Secure File Sharing for Healthcare: HIPAA Compliance


A nurse at a rural clinic emails a patient's consultation report to a specialist 40 miles away. No password, no expiry, no thought about who else might receive it. Two weeks later, the clinic receives an HHS notification. That single email—sent in 10 seconds—triggers a compliance review that takes months.
Most HIPAA violations in file sharing don't come from sophisticated attacks. They come from staff using convenient tools that weren't designed for protected health information.
HIPAA's Security Rule focuses on three types of safeguards: administrative, physical, and technical. When it comes to sharing files containing PHI, the technical requirements are the most directly relevant:
The key phrase throughout the Security Rule is "reasonable and appropriate." There's no single approved tool or process—the standard is scaled to your organization's size, resources, and the sensitivity of the data involved.
PHI isn't just medical records with a full name attached. Under HIPAA, 18 categories of identifiers make data "protected," including dates (birth, admission, discharge), geographic data, and account or record numbers. A consultation summary with a patient's initials and date of birth is PHI. X-ray filenames that include the MRN are PHI. Even metadata on a document can be PHI if it contains identifying information.
Before sharing any file, the question to ask is: could someone with this file—and reasonable access to other information—identify the patient? If yes, treat it as PHI.
This is also why stripping metadata before sharing matters. A Word document carries author name, company, and revision history in its file properties. An image exported from a PACS system may carry DICOM metadata that includes the patient's full name. Sending a "de-identified" file that still contains 15 identifying fields in its metadata isn't de-identified at all.
Regular email is the most common violation vector—and the most avoidable. The problem isn't just interception risk. It's that email creates permanent, hard-to-control copies. An attachment sent to a specialist's Gmail address now lives in Google's servers, in the specialist's inbox, possibly in their "Sent Items," and in any backup service either party uses. Unencrypted email attachments are simply not appropriate for PHI, regardless of how convenient they are.
Consumer cloud storage has similar problems. Free-tier Dropbox, Google Drive personal accounts, and similar services weren't built with HIPAA in mind, don't provide Business Associate Agreements (BAAs), and often lack the time-limited access controls that compliance requires.
What you need instead is a sharing method that:

This five-step workflow applies to most clinical file transfers—referrals, specialist consultations, patient records requests:
Step 1: Identify and minimize
Does the file contain PHI? Is every piece of that PHI necessary? A referral to an orthopedic surgeon probably doesn't require the patient's psychiatric history. Strip unnecessary information before it leaves your system.
Step 2: Strip metadata
Use your document editor's inspection tool to remove author, company, tracked changes, and comments. In Word: File → Info → Check for Issues → Inspect Document. For images, re-export from your viewer rather than sharing the original DICOM or TIFF with embedded metadata.
Step 3: Use controlled, expiring links
Upload the file to a sharing platform that supports password protection, automatic expiry, and download limits. Set a short window—24 to 48 hours is appropriate for most referrals. This is directly analogous to what the how healthcare providers share medical imaging workflow uses for DICOM file transfers.
Step 4: Separate the link from the password
Send the download link via one channel (your EHR messaging, email, or secure messaging app) and the access password via a separate channel—typically a phone call or SMS. If one channel is compromised, the file remains inaccessible without both.
Step 5: Document the transfer
Keep a brief log: what was sent, to whom, when, and via which platform. This doesn't have to be elaborate. A simple entry in a shared spreadsheet or your EHR's notes field is enough for most smaller practices to demonstrate compliance during an audit.
A Business Associate Agreement is a contract between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on their behalf. If a vendor touches your PHI—even in transit—HIPAA requires a BAA.
Not every file sharing tool will sign one. Many general-purpose services explicitly refuse. If a vendor declines to provide a BAA, using their service for PHI is a compliance risk you shouldn't take.
Worth noting: the BAA requirement applies to your workflow decisions, not just the tools themselves. Using an encrypted, expiring link to deliver a password-protected ZIP file is a different situation from uploading raw PHI to an uncontrolled cloud folder and sharing the link indefinitely.
For practices exploring this area, GDPR compliance guidance for file sharing covers overlapping themes around data minimization and retention limits—useful context even if your regulatory focus is HIPAA rather than GDPR.
Specialist referrals: Send the referring summary + relevant records. Set a 48-hour expiry. Use a strong one-time password. Confirm receipt via a follow-up call.
Patient records requests: Patients have a right under HIPAA to their own records within 30 days of request (15 days with an extension). Delivering via an expiring download link is acceptable. Set the window to 72 hours and notify them proactively when it expires.
Emergency handoffs: Even in urgent situations, HIPAA applies. Have a pre-configured workflow for emergency transfers rather than defaulting to plain email under pressure. A compliant transfer can still be fast.
Research and quality improvement sharing: PHI used for research generally requires either patient authorization or proper de-identification (Safe Harbor or Expert Determination method). If you're relying on de-identification, verify it carefully—removing 15 of the 18 HIPAA identifiers and leaving 3 doesn't meet the standard.
HIPAA penalties run from $100 per violation (unknowing) to $50,000 per violation (willful neglect), with annual maximums of $1.5 million per violation category. The Office for Civil Rights has levied multi-million dollar settlements over incidents as specific as unencrypted email, misconfigured server access, and insufficient employee training.
Beyond fines, the downstream costs are often worse: mandatory corrective action plans, external audits, and reputational damage with patients who chose your practice specifically because they trusted you with sensitive information.
The most common path to a HIPAA file sharing violation isn't a technical failure. It's a staff member who didn't know the procedure, was under time pressure, and defaulted to regular email.
Training doesn't require an annual 4-hour seminar. Effective prevention looks like:
The best practices for sharing confidential documents framework applies directly here, especially around access controls and file preparation.
If your practice needs a fast way to send PHI to specialists or patients without relying on plain email, Comfyfile supports the core technical controls: password protection, automatic link expiry, and download limits per share. Upload the file, set a 24-hour expiry, restrict downloads to 1–2, and deliver the password over a separate channel. Comfyfile is not a covered entity and does not provide Business Associate Agreements—it works best as a supplementary transfer tool within a broader compliance workflow your practice controls.
Share this article
Experience password protection, auto-expiry, and download limits with Comfyfile
Start Sharing Free