Question: Our staffers want to use File Transfer Protocol (FTP) to send patients' confidential information back to the office when they're working from home. Can we do this without violating the privacy or security rules?
- Alaska subscriber
Answer: "Yes," says security specialist Ali Pabrai, CEO and co-founder of HIPAA Academy.net in Chicago. But that doesn't mean it's a safe practice, he warns.
FTP is a widely used method of moving files from one system to another over the Internet, but it is loaded with security risks, Pabrai asserts. "Information sent via FTP is sent in clear text - anyone can read it," whether the file is in transit or at rest, he explains.
Better idea: If your staff need to send information back to the office, instruct them to use encrypted e-mail instead. And if you cannot afford to equip each workstation with encryption, have staffers save their work to a portable disk, he suggests. That way, you can control who sees the information and how it is disposed of.
The Bottom Line: Though FTP is not banned by either the privacy or security rules, you can't just send your patients' PHI out into the world without protection, Pabrai declares. Next step: Work with your tech team to develop a policy on how PHI may be transmitted from home, he advises.