LiquidFiles Documentation

HIPAA — LiquidFiles Compliance Mapping

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR Part 164) establishes standards for protecting electronic Protected Health Information (ePHI). The Security Rule defines three categories of safeguards: Administrative, Physical and Technical. This page maps the HIPAA safeguards to the capabilities LiquidFiles provides as a secure file transfer product.

A downloadable spreadsheet with all the control mappings is available at the bottom of this page.

Why LiquidFiles Doesn't Sign Business Associate Agreements

Under HIPAA, a Business Associate Agreement (BAA) is required when a third party creates, receives, maintains or transmits ePHI on behalf of a covered entity. LiquidFiles is a self-hosted product — we sell you the software, you install and operate it on your own infrastructure. We don't host your data, we don't manage your systems, and we have no access to your LiquidFiles installation or any ePHI transferred through it.

Since we never create, receive, maintain or transmit ePHI on your behalf, we are not a Business Associate under HIPAA and a BAA is not applicable. Your LiquidFiles system is entirely within your control, just like your email server or database.

What is relevant is whether LiquidFiles as a product provides the technical safeguards needed to protect ePHI within your environment. That is what this page addresses.

How to Use This Page

The HIPAA Security Rule defines three categories of safeguards:

  • Administrative Safeguards (§164.308) — security management, workforce security, information access, training, contingency planning.
  • Physical Safeguards (§164.310) — facility access, workstation security, device and media controls.
  • Technical Safeguards (§164.312) — access control, audit controls, integrity, authentication and transmission security.

LiquidFiles primarily addresses the Technical Safeguards. Some implementation specifications are marked as Required (must be implemented) and others as Addressable (must be implemented, or a documented alternative must be provided based on a risk assessment). In the mappings below, (R) marks a Required specification and (A) an Addressable one.

Technical Safeguards (§164.312)

Access Control — §164.312(a)(1)

(R) Unique User Identification — §164.312(a)(2)(i)
    Every user has a unique account identified by email address. LDAP/Active Directory integration ensures identities are managed centrally. Shared accounts are neither required nor encouraged. See LDAP Configuration.

(R) Emergency Access Procedure — §164.312(a)(2)(ii)
    Primarily a customer responsibility: the emergency access procedure itself is yours to define. LiquidFiles provides a Sysadmin role with console access. If all admin accounts are locked out, access can be recovered with the console commands ft add_admin or ft reset_admin, which require physical or console access to the system.

(A) Automatic Logoff — §164.312(a)(2)(iii)
    Configurable session timeout. Sessions expire automatically after a period of inactivity; the timeout duration and the "Remember Me" behaviour are both configurable. See Session Timeout.

(A) Encryption and Decryption — §164.312(a)(2)(iv)
    Full disk encryption (LUKS/AES-256) is available for data at rest. FIPS 140-3 mode is available via Ubuntu Pro for validated cryptographic modules. See Full Disk Encryption and FIPS Mode.

Audit Controls — §164.312(b)

(R) Audit Controls
    All uploads, downloads, login activity (successful and failed) and admin activity are logged. The system log is available in Admin → System Log. The message log has configurable retention (default 365 days). Syslog forwarding to external servers supports long-term retention, SIEM integration and independent review. See Logging and Auditing.

Integrity — §164.312(c)(1)

(A) Mechanism to Authenticate ePHI — §164.312(c)(2)
    Files are transferred over TLS 1.2/1.3 with authenticated encryption (AES-256), which protects integrity in transit. ClamAV scanning verifies that uploaded files are not compromised by malware. The audit log records the complete transfer chain, including sender, recipients and timestamps.

Person or Entity Authentication — §164.312(d)

(R) Authentication
    Multiple authentication methods: local username/password with a configurable password policy (CrackLib dictionary validation), LDAP/AD, and SAML2 SSO (Azure AD, Okta, ADFS). Strong two-factor authentication via TOTP, SMS or Duo Security, enforceable per group. Brute force protection blocks repeated failed login attempts. See Strong Authentication.

Transmission Security — §164.312(e)(1)

(A) Integrity Controls — §164.312(e)(2)(i)
    TLS 1.2/1.3 with authenticated encryption ensures data is not altered in transit. HSTS enforces encrypted connections. The default configuration achieves an A+ rating on SSL Labs. See Web Server, SSL and Transmit Encryption.

(A) Encryption — §164.312(e)(2)(ii)
    All web traffic is encrypted with TLS 1.2/1.3 (AES-256) using strong cipher suites. FIPS 140-3 mode is available via Ubuntu Pro. SFTP/FTPS are available for automated file transfer. See SSL Labs Validation.

Relevant Physical Safeguards (§164.310)

Physical safeguards are primarily about your facilities and equipment. One area where LiquidFiles contributes:

(R) Device and Media Controls — §164.310(d)(1)
    Full disk encryption (LUKS/AES-256) ensures data is unreadable on decommissioned media. Automatic message and file deletion is configurable through retention policies. The appliance model means all data is contained in a single virtual disk. See Full Disk Encryption.

Relevant Administrative Safeguards (§164.308)

Administrative safeguards are primarily about your organisation's policies and procedures. Areas where LiquidFiles provides supporting capabilities:

Information Access Management — §164.308(a)(4)
    Role-based access (Sysadmin/Admin/User). Group-based permissions control send and receive rights. LDAP/AD integration for centralised access management. Admin network restrictions. Configurable user auto-expiration.

Security Incident Procedures — §164.308(a)(6)
    Comprehensive audit logging supports incident identification. Brute force detection and auto-blocking. Syslog forwarding to a SIEM for alerting. Your incident response procedures remain your responsibility.

Contingency Plan — §164.308(a)(7)
    Shared responsibility. Built-in backup and restore tools. VM snapshot support. Your contingency plan, its testing and its documentation remain your responsibility.
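
As an added illustration of what a forwarded audit log enables under Audit Controls (§164.312(b)) and Security Incident Procedures (§164.308(a)(6)) above, the following Python is example code written for this page, not part of LiquidFiles. It assumes a constructed key=value line layout that is not the product's real log format, then runs a brute-force alerting rule over those lines and pulls one file's transfer chain out of them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in an ASSUMED key=value layout; this is not
# LiquidFiles' real log format. Check your own System Log / syslog stream and
# adapt LINE_RE before using this against real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z liquidfiles event=login result=success user=alice@example.com src=10.0.0.5
2024-03-01T09:01:10Z liquidfiles event=upload user=alice@example.com file=labs.pdf recipients=bob@example.com
2024-03-01T09:02:00Z liquidfiles event=login result=failed user=bob@example.com src=203.0.113.7
2024-03-01T09:02:05Z liquidfiles event=login result=failed user=bob@example.com src=203.0.113.7
2024-03-01T09:02:09Z liquidfiles event=login result=failed user=bob@example.com src=203.0.113.7
2024-03-01T09:02:14Z liquidfiles event=login result=failed user=admin@example.com src=203.0.113.7
2024-03-01T09:02:20Z liquidfiles event=login result=failed user=bob@example.com src=203.0.113.7
2024-03-01T09:30:00Z liquidfiles event=download user=bob@example.com file=labs.pdf src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) liquidfiles (?P<kv>.*)$")

def parse_log(text):
    """Parse matching lines into dicts; the timestamp becomes a datetime."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
        rec.update(kv.split("=", 1) for kv in m.group("kv").split())
        records.append(rec)
    return records

def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """{src_ip: most failed logins seen inside one sliding window} for sources
    reaching the threshold: the rule a SIEM would alert on for brute force."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("event") == "login" and r.get("result") == "failed":
            by_src[r["src"]].append(r["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits

def transfer_chain(records, filename):
    """Upload and download events for one file, in order: the evidence trail
    the Audit Controls standard expects you to be able to produce."""
    return [(r["event"], r["user"], r["ts"].isoformat())
            for r in records if r.get("file") == filename]
```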

Customer Responsibility

Because LiquidFiles is a self-hosted product and LiquidFiles as a company never accesses ePHI, the following HIPAA areas are entirely your organisation's responsibility:

  • Administrative safeguards — security management, risk analysis, workforce security, training, evaluation, BAAs with your own business associates.
  • Physical safeguards — facility access controls, workstation security (except device/media controls where encryption helps).
  • Policies and procedures — your HIPAA policies, documentation and six-year retention of compliance evidence.
  • Configuration — how you have configured LiquidFiles (we can describe capabilities, not your actual configuration).
  • Risk analysis — your determination of which controls are reasonable and appropriate, particularly for Addressable specifications.

For more context on this distinction, see our Vendor Onboarding Forms page.

Download

A spreadsheet with the HIPAA safeguard mapping for LiquidFiles is available for download.

Download HIPAA Control Mapping (CSV)