Configuring SharePlan For Use With HIPAA

    Overview

    SharePlan can be configured to support compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This article provides guidance on configuring SharePlan for use with HIPAA.

    Obtain a Business Associate Agreement (BAA)

    Before using SharePlan in an environment that requires HIPAA compliance, you must obtain a Business Associate Agreement (BAA) with Code42.

    Note that your SharePlan deployment must use an on-premises master server. Without an on-premises master server, you cannot obtain a BAA with Code42.

    Configure SharePlan for use with HIPAA

    After obtaining a BAA with Code42, you must take the following steps to configure SharePlan for use with HIPAA:

    Use an on-premises master server

    Your SharePlan deployment must use an on-premises master server. This ensures that you directly control the encryption keys for your data.

    Verify Enterprise Server version

    SharePlan version 4.1.4 or later is required to configure SharePlan in a HIPAA-supported manner.

    • To find the current version of your Code42 environment:
      1. Sign in to the administration console.
      2. Select Settings.
      3. Review the Current server version.
    • To upgrade an enterprise server from an earlier version, follow our instructions for Upgrading Your Environment. For assistance with upgrading, please contact sales about engaging Code42's PRO Services team.
    • SharePlan user devices must also use SharePlan version 4.1.4 or later. If you need to upgrade your server environment, make sure all user devices are also upgraded.

    Disable link sharing

    To support HIPAA requirements, you must disable link sharing in order to prevent unauthorized distribution of protected data. Based on your specific policies and procedures for HIPAA, you may wish to disable link sharing at a global level, or individually for specific organizations.

    For more information on the steps presented here, see Configuring Access To Shared Links.

    Disabling Link Sharing

    Disable globally

    Follow these steps to disable link sharing for all SharePlan users:

    1. Sign in to your administration console
    2. Go to Settings > Organization > Sharing
    3. Deselect Enable link sharing
    4. Click Save

    Disable for an organization

    Follow these steps to disable link sharing for SharePlan users in a single organization:

    1. Sign in to your administration console
    2. Go to Organizations
    3. Select an organization
    4. Go to Action menu > Edit > Sharing
    5. Deselect Inherit sharing settings from parent, if necessary
    6. Deselect Enable link sharing
    7. Click Save
    Disabling inheritance
    If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.

    Reviewing audit trails

    SharePlan automatically logs user, plan, and configuration activity. To gather information about SharePlan activity, you can audit your SharePlan logs in three main categories:

    Use unique accounts
    As a best practice, Code42 recommends using unique accounts for all administrators and users. This gives you a greater ability to use your logs and the Code42 API to monitor the behavior of personnel.

    Audit link sharing logs

    SharePlan logs changes to user roles in the history log. You can produce an audit record of the relevant sections of the history log by using a text search tool, such as grep, to search for the term quickshare_enable.

    Example entries in the history log showing changes to the link sharing setting:

    I 09/12/14 09:57AM Subject[1/admin, orgId:1] Updated setting quickshare_enable to false
    I 09/12/14 09:59AM Subject[1/admin, orgId:1] Updated setting quickshare_enable to true
    

    You may also use the Code42 API to monitor the status of the link sharing setting.

    Audit user creation & deactivation

    SharePlan logs user creation, deactivation, and reactivation in the history log. You can produce an audit record of the relevant sections of the history log by using a text search tool, such as grep, to search for the following terms:

    Example entries in the history log of user creation:

    I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:PROe User
    I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:Desktop User
    

    Example entry in the history log of user deactivation:

    I 09/15/14 09:41AM Subject[1/admin, orgId:1] deactivated user: 4/ruby.stark
    

    Example entry in the history log of user reactivation:

    I 09/15/14 09:43AM Subject[1/admin, orgId:1] activated user:4/ruby.stark
    

    You may also use the Code42 API to monitor user creation, deactivation, and reactivation.
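The history-log searches described in the two audit sections above can be turned into a structured audit record. The following is an added example, not Code42 code: it parses the entry format shown in this article's sample lines and flags every entry that turned link sharing back on. The function names are hypothetical, the sample log is built from the article's example entries plus one constructed line, and the MM/DD/YY reading of the timestamp is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: this article's example entries plus one unrelated line.
SAMPLE_LOG = """\
I 09/12/14 09:57AM Subject[1/admin, orgId:1] Updated setting quickshare_enable to false
I 09/12/14 09:59AM Subject[1/admin, orgId:1] Updated setting quickshare_enable to true
I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:PROe User
I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:Desktop User
I 09/15/14 09:41AM Subject[1/admin, orgId:1] deactivated user: 4/ruby.stark
I 09/15/14 09:43AM Subject[1/admin, orgId:1] activated user:4/ruby.stark
I 09/15/14 09:44AM some unrelated entry (constructed)
"""

# Common prefix: level, timestamp, acting account and its organization.
ENTRY = re.compile(r"^\w (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d[AP]M) "
                   r"Subject\[(?P<actor>[^,\]]+), orgId:(?P<org>\d+)\] (?P<msg>.*)$")

# Message patterns taken from the example entries in this article.
EVENTS = [
    ("link_sharing", re.compile(r"^Updated setting quickshare_enable to (?P<detail>true|false)$")),
    ("user_created", re.compile(r"^created user role\. user:(?P<target>\S+) role:(?P<detail>.+)$")),
    ("user_deactivated", re.compile(r"^deactivated user:\s*(?P<target>\S+)$")),
    ("user_activated", re.compile(r"^activated user:\s*(?P<target>\S+)$")),
]

def parse_history(text):
    """Return one dict per audit-relevant entry, in log order."""
    records = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not in the Subject[...] entry format
        for kind, pattern in EVENTS:
            e = pattern.match(m["msg"])
            if e:
                g = e.groupdict()
                records.append({
                    # Assumption: timestamps are MM/DD/YY with a 12-hour clock.
                    "time": datetime.strptime(m["ts"], "%m/%d/%y %I:%M%p"),
                    "actor": m["actor"], "org": int(m["org"]), "event": kind,
                    "target": g.get("target"), "detail": g.get("detail"),
                })
                break
    return records

def link_sharing_enabled(records):
    """Entries that turned link sharing back on; these need follow-up."""
    return [r for r in records if r["event"] == "link_sharing" and r["detail"] == "true"]
```

Because each record carries the acting account, this kind of report is only as useful as the unique-accounts practice recommended above.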

    Audit plan events

    You can monitor file activity in SharePlan with the Code42 API.

    The PlanEvent API call retrieves log information about plan and user events. For details about the PlanEvent API call, use the API Doc Viewer on your enterprise server.

    For information on monitoring SharePlan with the Code42 API, contact sales about engaging Code42's PRO Services team.

    Additional assistance

    If you have questions or need additional assistance configuring SharePlan for use with HIPAA, please contact sales about engaging Code42's PRO Services team.

    External resources

    For a detailed explanation of HIPAA requirements, please reference the following resources from the U.S. Department of Health & Human Services: