HIPAA Compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA applies to covered entities and their business associates as defined by the law.

What Is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act is a piece of U.S. legislation that was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The primary goals of the HITECH Act are to promote and expand the adoption of health information technology, specifically the use of electronic health records (EHRs) by healthcare providers.

What Is the HIPAA Omnibus Final Rule?

The HIPAA Omnibus Final Rule is a significant set of regulations that modified various aspects of the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, the Privacy, Security, and Breach Notification Rules. This rule was issued by the U.S. Department of Health and Human Services (HHS) and became effective on March 26, 2013, with a compliance deadline for most provisions by September 23, 2013.

What Is a Covered Entity?

Under the Health Insurance Portability and Accountability Act (HIPAA), a "covered entity" is defined as any individual, organization, or agency that meets the following criteria:
  • Healthcare Providers
  • Health Plans
  • Healthcare Clearinghouses
  • What Is a Business Associate?

    A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A business associate also is a subcontractor who creates, receives, maintains, or transmits protected health information on behalf of another business associate. In the context of our services, SFTPCloud would be a business associate of any customer who is a covered entity and enters into a BAA with SFTPCloud.


    SFTPCloud conducts an annual security risk assessment and continuous risk analysis to ensure compliance with evolving security requirements and threats. In commitment to HIPAA compliance, SFTPCloud will sign a BAA for customers on any plan, recommending those with features matching specific security needs.
    Data Location When creating an SFTP server, choose your preferred data hosting region. You can also connect your storage. American-covered entities should select the United States region (us-east-1).
    PHI Data Protection During transmission, all communications are secured with AES-256-bit encryption through HTTPS, SFTP, and FTPS protocols. At rest, when using the SFTPCloud storage, files are encrypted using AES-256.
    Privacy and Intrusion Protection
  • File access audit logs are always available in the dashboard
  • Only essential ports for SFTP, FTP, and HTTPS are accessible
  • You can enable multi-factor authentication for all web-access administrators.
  • SFTP and FTP enforce strong, complex default passwords
  • Inbound network rules can be used for creating IP allow/block lists