HIPAA-Friendly File Transfer for Medical Files: What Healthcare Providers Actually Need

HIPAA compliance for file transfer is an area where there's a lot of confident misinformation. Healthcare providers get sold expensive "HIPAA-compliant" tools that may not actually satisfy the requirements. Simultaneously, straightforward technical solutions get dismissed as "not HIPAA compliant" when they actually could be, with appropriate agreements in place. Let me walk through what HIPAA actually requires and how to apply it practically.
What HIPAA Actually Requires for Electronic File Transfer
HIPAA's Security Rule (45 CFR Part 164, Subpart C) governs electronic Protected Health Information (ePHI). The relevant requirements for file transfer:
§164.312(e)(1) — Transmission Security: "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."
Within this standard, encryption (§164.312(e)(2)(ii)) is an "addressable" implementation specification. Addressable does not mean optional: you must implement it if it is reasonable and appropriate, and if you decide it is not, you must document that decision and implement an equivalent alternative measure where one is reasonable and appropriate. In practice, not encrypting ePHI in transit is very difficult to justify, and encrypting it to current NIST guidance has a second benefit: under the HITECH breach notification rules, ePHI encrypted that way is not "unsecured PHI," so its interception or loss is generally not a reportable breach. Encryption is functionally required.
§164.308(b)(1) — Business Associate Contracts: If you use a third-party service to transmit or store ePHI, that service must sign a Business Associate Agreement (BAA) with you. This is non-negotiable. A service that won't sign a BAA cannot be used for ePHI, regardless of its technical security.
The BAA Requirement: What It Means and Why It Matters
A Business Associate Agreement is a contract under which the vendor agrees to protect ePHI, use it only for the purposes outlined in the agreement, report breaches, and comply with HIPAA's requirements on their end.
Some major services sign BAAs. Google Workspace (not personal Gmail; the paid enterprise product) offers a BAA. Microsoft 365 Business and Enterprise offer BAAs. Dropbox Business offers a BAA. These products can be used for ePHI once the BAA is actually executed: a product that merely offers a BAA does not cover you until an administrator has accepted or signed it for your organization.
Services that don't offer BAAs cannot be used for ePHI, regardless of how secure they technically are. Consumer Gmail, personal Dropbox accounts, WhatsApp, and most consumer file transfer tools do not offer BAAs.
What about auto-delete tools like Zapfile? The BAA question here is specific: files are temporarily staged on Cloudflare R2 (encrypted in transit via TLS and at rest with AES-256) and permanently deleted the moment the recipient downloads them. Whether a service that holds ePHI only transiently is a "business associate" is a legal question that warrants specific counsel for your practice; this is not legal advice. One thing is worth knowing before that conversation: HHS's cloud computing guidance treats a service that stores ePHI, even briefly and even encrypted with keys it does not hold, as a business associate, and reads the transmission-only "conduit" exception narrowly. What auto-deletion does change is the technical exposure. It minimizes the window during which ePHI sits with a third party, which matters for breach impact, but it does not by itself settle the BAA question.
Common Tools and Their HIPAA Status
| Tool | BAA Available | Encrypted Transit | Notes |
|---|---|---|---|
| Google Workspace (paid) | Yes | Yes (TLS) | Acceptable with BAA signed |
| Microsoft 365 Business/Enterprise | Yes | Yes | Acceptable with BAA signed |
| Dropbox Business | Yes | Yes | Acceptable with BAA signed |
| Tresorit | Yes | Yes (E2E) | Strong choice; E2E encryption |
| Consumer Gmail / Google Drive | No | Yes (TLS) | Not acceptable for ePHI |
| WhatsApp | No | Yes (E2E) | Not acceptable for ePHI |
| Zapfile (auto-delete) | Consult counsel | Yes (TLS + AES-256) | File deleted after download; BAA question depends on BA definition |
Common Mistakes in Healthcare File Transfer
Using Personal Accounts for Work
Providers using personal Gmail or personal Dropbox accounts (not the enterprise versions with BAAs) for patient documents are out of compliance regardless of how careful they are otherwise. The BAA is the line, not the encryption: consumer Gmail uses the same TLS as Workspace, and it still does not qualify. Get your practice on Google Workspace or Microsoft 365 with the BAA executed, and move the patient documents out of the personal accounts.
Texting Patient Documents
Standard SMS is not end-to-end encrypted (it traverses carrier infrastructure in the clear) and does not satisfy HIPAA's transmission security requirement. WhatsApp has E2E encryption but no BAA available. Neither is acceptable for ePHI. Secure messaging platforms designed for healthcare (TigerConnect, Imprivata Cortext) provide messaging and file transfer under a BAA.
Fax as a "Safe" Default
Analog fax from a paper original to a fax machine is generally outside the Security Rule's electronic requirements, because HIPAA's definition of electronic media excludes transmissions of information that did not exist in electronic form immediately before being sent, and it remains in wide use in healthcare. It is still subject to the Privacy Rule, so a fax sent to the wrong number is still an impermissible disclosure. Electronic fax services (eFax, RingCentral Fax) are different: the received fax is stored as a file on the vendor's systems, which makes it ePHI, so those services need BAAs too. Many healthcare providers don't realize their digital fax service requires a BAA.
Patient Portal Links vs. Direct Transfer
Sending patients their own records via email attachment, even from a HIPAA-compliant email system, creates a copy that the patient controls with no ability to revoke or audit further access. Patient portals (built into most EHR systems) are better: the patient downloads from your controlled environment, there's an audit trail, and you can see when it was accessed.
Building a Compliant Transfer Workflow
For most small-to-medium healthcare practices, a compliant baseline looks like:
- Enterprise email (Google Workspace or Microsoft 365) with BAA signed — for routine communications
- EHR patient portal — for sending patient records to patients
- Secure messaging platform with BAA — for internal team communication and file sharing
- Dedicated secure file transfer service with BAA (Tresorit, ShareFile) — for sending large files to other providers or specialists
The BAA is the non-negotiable. Everything else is configurable. If you're uncertain whether a tool you're using is appropriate for ePHI, start by asking the vendor: "Will you sign a Business Associate Agreement?" If the answer is no, the tool is not appropriate for patient data, regardless of its technical security features.
Tanuja Chinthati is the Content and Marketing Lead at ZapFile, based in Ontario, Canada. With a background in Electronics and Communication Engineering, she writes about privacy-first file sharing, secure data transfer, and digital privacy — making complex security concepts accessible to everyday users.