Hightail is not HIPAA compliant for HIPAA Covered Entities or Business Associates: Hightail will not sign a HIPAA Business Associate Agreement for handling electronic protected health information, and the service is not offered as a HIPAA-eligible platform for regulated healthcare workflows.
HIPAA requires a written HIPAA Business Associate Agreement when a vendor creates, receives, maintains, or transmits protected health information on behalf of a Covered Entity or another Business Associate. The agreement must address permitted uses and disclosures, safeguards for electronic protected health information under the HIPAA Security Rule, reporting of breaches of unsecured protected health information under the HIPAA Breach Notification Rule, and subcontractor restrictions. Without a HIPAA Business Associate Agreement that covers the service in scope, a Covered Entity or Business Associate cannot use the service to store or transmit protected health information.
Hightail’s own support documentation distinguishes its status from regulated healthcare entities. Hightail states, “Hightail, by the nature of its business, is not subject to HIPAA compliance.” A vendor statement about not being subject to HIPAA does not establish that the service can be used by regulated healthcare organizations for protected health information. HIPAA obligations apply to Covered Entities and Business Associates, and a vendor that handles protected health information for them must be under contract as a business associate.
File sharing and content delivery platforms can handle protected health information through uploaded files, filenames, embedded metadata, collaboration comments, access invitations, user activity logs, notifications, and audit exports. Protected health information can exist in clinical documents, referral packets, imaging files, billing documents, and scheduling materials. Exposure risk increases when content is shared through email notifications or links that are forwarded or accessed outside authorized user controls.
Hightail can be used by healthcare organizations only for data and workflows that do not include protected health information and do not link identifiable individuals to treatment, payment, or healthcare operations. When a workflow requires protected health information, select a vendor that will execute a HIPAA Business Associate Agreement for the service and supports access controls, audit controls, transmission security, retention controls, and incident response procedures aligned with HIPAA requirements.
