Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information?
Is Dropbox HIPAA Compliant?
Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant?
Dropbox states that it supports HIPAA and HITECH Act compliance, but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform is HIPAA compliant in itself; compliance depends on how the platform is configured and used. That said, healthcare organizations can use Dropbox to store and share files containing protected health information (PHI) without violating HIPAA Rules, provided the conditions below are met.
The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with a vendor before any PHI is disclosed to it. Because Dropbox stores and transmits PHI on behalf of its healthcare customers, it is a business associate and a BAA is required.
Dropbox will sign a BAA with HIPAA-covered entities. To avoid a HIPAA violation, the BAA must be in place before any file containing PHI is uploaded to a Dropbox account; a BAA signed after the fact does not cover the earlier disclosure. The BAA can be signed electronically via the Account page of the Admin Console.
Dropbox allows third-party apps to be connected to an account, but those apps are not covered by Dropbox's BAA. Any third-party app used with a Dropbox account that holds PHI must be assessed separately by the covered entity before use, and if the app's vendor will itself handle PHI, a separate BAA with that vendor is needed.
Dropbox Accounts Must be Configured Carefully
HIPAA requires healthcare organizations to implement safeguards that preserve the confidentiality, integrity and availability of PHI, so a Dropbox account must be configured with those safeguards in mind. Even with a signed BAA, a misconfigured account can lead to a HIPAA violation.
Sharing permissions should be configured so that files containing PHI can be accessed only by authorized individuals. Team-level sharing settings can prevent content from being shared with anyone outside the team, and shared links should not be left open to anyone who holds the link. Two-step verification should be enforced for all team members as an additional safeguard against unauthorized access.
It should not be possible for users to permanently delete files containing PHI. Administrators can disable permanent deletions via the Admin Console, which ensures files cannot be permanently deleted for the lifetime of the account and supports the integrity and availability requirements above.
Dropbox accounts must also be monitored to ensure PHI is not being accessed by unauthorized individuals. Administrators should remove a user's access when their role changes and they no longer need PHI, and remove the account entirely when they leave the organization. The list of linked devices should be reviewed regularly. Dropbox allows Dropbox content on linked devices to be remotely wiped, and that should be done when a user leaves the organization or if a device is lost or stolen.
Dropbox logs user activity. Reports can be generated showing who has shared content and with whom, along with authentication events and the actions of account administrators. Those reports should be reviewed regularly and retained as evidence of the review.
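As an added example (not from the article and not Dropbox code), the following Python script shows the kind of review the configuration and monitoring paragraphs above call for. It runs over a constructed, simplified activity export and flags public shared links, shares to addresses outside the team domain, permanent deletions, logins without two-step verification, and any activity by users who have already left. The event field names and the team domain are assumptions; map them onto the columns of your own Admin Console export before use.

```python
"""Review a Dropbox team activity export for HIPAA-relevant findings.

Added example for this article; not Dropbox's code. The event schema used
here (type, actor, target, recipient, link_visibility, tfa, device) is a
simplified, constructed one and is an assumption: map it onto the columns
of your own Admin Console activity export before use.
"""
from collections import Counter

TEAM_DOMAIN = "example-clinic.org"                       # assumed team e-mail domain
DEPARTED_USERS = {"former.nurse@example-clinic.org"}     # assumed list of leavers

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00Z", "type": "shared_link_create",
     "actor": "dr.smith@example-clinic.org", "target": "/PHI/intake_forms.pdf",
     "link_visibility": "public"},
    {"ts": "2024-03-01T09:15:00Z", "type": "shared_content_add_member",
     "actor": "dr.smith@example-clinic.org", "target": "/PHI/labs",
     "recipient": "billing@external-vendor.com"},
    {"ts": "2024-03-01T10:02:00Z", "type": "file_permanently_delete",
     "actor": "admin@example-clinic.org", "target": "/PHI/old_records.csv"},
    {"ts": "2024-03-01T11:30:00Z", "type": "login_success",
     "actor": "former.nurse@example-clinic.org", "tfa": False},
    {"ts": "2024-03-01T12:00:00Z", "type": "device_link",
     "actor": "dr.smith@example-clinic.org", "device": "iPhone (dr.smith)"},
    {"ts": "2024-03-01T12:05:00Z", "type": "shared_content_add_member",
     "actor": "dr.smith@example-clinic.org", "target": "/PHI/labs",
     "recipient": "rn.jones@example-clinic.org"},   # internal recipient: fine
]


def is_external(address, team_domain=TEAM_DOMAIN):
    """True if the address belongs to someone outside the team's domain."""
    if not address:
        return False
    return not address.lower().endswith("@" + team_domain.lower())


def review_events(events, team_domain=TEAM_DOMAIN, departed=DEPARTED_USERS):
    """Return (kind, actor, detail) tuples for events an administrator should review."""
    findings = []
    for ev in events:
        kind, actor = ev["type"], ev["actor"]
        if kind == "shared_link_create" and ev.get("link_visibility") == "public":
            # Anyone holding the link can read the file: PHI must not be shared this way.
            findings.append(("public_link", actor, ev["target"]))
        elif kind == "shared_content_add_member" and is_external(ev.get("recipient"), team_domain):
            # Content shared with an address outside the team.
            findings.append(("external_share", actor, ev["recipient"]))
        elif kind == "file_permanently_delete":
            # Permanent deletion should be disabled in the Admin Console; flag any that occur.
            findings.append(("permanent_delete", actor, ev["target"]))
        elif kind == "login_success":
            if actor in departed:
                # A leaver's account is still active and being used.
                findings.append(("departed_user_login", actor, ev["ts"]))
            if not ev.get("tfa", False):
                # Login without two-step verification.
                findings.append(("login_without_2sv", actor, ev["ts"]))
        elif kind == "device_link" and actor in departed:
            # A leaver linked a device: it should be unlinked and remotely wiped.
            findings.append(("departed_user_device", actor, ev["device"]))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick review dashboard."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    found = review_events(SAMPLE_EVENTS)
    for kind, actor, detail in found:
        print(f"{kind:22} {actor:36} {detail}")
    print(summarize(found))
```

The checks are deliberately simple string and set comparisons so they can be adapted to whatever columns the real export provides; the value is in running them on every export rather than in their sophistication.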
On request, Dropbox will provide a mapping of its internal practices to HIPAA requirements and a third-party assurance report detailing the controls it has implemented to keep files secure. Those documents can be obtained from the account management team and should be kept as part of the covered entity's vendor due diligence.
So, is Dropbox HIPAA compliant? Dropbox has implemented controls to prevent unauthorized access, but ultimately HIPAA compliance depends on how the service is used. If a BAA is obtained before any PHI is uploaded and the account is correctly configured and monitored, Dropbox can be used by healthcare organizations to share PHI with authorized individuals without violating HIPAA Rules.