
HIPAA Compliance Frequently Asked Questions
Your questions will always be answered.
Questions: support@xtytech.com
Contents: Encryption software products provided by xTy Technology (including xTyFileCrypter, xTyFTP, FileBuffer, AES Encryption API, and RSA and AES Encryption API) meet the HIPAA data security requirements. This article answers some of the most frequently asked questions.

What is HIPAA?
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. It imposes standards for the privacy and protection of all electronic health information. HIPAA affects all health-related organizations in the United States, including health systems, HMOs, and health care support services. One of the general objectives of HIPAA is to protect the health information of individuals against access without proper authorization. The main part of HIPAA concerns the secure storage of confidential patient data on computer systems and its secure transmission over computer networks.

HIPAA regulations were released in December 2000 and went into effect in April 2003. All covered entities are required to become compliant with HIPAA by April 211, 2005.

What software can I use for HIPAA encryption?
Secure File Transfer Service: FileBuffer is a cost-effective combination of an FTP hosting service and the powerful file transfer software xTyFTP. It is very easy to use. If you are currently paying for both, you may want to look at this. More information...

FTP Software: If you use FTP to send or receive files, you can use xTyFTP. xTyFTP encrypts files before they are transmitted, and decrypts files after they are downloaded. The files are never exposed to the public network. When the encryption function is enabled, no secure connection such as SSL is needed. Furthermore, you can set up xTyFTP so that files will be encrypted and transferred automatically from specified folders (How to...).

E-Mail: If you use regular email to send or receive files, you can use xTyFileCrypter to encrypt your files and folders easily within Windows Explorer, then send them as email attachments. xTyFileCrypter allows you to encrypt a large number of files and folders together into a single file. With this feature, you can encrypt and send as many files or folders as you want in a single attachment. The ZIP file maintains the original folder structure. (How to encrypt?) (How to decrypt?)

Also, a free file decrypter is now available at http://www.xtytech.com/src/xTyFileDecrypter/xTyFileDecrypterSetup.exe. If your clients don't need to encrypt files, they can download and install this small package.

Web Browsers: If you use a web server to deliver Personal Health Information (PHI), you can use xTyCrypto or xTyAESCrypter with your server pages to dynamically encrypt web page contents, or you can use xTyFTP or xTyFileCrypter to create pre-encrypted pages.

What are the features of xTyFTP?
Ease of use is probably the most obvious feature of xTyFTP. In addition to the features listed here, xTyFTP can be easily set up to do fully automated secure file transfer. Once this is done, files and folders dropped into the specified folder will be automatically encrypted and transferred to the server. Files and folders in the specified remote folder will be downloaded and decrypted automatically.

xTyFTP also allows you to easily set up client/contractor connection profiles so that
  1. your clients/contractors can automatically connect to the server without knowing or entering account information on the server;
  2. your clients/contractors can only view or access the folders that you specified;
  3. you can easily terminate the granted account access on the server at any time;
  4. you can optionally specify the encryption key that your clients/contractors must use to transfer files.
The xTyFTP User Guide contains detailed instructions on this.

What is FileBuffer?
FileBuffer is an Online Secure File Transfer Service. It allows you to easily exchange files with your contractors or clients.

A unique feature of FileBuffer is that your files are encrypted when they are transmitted AND STAY ENCRYPTED ON THE SERVER. So nobody, including server administrators, will be able to open your files.

Other similar services or software encrypt your files when they are transmitted, but your files are NOT encrypted when they are stored on their servers. So unless you own the server, such services are not quite HIPAA compliant.

What can xTyFileCrypter do?
xTyFileCrypter is fully integrated with Windows Explorer and runs on all Windows platforms. You can select the files and folders within Windows Explorer, encrypt them and pack them into a standard ZIP file. You can then email the ZIP file as an attachment.

What encryption technology is used in xTy Technology software?
xTy Technology software products use the FIPS-approved Rijndael symmetric key encryption algorithm (FIPS-197) in all file encryption and web data encryption. They support industrial-strength 128-, 192-, and 256-bit encryption. The encryption strength required by HIPAA is a symmetric key of 128 bits or an asymmetric key of 1024 bits.

Since the transmission of the information is through a regular unsecured FTP connection, how does it meet HIPAA compliance?
In the world of symmetric key encryption (also called secret key encryption), data files are encrypted using a separate piece of data called a key. Once the data is encrypted, only the person(s) who know the key can decrypt the data, no matter where it is stored or how it is transmitted. For example, a man-in-the-middle can probably intercept the data during transmission. However, he will not be able to decrypt the data.

xTyFTP encrypts the data before it leaves your computer, and the data stays encrypted on the server. When the data is downloaded, it is NOT decrypted until it is fully downloaded to your computer with the correct key. In normal file transmission with secure connections and secure servers, the transmission is also encrypted and secure. However, data stored on the (secure) server is not encrypted and is wide open to the server administrators or possibly intruders.

Data encryption is only one part of the HIPAA regulations. Full compliance with HIPAA requires organizations to maintain appropriate policies and procedures for data handling. For example, access controls must be enforced so that the data is not deleted or damaged by unauthorized persons.

How does the AES encryption compare with 128-bit encryption used in many web transactions? Is AES a higher standard of encryption?
The Rijndael AES encryption is so far the most efficient and reliable symmetric encryption algorithm, and it is the NIST-approved Advanced Encryption Standard (FIPS-197). The previous standard was the FIPS-181 DES standard (Data Encryption Standard). Information about this can be found on the NIST website.

I am currently using other FTP software. Is there any other HIPAA-compliant software that I can use to encrypt data?
Yes. xTyFileCrypter uses the same encryption technology as xTyFTP, and it is fully compatible with xTyFTP. It allows you to easily encrypt and decrypt data within Windows Explorer.

Since both xTyFTP and xTyFileCrypter are integrated with Windows Explorer, you can conveniently access xTyFileCrypter within xTyFTP.

Typically, if you want to send data that requires protection under HIPAA in email, you can use xTyFileCrypter to encrypt it and send it as an email attachment. Then the recipient can save the attachment and use the same software to easily decrypt it.




