Is eFileCabinet HIPAA Compliant?

eFileCabinet can be used in a HIPAA-compliant manner for storing or sharing electronic protected health information when the organization implements the available security, access, and audit controls, configures them correctly, and signs a Business Associate Agreement with eFileCabinet before using the platform for that purpose.

eFileCabinet is a document management and storage solution that offers on-site and cloud storage and is used to centralize electronic documents. In healthcare operations, a document management system is used to store documents containing electronic protected health information in a controlled repository, support controlled access by workforce members, and reduce the use of ad hoc storage locations that increase disclosure and integrity risks.

The platform includes encryption of data in transit and at rest using 256-bit encryption. Files containing sensitive information can be shared with third parties and remote employees using the SecureDrawer feature. SecureDrawer is designed to allow documents to be shared without sending files beyond the protection of the firewall, with documents remaining in the eFileCabinet system and accessed through a secure, encrypted portal.

Access controls include user and role-based permissions that limit access to sensitive information and restrict permitted actions for users and groups when working with documents containing electronic protected health information. Authentication controls can be configured with different approaches, ranging from passwords to voice prints and facial recognition. Users are automatically logged off after a period of inactivity.

Integrity and accountability functions include automated file retention intended to satisfy integrity control requirements, routine data backups, and an audit trail. Audit records are maintained for user access and user activity, including whether documents have been copied or downloaded. These functions support monitoring and investigation of access events and document handling within the system.

Security and privacy features do not, by themselves, make a service HIPAA compliant for a HIPAA Covered Entity or Business Associate. A Business Associate Agreement is required when eFileCabinet creates, receives, maintains, or transmits protected health information on behalf of a HIPAA Covered Entity or Business Associate. eFileCabinet is prepared to sign a Business Associate Agreement with HIPAA Covered Entities and their Business Associates. The covered entity remains responsible for configuring the controls made available through eFileCabinet to support HIPAA compliance. Failure to set access controls appropriately can result in impermissible access to electronic protected health information.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter (https://x.com/JamesKeoghHIPAA) and contact James on LinkedIn (https://www.linkedin.com/in/james-keogh-89023681).