HIPAA and OCR Compliance

Mar 8, 2021

If the MFT’s A-Rockin’, the Office for Civil Rights Won’t Come A-Knockin’

Any notion that the Office for Civil Rights (OCR) has decreased their enforcement of the Health Insurance Portability and Accountability Act (HIPAA) during the past couple of years couldn’t be further from the truth. On the contrary, according to Beazley Breach Response Services, the average payment for noncompliance penalties rose from $1.9 million in 2017 to $2.6 million in 2018. Not only has the average payment for noncompliance penalties increased, but so has the duration of OCR investigations. Investigations for Resolution Agreements issued in 2018 were found to take three to seven years to complete, partly due to the OCR’s increase in scrutiny towards more minor breaches to identify patterns of non-compliant behavior.

These trends make it clear that the OCR’s emphasis on the importance of secure management of electronic health records and other protected health information (PHI) is increasing. That’s concerning news, but there are simple, cost-effective ways to come into compliance with HIPAA where secure file transfer is involved. Secure, managed file transfer platforms like Coviant’s Diplomat MFT support security requirements under HIPAA standards while also creating a detailed audit trail that confirms security requirements such as encryption, authentication, access control, and monitoring.

Encryption & Authentication

Coviant enables its users to meet the HIPAA requirements of unique user identification and encryption/decryption through easy-to-use PGP or OpenPGP keys. Secure file transfer is achieved through the use of PGP keys that encrypt files containing electronic health records (ePHI) and electronically verify the identity of the user through the following process:

Outbound to Trading Partner

This unique and private PGP key verifies the authenticity of the file’s sender by providing a non-repudiable digital signature. This simple process can also be integrated into a completely automated file transfer process to create an even more streamlined managed file transfer component of your file management program.

Access Control & Monitoring

Aside from PGP keys, users can also be authenticated automatically by entering their Diplomat username and password. Diplomat meets HIPAA requirements for access control and monitoring by allowing customization of user privileges, such as password policies and session expiration limits. User connections are then monitored through an administrative dashboard. The administrative side of Diplomat MFT doesn’t just stop there. File transfer job history and any current file transfer jobs are readily visible to users, along with the following:

  • Log entries
  • Scheduling status of all transactions
  • Ability to execute a new job for a specific Diplomat MFT transaction
  • Ability to hit the “undo” button by terminating currently executing jobs

It is of paramount importance that users control their files if something goes wrong, especially when patient information is at risk. That’s why, with one click, Diplomat MFT allows users to suspend automated file transfers until a detected issue or error is resolved. Technical problems are no sweat with Diplomat, either, since they are spotted right away with real-time visibility of all secure file transfer jobs. Any transient issues are automatically corrected by the software’s self-troubleshooting feature, and failed transfers are automatically re-attempted. If any more significant issues occur, notification of the failure is quickly sent to the user with detailed diagnostic data. With these features, it’s no surprise when Coviant’s healthcare customers say the following:

“Diplomat Enterprise Edition is our corporate standard for managed file transfer. Diplomat’s central console lets us control all secure inbound and outbound file transfers from one location.”

— Mark Luquire, CHRISTUS Health

Coviant can also secure any outbound automated file transfers because Diplomat MFT or Diplomat Remote Agent can be deployed at your business partner’s site as well. Thus, separate solutions for PGP encryption and secure file transfer are not required. Our customers don’t need to run the risk of possibly having outbound ePHI files reside outside the firewall on transport servers, such as FTP, web, or email servers, since Diplomat MFT can manage file transfers in both directions.

Coviant prides itself on Diplomat MFT’s ease-of-use. While other managed file transfer platforms can overwhelm users by having too many modification points, increasing the risk for human error, Coviant has engineered Diplomat MFT to meet your needs with minimal customization, out of the box.


Many managed file transfer solutions support secure file transfer in compliance with HIPAA regulations, but we think Diplomat MFT is the best option out there. It delivers everything you need to securely manage and automate your sensitive file transfers at a value and ease-of-use that is hard to beat. Diplomat MFT does more than simply help you stay in compliance with HIPAA; it can work within your unique business processes to support cost-savings and efficient operations in every aspect of your mission that requires simple, secure file transfers.

Don’t take our word for it. Listen to what your peers say about us, and then try Diplomat Managed File Transfer for free. Once you do, you can stop worrying about the Office for Civil Rights knocking at your door. At least, as far as your file transfers are concerned.

