File sharing that satisfies HIPAA — not just checks a box
Most “HIPAA-compliant” file sharing tools encrypt data and call it done. MnemoShare goes further: identity-bound access, ephemeral credentials, dynamic access questionnaires, and evidence-grade audit trails.
Built for covered entities, business associates, and anyone exchanging PHI externally.
What HIPAA actually requires for file sharing
The HIPAA Security Rule (45 CFR § 164.312) specifies technical safeguards that apply to any system handling electronic protected health information (ePHI). Encryption alone is not enough.
Access Control
§164.312(a) — Only authorized persons should access ePHI. MnemoShare uses identity-bound, ephemeral credentials — every access tied to a verified person, never a shared key.
Audit Controls
§164.312(b) — Record and examine activity in systems containing ePHI. MnemoShare produces structured, immutable audit events exportable to WORM storage.
Encryption
§164.312(e) — Protect ePHI in transit and at rest. MnemoShare uses TLS 1.3 in transit and AES-256-GCM at rest with customer-controlled encryption keys.
Person Authentication
§164.312(d) — Verify a person is who they claim to be. MnemoShare supports SSO integration, enforced MFA, and optional hardware-backed mTLS with TPM/YubiKey.
Integrity Controls
§164.312(c) — Protect ePHI from improper alteration or destruction. SHA-256 checksums verify file integrity. AES-256-GCM provides authenticated encryption.
Authorization Verification
Beyond HIPAA minimums — MnemoShare requires recipients to answer configurable questions before accessing files, documenting authorization at the point of access.
Why encryption alone isn't HIPAA-compliant file sharing
Many tools call themselves “HIPAA-compliant” because they encrypt data. But HIPAA requires much more than encryption — and most breaches don't involve breaking encryption at all.
Encryption-only solutions miss
- ✕ Who accessed the file and whether they were authorized
- ✕ Whether the shared link was forwarded to unauthorized parties
- ✕ Evidence of authorization at the point of access
- ✕ Tamper-evident audit trail for investigations
- ✕ PHI detection before the file leaves the organization
MnemoShare provides
- Identity-bound access — every action tied to a verified person
- Ephemeral credentials that can't be shared or reused
- Dynamic questionnaires documenting authorization
- Immutable audit export to WORM storage
- Real-time PHI/PII detection and malware scanning
Business Associate Agreement
BAAs available for SaaS customers. Self-hosted deployments run entirely within your infrastructure — MnemoShare never accesses your ePHI.
Self-Hosted or Managed SaaS
Deploy in your own infrastructure for maximum control, or use our managed SaaS with dedicated instances. Your encryption keys stay under your control either way.
Ready for file sharing that actually supports HIPAA?
See how MnemoShare goes beyond encryption to provide the access controls, audit trails, and evidence your compliance program needs.