The 2026 HIPAA Security Rule update changes the calculus for healthcare file sharing. Multi-factor authentication is on track to become mandatory for any system that touches electronic protected health information (ePHI). Encryption requirements are tightening. And the Office for Civil Rights (OCR) has signaled it will enforce the new rules aggressively once they finalize – likely in late 2026 or early 2027.
If your organization handles PHI and shares it with anyone outside your immediate team – a billing partner, outside counsel, a contract research organization, a payer, an auditor – you need a file-sharing platform that clears HIPAA’s bar today and the bar that’s coming. Free consumer tools do not, and the typical workarounds (email attachments, password-protected zips, public-link sharing) are precisely the practices the new rule is designed to push out of healthcare.
This is a practical 2026 buyer’s guide covering what HIPAA actually requires for file sharing, what the proposed rule changes mean for your platform choice, the controls that separate marketing claims from real compliance, and a 12-question shortlist for vendor diligence.
What Does HIPAA Require for File Sharing?
HIPAA requires that any system used to share protected health information (PHI) enforce access controls, audit logging, integrity controls, transmission security, and a signed Business Associate Agreement with the vendor. Free consumer tools – including standard Dropbox, Google Drive, and email – do not meet these requirements out of the box.
The HIPAA Security Rule sets five categories of safeguards that any file-sharing solution touching PHI must implement. Three are technical (access controls, audit controls, transmission security), one is administrative (workforce policies, training, incident response), and one is physical (where the data lives and how that infrastructure is protected). For a cloud-based file-sharing platform, the technical safeguards do most of the work – but you can’t satisfy them without a properly executed Business Associate Agreement.
A BAA is the contract that makes a vendor legally accountable for the PHI you trust them with. Without one, no platform is HIPAA-compliant in your environment, no matter how strong its encryption is.
What’s Changing in the 2026 HIPAA Security Rule Update
In December 2024, the U.S. Department of Health and Human Services published a Notice of Proposed Rulemaking (NPRM) modernizing the HIPAA Security Rule for the first time since 2013. The proposed rule has been winding through public comment and is expected to finalize in late 2026 or early 2027. Healthcare organizations should plan for the following changes:
- Mandatory multi-factor authentication for all systems accessing ePHI – including file sharing, EHRs, billing tools, and patient portals.
- Stronger encryption requirements for ePHI at rest and in transit, with explicit cryptographic algorithm specifications.
- A more rigorous risk analysis cadence – annual at minimum, with documented updates whenever systems or workflows change materially.
- New incident response timelines, including faster breach notification to affected individuals and HHS.
- Explicit requirements around vulnerability scanning, penetration testing, and asset inventory.
If your file-sharing vendor cannot enforce MFA on every account today, that is the single biggest gap to close before the rule finalizes. It also serves as a useful tell: vendors that have built the rest of the compliance picture properly already have MFA available – vendors that don’t are usually behind on the broader picture too.
HIPAA Technical Safeguards Mapped to File-Sharing Controls
| HIPAA Safeguard | What It Means | File-Sharing Control |
|---|---|---|
| Access Control (§164.312(a)) | Only authorized users access PHI | Role-based permissions, unique user IDs, automatic logoff, MFA |
| Audit Control (§164.312(b)) | Activity on PHI is logged and reviewable | Tamper-resistant audit trail capturing every view, download, share, and permission change |
| Integrity (§164.312(c)) | PHI is not improperly altered | Version control, checksums, secure file transfer protocols, immutable history |
| Person/Entity Authentication (§164.312(d)) | Users are who they claim to be | MFA, SSO with strong identity provider, federated access controls |
| Transmission Security (§164.312(e)) | PHI is encrypted in transit | TLS 1.2+, end-to-end encryption for sensitive workflows |
The Business Associate Agreement: What It Is and What to Look For
A Business Associate Agreement is the contract that extends HIPAA obligations from a covered entity (you) to a vendor handling PHI on your behalf (the file-sharing platform). The OCR has been clear: no BAA means no permitted disclosure, and using a vendor that has not signed one is itself a HIPAA violation – separate from any actual breach.
A complete BAA must do at least the following:
- Define permitted uses and disclosures of PHI by the vendor.
- Require the vendor to implement reasonable safeguards (the Security Rule controls).
- Require the vendor to report any breach or security incident to you within a defined timeframe.
- Require subcontractors of the vendor (cloud infrastructure, support contractors) to sign equivalent BAAs.
- Define what happens to PHI when the contract ends – return or destruction, with documentation.
Two common pitfalls. First, vendors that “say” they’re HIPAA-compliant but only offer a BAA on enterprise tiers. If your team is on the SMB plan, you’re not covered, no matter what marketing says. Second, BAAs that exclude certain features (chat, mobile apps, certain integrations) from coverage. Read the carve-outs.
Seven Must-Have Features in a HIPAA-Compliant File-Sharing Platform
- Encryption at rest and in transit – AES-256 at rest, TLS 1.2 or higher in transit. End-to-end encryption for the most sensitive workflows.
- Granular access controls – folder-level and document-level permissions, role-based access (RBAC), and the ability to restrict by IP range or geography.
- Audit trail that is tamper-resistant and queryable – every view, download, share, permission change, and login attempt logged for at least six years.
- Multi-factor authentication, enforceable for all users – including external collaborators, not just internal staff.
- Watermarking and digital rights management (DRM) for sensitive documents – particularly for clinical trial data, M&A, and outside-counsel workflows.
- Access expiration and revocation – links that auto-expire, the ability to kill access mid-engagement, and clear handling of shared content when a user leaves.
- Data residency controls – the ability to keep PHI in U.S. data centers, with documented disaster recovery and sub-processor disclosures.
Common HIPAA File-Sharing Mistakes (and How to Avoid Them)
OCR enforcement actions in recent years have surfaced the same handful of mistakes repeatedly:
- Staff using personal Dropbox or Google Drive accounts to move files between work and home. There is no BAA on a personal account, and the audit trail is unrecoverable.
- Emailing PHI as an attachment to outside parties because “it’s easier.” Standard email is not HIPAA-compliant; even encrypted email gateways require careful configuration.
- Sharing files via public links with no expiration, no password, and no audit trail. Links get forwarded; links get indexed.
- Signing a BAA at the master account level but allowing departments to spin up free accounts that aren’t covered.
- Treating “we have encryption” as the end of the compliance conversation. Encryption is necessary; it is not sufficient.
- Not reviewing the audit trail. Logs that no one looks at do not constitute audit control under §164.312(b).
Vendor Evaluation Checklist: 12 Questions Before You Sign
- Will you sign a Business Associate Agreement that covers every feature we plan to use?
- Where does our data live? Can we enforce U.S.-only residency?
- What encryption algorithms do you use at rest and in transit? Provide your latest SOC 2 Type II and HITRUST CSF attestations.
- How is multi-factor authentication enforced, and can we require it for external collaborators?
- Walk us through your audit trail. How long is data retained, and can we export it?
- What is your breach notification timeline, and what does notification include?
- How do you handle access for users who leave their organization – both ours and yours?
- Who are your sub-processors? Have they signed equivalent BAAs?
- Show us a sample incident response report from a real (anonymized) incident.
- What happens to our PHI when the contract ends? In what format, and how is destruction verified?
- How are software updates and patches managed? What’s your vulnerability disclosure program?
- Can you provide three customer references in healthcare, in roles equivalent to ours?


“Govern 365 is a strong, Microsoft 365 native governance and secure collaboration platform. Overall, it comes close to becoming a contender in the governance and secure collaboration market.”
Christopher Dixon, Senior IT Director

At this point, the challenge is not understanding HIPAA requirements – it’s ensuring your file-sharing platform can enforce these controls consistently across real-world workflows, especially when external collaborators are involved. This is where many general-purpose tools fall short.
How Govern 365 Approaches HIPAA-Compliant File Sharing
Govern 365 is built on Microsoft 365 – which means HIPAA-compliant file sharing inherits the technical safeguards already attested to by Microsoft under its Office 365 HIPAA BAA. What Govern 365 adds on top is the controlled-collaboration layer healthcare teams need for sensitive workflows: regulated rooms with built-in audit trails, granular permissions that survive forwarding, watermarking and DRM for clinical and BD content, and access expiration that does not depend on humans remembering to revoke.
For organizations already running Microsoft 365, Govern 365 means HIPAA-compliant file sharing without adding another tool, another vendor relationship, or another BAA. For organizations evaluating their stack, it means starting from the most defensible compliance posture in the market.
See it in your environment. Book a Govern 365 demo focused on your HIPAA file-sharing use case.
Frequently Asked Questions
Is Google Workspace HIPAA compliant?
Google Workspace can be configured to be HIPAA compliant if you sign Google’s Business Associate Agreement and properly configure access controls, audit logs, and sharing restrictions. The free consumer version of Google Drive is not HIPAA compliant under any configuration – no BAA is available.
Is Dropbox HIPAA compliant?
Dropbox Business and Dropbox Enterprise offer a BAA and can be configured for HIPAA compliance. Standard Dropbox personal accounts cannot. Configuration matters: a BAA is necessary but not sufficient. You still need to enforce MFA, audit logs, retention, and access control policies on your end.
Is email HIPAA compliant?
Standard email is not HIPAA compliant. Email encryption gateways and HIPAA-compliant email services exist (Paubox, Virtru, Microsoft 365 with Message Encryption), but each requires a BAA, proper configuration, and disciplined use. Most HIPAA breaches involving email come from sending PHI to the wrong address, not from technical encryption failures.
How long must HIPAA records and audit logs be retained?
HIPAA requires that documentation of policies, procedures, and actions be retained for six years from the date of creation or last effective date – whichever is later. For audit trails of PHI access, the conservative practice is to retain logs for at least six years and to make them queryable so they can support a breach investigation.
Is there such a thing as HIPAA certification?
There is no official “HIPAA certification.” HHS does not certify products or vendors. Any vendor claiming HIPAA certification is using marketing language; what matters is whether the platform has implemented the required safeguards, signed a BAA, and undergone independent attestations like SOC 2 Type II or HITRUST CSF that can be reviewed during your vendor diligence.