HIPAA Compliance at FileShot
FileShot is built on a zero-knowledge architecture that exceeds the encryption requirements of the HIPAA Security Rule. We offer Business Associate Agreements for healthcare organizations on our Professional plan.
Why zero-knowledge matters for HIPAA
Under HIPAA's Breach Notification Rule (45 CFR 164.402), encrypted data that meets NIST standards is excluded from breach notification requirements — provided the encryption key was not compromised. FileShot's architecture satisfies this standard by design.
Client-side encryption
Files are encrypted with AES-256-GCM in the browser using the Web Crypto API before any data is transmitted. The server receives and stores only ciphertext.
Keys never reach the server
The decryption key exists only in the URL fragment (the part after #). URL fragments are never sent to the server by any browser. FileShot cannot decrypt your files because it never possesses the key.
Breach-safe by architecture
Even if the storage server were compromised, an attacker would obtain only encrypted ciphertext — indistinguishable from random data without the key. Under HIPAA, this does not constitute a reportable breach of unsecured PHI.
NIST-approved cryptography
AES-256-GCM is approved by NIST (SP 800-38D) and listed in the HHS Guidance on encryption methods that render ePHI unusable, unreadable, or indecipherable to unauthorized individuals.
HIPAA Security Rule — Technical Safeguards
The following table maps HIPAA Security Rule requirements (45 CFR 164.312) to FileShot's implementation.
| Requirement | CFR Reference | FileShot Implementation |
|---|---|---|
| Access Control | 164.312(a)(1) | Authenticated uploads via user accounts. Downloads require the unique encrypted link plus optional password. Links can be set to expire or limit download count. |
| Unique User Identification | 164.312(a)(2)(i) | Each registered user has a unique account ID. Upload and download actions are attributed to authenticated users. |
| Automatic Logoff | 164.312(a)(2)(iii) | Sessions expire automatically. Inactive sessions are terminated server-side. |
| Encryption & Decryption | 164.312(a)(2)(iv) | AES-256-GCM client-side encryption. Server stores only ciphertext. Key exists only in URL fragment, never transmitted to server. |
| Audit Controls | 164.312(b) | Professional plan includes audit logging: uploads, downloads, deletions, and authentication events are recorded with timestamps. Logs retained for 6 years per HIPAA requirements. |
| Integrity Controls | 164.312(c)(1) | GCM mode provides authenticated encryption — any modification to the ciphertext is detected during decryption and the file is rejected. Undetected tampering is computationally infeasible without the key. |
| Person or Entity Authentication | 164.312(d) | User authentication via email and password. Optional password protection on individual file links for recipient verification. |
| Transmission Security | 164.312(e)(1) | All connections over TLS 1.2+. Files are additionally encrypted client-side before transmission, providing defense in depth. |
Business Associate Agreement
HIPAA requires that Covered Entities enter into a Business Associate Agreement (BAA) with any third-party service that handles electronic Protected Health Information (ePHI). FileShot provides a BAA for organizations on the Professional plan.
What the BAA covers
- Permitted uses and disclosures of ePHI
- Safeguards FileShot maintains to protect ePHI
- Breach notification obligations and timelines
- Return or destruction of ePHI upon termination
- HHS audit cooperation requirements
- Subcontractor obligations
How to obtain a BAA
- Subscribe to the Professional plan
- Contact hipaa@fileshot.io to request a BAA
- Review, countersign, and return the agreement
- Your account is marked as BAA-covered
Data handling practices
Data at rest
Files are stored as AES-256-GCM ciphertext. The server has no access to the decryption key. The ciphertext is indistinguishable from random data to anyone without the key, including FileShot operators.
Data in transit
All connections use TLS 1.2 or higher. Files are encrypted before transmission, so even if TLS were compromised, the file content remains protected by AES-256-GCM encryption.
Data retention and disposal
Files expire automatically based on the configurable retention period set at upload. Once expired, the ciphertext is permanently deleted from storage. No file data is retained beyond the expiration date. Users can also delete files manually at any time.
Audit log retention
Audit logs on the Professional plan are retained for a minimum of 6 years in accordance with 45 CFR 164.530(j). Logs contain operational metadata only — no file content, no filenames, no encryption keys.
Minimum necessary principle
FileShot's zero-knowledge architecture enforces the minimum necessary principle at the infrastructure level. The server never possesses more information than necessary because it cannot access file content at all.
Breach notification procedure
In the event of a security incident, FileShot follows the HIPAA Breach Notification Rule (45 CFR 164.400-414).
Incident detection and investigation
FileShot investigates any suspected security incident immediately. Due to the zero-knowledge architecture, a server compromise does not expose file content — only encrypted ciphertext is stored.
Risk assessment
A four-factor risk assessment is performed per 45 CFR 164.402: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If the file data was encrypted and the keys were not compromised, the safe harbor provision applies.
Notification to Covered Entities
If a breach of unsecured PHI is determined to have occurred, FileShot notifies affected BAA partners within 60 days of discovery, in writing, with a description of the incident, the types of information involved, recommended protective steps, and what FileShot is doing to investigate and mitigate.
Documentation and remediation
All incidents are documented and retained for 6 years. Root cause analysis is performed and corrective actions are implemented to prevent recurrence.
Ready to share medical files securely?
FileShot's Professional plan includes a BAA, audit logging, and the strongest encryption architecture available in a file sharing platform. Start with a free account, then upgrade when you need compliance features.