Dropbox offers healthcare organizations a simple tool to store and share files, but is Dropbox HIPAA compliant? Can entities use Dropbox to save or transfer protected health information (PHI)?
Is Dropbox HIPAA Compliant?
Dropbox offers a service where files can be saved to cloud storage and shared with other users. Many individuals and companies share files via Dropbox accounts, but can it be used to share PHI? Is Dropbox HIPAA compliant?
Dropbox has stated that its service is compatible for use under HIPAA and the HITECH Act; however, this does not necessarily mean that Dropbox is HIPAA compliant. Software and file hosting services cannot be said to be HIPAA compliant in and of themselves, as compliance depends on how people make use of these tools. With this in mind, it is possible for healthcare organizations to use Dropbox to save or transfer PHI while still remaining compliant with HIPAA regulations.
Before PHI can be transferred from a HIPAA-covered entity to another entity, a Business Associate Agreement (BAA) must be put in place between these two organizations. As Dropbox is a business, a BAA must be established before PHI can be uploaded to any Dropbox account.
Dropbox has previously signed BAAs with HIPAA-covered entities. It is of the utmost importance that the BAA is signed before any PHI is made available on Dropbox. If data is uploaded before an agreement is in place, that would be a HIPAA violation. A BAA is available from Dropbox on the Account page of the Admin Console, and it is acceptable to sign it electronically.
While third-party apps are compatible for use with Dropbox, it should be noted that a BAA with Dropbox does not include any agreement with these third parties. Should the company wish to use third-party apps, they must be reviewed independently before being used anywhere PHI may be affected.
Dropbox Accounts must be Carefully Configured
Under HIPAA, healthcare organizations must protect the confidentiality, integrity, and availability of PHI. This means that the correct settings must be applied for use of the Dropbox account to be HIPAA compliant. A signed BAA does not prevent HIPAA violations from occurring.
The account settings should ensure that PHI cannot be accessed by unauthorized individuals, and sharing permissions can be configured to prohibit files from being shared with non-team members. Two-step verification (a second authentication factor at login) should also be enabled as a further protection against unauthorized access.
It is important that files containing PHI cannot be permanently deleted. This can be done by disabling permanent deletions in the Admin Console, which prevents files from being lost for good.
Access logs must also be kept for the Dropbox account to verify that only authorized actors have accessed PHI. Access should be restricted to people who currently require access to PHI, and any staff changes or departures should be acted on promptly by the administrator. Linked devices should also be reviewed regularly. One feature of Dropbox is the ability to remotely delete Dropbox content from linked devices, and this should be used if an employee leaves or if a device is misplaced or stolen.
User activity is logged by Dropbox. This means that records of content shared, administrator activities and authorizations can be produced. These records should be reviewed often.
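The controls listed above (permanent deletion disabled, two-step verification for every member, no devices still linked to departed staff, no PHI shared with non-team members) can be turned into a repeatable check. The following Python script is an added example, not Dropbox's own code or API: it audits a constructed, simplified export of team members, linked devices and sharing events (a hypothetical data shape, not Dropbox's real API schema) and reports each control that is violated.

```python
"""Audit a constructed, simplified team export against the HIPAA-related
Dropbox controls discussed above. The data shape is hypothetical and is
NOT Dropbox's real API schema; it only carries the fields the checks need."""
from __future__ import annotations

# Constructed sample export: one weak setting, one member without two-step
# verification, one device still linked to a departed user, one external share.
TEAM = {
    "domain": "clinic.example",
    "permanent_delete_enabled": True,  # weak: article says this must be disabled
    "members": [
        {"email": "alice@clinic.example", "two_step": True, "active": True},
        {"email": "bob@clinic.example", "two_step": False, "active": True},
        {"email": "carol@clinic.example", "two_step": True, "active": False},
    ],
    "devices": [
        {"owner": "alice@clinic.example", "id": "dev-1"},
        {"owner": "carol@clinic.example", "id": "dev-2"},  # owner has left
    ],
    "share_events": [
        {"actor": "alice@clinic.example", "path": "/PHI/labs.pdf",
         "recipient": "bob@clinic.example"},
        {"actor": "bob@clinic.example", "path": "/PHI/intake.pdf",
         "recipient": "partner@other-example.org"},  # not a team member
    ],
}


def audit(team: dict) -> list[str]:
    """Return one finding per violated control (empty list means clean)."""
    findings: list[str] = []
    if team["permanent_delete_enabled"]:
        findings.append("permanent deletion is enabled; disable it in the Admin Console")
    members = {m["email"]: m for m in team["members"]}
    for m in team["members"]:
        if m["active"] and not m["two_step"]:
            findings.append(f"{m['email']}: two-step verification not enabled")
    for d in team["devices"]:
        owner = members.get(d["owner"])
        if owner is None or not owner["active"]:
            findings.append(f"device {d['id']} linked to departed user {d['owner']}; unlink and remote-wipe")
    for e in team["share_events"]:
        r = e["recipient"]
        if r not in members or not r.endswith("@" + team["domain"]):
            findings.append(f"{e['path']} shared by {e['actor']} with non-team member {r}")
    return findings


if __name__ == "__main__":
    for finding in audit(TEAM):
        print("FINDING:", finding)
```

Run against a real export, the same four checks map directly onto the Admin Console review the article describes; a clean team returns an empty list.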
Dropbox’s account management teams can provide information on internal practices, as well as independent reports on the security measures that Dropbox has put in place to protect data. These are available on request.
To summarize, is Dropbox HIPAA compliant? It is a protected platform with measures in place to prevent unauthorized access. Still, Dropbox can only be compliant if the people who use it do not violate any HIPAA rules. With a BAA in force and the correct settings, it is possible for healthcare organizations to use Dropbox to store and transfer PHI to authorized parties and remain compliant with all HIPAA regulations.