HIPAA-Friendly File Transfer for Medical Files: What Healthcare Providers Actually Need
By Steven · Business Technology Contributor, Zapfile
HIPAA compliance for file transfer is an area where there's a lot of confident misinformation. Healthcare providers get sold expensive "HIPAA-compliant" tools that may not actually satisfy the requirements. Simultaneously, straightforward technical solutions get dismissed as "not HIPAA compliant" when they actually could be, with appropriate agreements in place. Let me walk through what HIPAA actually requires and how to apply it practically.
What HIPAA Actually Requires for Electronic File Transfer
HIPAA's Security Rule (45 CFR Part 164, Subpart C) governs electronic Protected Health Information (ePHI). The relevant requirements for file transfer:
§164.312(e)(1) — Transmission Security: "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."
The implementation specification under this standard includes encryption as "addressable" — meaning you must either implement it or document why it isn't reasonable and appropriate, and implement an equivalent alternative. In practice, not encrypting ePHI in transit is very difficult to justify. Encryption is functionally required.
§164.308(b)(1) — Business Associate Contracts: If you use a third-party service to transmit or store ePHI, that service must sign a Business Associate Agreement (BAA) with you. This is non-negotiable. A service that won't sign a BAA cannot be used for ePHI, regardless of its technical security.
The BAA Requirement: What It Means and Why It Matters
A Business Associate Agreement is a contract under which the vendor agrees to protect ePHI, use it only for the purposes outlined in the agreement, report breaches, and comply with HIPAA's requirements on their end.
Some major services sign BAAs. Google's Workspace (not personal Gmail — the enterprise product) offers a BAA. Microsoft 365 Business and Enterprise offer BAAs. Dropbox Business offers a BAA. These products, with BAAs in place, can be used for ePHI.
Services that don't offer BAAs cannot be used for ePHI, regardless of how secure they technically are. Consumer Gmail, personal Dropbox accounts, WhatsApp, and most consumer file transfer tools do not offer BAAs.
What about P2P tools like Zapfile? The BAA question here is specific: if the service never receives or stores ePHI (because files transfer directly peer-to-peer without transiting the service's servers), the BAA requirement may not apply in the same way, because the service may not technically be a "business associate" handling ePHI. This is a legal question that warrants specific counsel for your practice — I'm not giving legal advice here. The technical reality is that P2P transfer minimizes the third-party exposure question precisely because no third party receives the data.
Common Tools and Their HIPAA Status
| Tool | BAA Available | Encrypted Transit | Notes |
|---|---|---|---|
| Google Workspace (paid) | Yes | Yes (TLS) | Acceptable with BAA signed |
| Microsoft 365 Business/Enterprise | Yes | Yes | Acceptable with BAA signed |
| Dropbox Business | Yes | Yes | Acceptable with BAA signed |
| Tresorit | Yes | Yes (E2E) | Strong choice; E2E encryption |
| Consumer Gmail / Google Drive | No | Yes (TLS) | Not acceptable for ePHI |
| WhatsApp | No | Yes (E2E) | Not acceptable for ePHI |
| Zapfile (P2P) | Consult counsel | Yes (DTLS) | No server ePHI storage; BAA question depends on BA definition |
Common Mistakes in Healthcare File Transfer
Using Personal Accounts for Work
Providers using personal Gmail or personal Dropbox accounts (not enterprise versions with BAAs) for patient documents are out of compliance regardless of how careful they are otherwise. The BAA is the line, not the encryption. Get your practice on Google Workspace or Microsoft 365 with the BAA signed.
Texting Patient Documents
Standard SMS is unencrypted and does not satisfy HIPAA transmission security requirements. WhatsApp has E2E encryption but no BAA available. Neither is acceptable for ePHI. Secure messaging platforms designed for healthcare (TigerConnect, Imprivata Cortext) provide HIPAA-compliant messaging including file transfer.
Fax as a "Safe" Default
Paper fax to fax machine (physical fax) is generally considered outside HIPAA's electronic requirements and remains in wide use in healthcare. However, electronic fax services (eFax, RingCentral Fax) create electronic ePHI — those services need BAAs too. Many healthcare providers don't realize their digital fax service requires a BAA.
Patient Portal Links vs. Direct Transfer
Sending patients their own records via email attachment, even from a HIPAA-compliant email system, creates a copy that the patient controls with no ability to revoke or audit further access. Patient portals (built into most EHR systems) are better: the patient downloads from your controlled environment, there's an audit trail, and you can see when it was accessed.
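The three properties the portal model gives you (the copy stays in your environment, every access is logged, and access can be withdrawn) can be seen in a small model. This is an added illustration written for this article, not Zapfile's code or any EHR vendor's portal API; the token format, time-to-live and in-memory store are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """One patient's time-limited permission to download one record."""
    record_id: str
    patient_id: str
    expires_at: float
    revoked: bool = False


class PortalDownloads:
    """Constructed model of portal-style record access (not a real product)."""

    def __init__(self):
        self._grants: dict[str, Grant] = {}  # download token -> grant
        self.audit: list[dict] = []          # one entry per access attempt

    def issue(self, record_id, patient_id, ttl_seconds=3600, now=None):
        """Create an unguessable, single-patient, expiring download token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(record_id, patient_id, now + ttl_seconds)
        return token

    def revoke(self, token):
        """Withdraw access; impossible once a copy has gone out by email."""
        grant = self._grants.get(token)
        if grant is not None:
            grant.revoked = True

    def download(self, token, patient_id, now=None):
        """Return the record id if the grant is valid; log every attempt."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        allowed = (grant is not None and not grant.revoked
                   and grant.patient_id == patient_id and now < grant.expires_at)
        self.audit.append({"ts": now, "patient": patient_id,
                           "record": grant.record_id if grant else None,
                           "outcome": "allowed" if allowed else "denied"})
        return grant.record_id if allowed else None
```

The audit list is what lets you answer "when was this record accessed, and by whom"; an email attachment leaves no equivalent trail once it has been delivered.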
Building a Compliant Transfer Workflow
For most small-to-medium healthcare practices, a compliant baseline looks like:
- Enterprise email (Google Workspace or Microsoft 365) with BAA signed — for routine communications
- EHR patient portal — for sending patient records to patients
- Secure messaging platform with BAA — for internal team communication and file sharing
- Dedicated secure file transfer service with BAA (Tresorit, ShareFile) — for sending large files to other providers or specialists
The BAA is the non-negotiable part. Everything else is configurable. If you're uncertain whether a tool you're using is appropriate for ePHI, start by asking the vendor: "Will you sign a Business Associate Agreement?" If the answer is no, the tool is not appropriate for patient data, regardless of its technical security features.