Sync Pro Solo Professional, Pro Solo Unlimited, and all Pro Teams plans include HIPAA compliance. Sync will sign a HIPAA Business Associate Agreement (BAA) on request once you have purchased one of these plans.
Sync is an ideal HIPAA Business Associate for Covered Entities. All data stored on our servers is encrypted. There is no unsecured Protected Health Information (PHI) stored on our servers or available to Sync, its employees, or its subcontractors. See our HIPAA agreement (PDF).
How to use Sync in a HIPAA-compliant way
While Sync provides the tools and safeguards needed to support HIPAA compliance, the Covered Entity, meaning your organization, is responsible for ensuring PHI is only shared with people who are legally entitled to access it.
Your organization is also responsible for managing who has access to PHI in Sync. Using Sync features, access can be granted or revoked at any time as needed.
Employees of the Covered Entity must be added as users under a qualifying Sync account with a signed BAA. This includes any external vendors, subcontractors, or other parties who are initiating sharing or managing access to PHI on your organization’s behalf.
Recipients of shared PHI, such as your clients or customers, do not require a paid Sync seat or a separate HIPAA agreement with Sync. Depending on the sharing method used, they may access the information with a free Sync account (for example, for shared folders) or with no Sync account at all (for example, for secure links).
To help maintain HIPAA compliance when using Sync:
When sharing with links, always set a password and expiry date, and ensure all recipients are legally authorized to access the PHI being shared.
When sharing with team shared folders, use folder permissions and Remote Wipe, and ensure all recipients are legally authorized to access the PHI being shared.
Secure PHI on local devices by using safeguards such as unique passwords, two-factor authentication, employee training, and other appropriate administrative, technical, and physical controls.
For more information, see "What can I do to ensure my files are encrypted and my Sync account is secure?"
Covered Entity responsibilities are outlined in the HIPAA BAA, including Section E and specifically Section E4.