guard against unauthorized access to ePHI:

  1. Click the Edit button, and select a DLP rule that blocks public shares.

  2. Change any existing public shares to private.

If the DLP rule exists and is enabled and there are no existing public shares, status is OK; if not, or if modifications to the rule allow public shares, status is Issues.

164.312 Technical safeguards.(e)(2)(i)

Ensure that transmitted ePHI is not modified.

To confirm that users are educated about sharing permissions and folder level permissions, enable this rule.

None

164.316 Policies and procedures and documentation requirements.(b)(2)(i)

Retain files for 6 years.

To retain files for 6 years:

  • Click the Edit button, and select a retention policy to retain files for 6 years based on metadata.
    (The selected retention policy must have it's expiry set to 2192 days (6 years with 2 leap years) and must not renew on expiry.)

If the retention policy exists and is enabled, status is OK; if not, status is Issues.

164.316 Policies and procedures and documentation requirements.(b)(2)(ii)

Make documentation available and accessible.

To confirm that Admins and users have access to support documentation for all features, enable this rule.

None

164.316 Policies and procedures and documentation requirements.(b)(2)(iii)

Maintain updated documentation.

To ensure the system is at the latest version, go to Upgrade screen in Admin and ensure there are no upgrades available

If the system is not upgraded to the latest available version, then status is Issues.

164.404 Notification to individuals. (b)

Create timely notifications in case of breaches.

To confirm that admins can use Audit logs, Alerts and Violation reports to generate breach notifications, enable this rule. 

None

164.502 Uses and disclosures of protected health information: General rules.(a)(1)

Allow users to use and disclose ePHI according to regulations.

To prevent data from being shared with non-associates without proper permission:

  1. Go to Settings > Policies, and edit each policy.

    1. On the General tab, set Share Mode to either Allow Private Shares Only or Shares Not Allowed.

    2. Remove any existing public shares or change them to private.

If Share Mode is Allow All Shares or any public shares exist, status is Issues.

164.504 Uses and disclosures: Organizational requirements.(e)(1)

Business associates must comply with standards.

To confirm that users who have access to ePHI are educated about sharing permissions, enable this rule. 

None

164.504 Uses and disclosures: Organizational requirements.(e)(2)(ii)(J)

At the termination of a contract, all info shared with business associate should be destroyed or returned.

To confirm return or destruction of ePHI at the termination of contracts:

  • Go to Settings > Misc > Share and configure these settings:

    • Remove Expired Shares - enable.

    • Delete Files from Expired Shares - enable.

If all the settings are as specified, status is OK; if not, status is Issues.

164.508 Uses and disclosures for which an authorization is required.(a)

Uses of ePHI requiring authorization.

To implement authorization for use and disclosures of ePHI:

  • Click the Edit button, and select a DLP rule that restricts sharing.

If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow public shares, status is Issues.

164.522 Rights to request privacy protection for protected health information. (a)(1)

Right of individual to request restriction of disclosure of their ePHI.

To implement the right of an individual to request restriction of uses and disclosures of ePHI:

  1. Go to Settings > Misc > General.

  2. If Disable Locking is enabled, disable it, and save.

If Disable Locking is unchecked, status is OK; if not, status is Issues.

164.528 Accounting of disclosures of protected health information.

Right of an individual to receive records of disclosures of PHI.

To confirm that admins understand how to use audit logs and reports to generate an account of disclosures of protected health information, enable this rule.

None