Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by over 500 million people worldwide. It is becoming increasingly popular with businesses and organisations as a way of storing files, as it reduces the amount of on-premises storage space needed to hold records and therefore cuts costs. It has an intuitive, user-friendly interface, and a premium plan for businesses that wish to use it in a professional setting.

However, users in the healthcare industry must be wary. The Health Insurance Portability and Accountability Act (HIPAA) has strict stipulations on the storage of healthcare data. Adequate safeguards must be in place to ensure that unauthorised individuals cannot access the protected health information (PHI) of individuals. Any method a healthcare organisation uses to store files must comply with these rules. This includes any third-party file hosting services they may wish to employ. 

Dropbox claims that it has implemented measures that now make its software both HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant in itself, as compliance depends on how the software or platform is used as well as on the software’s design. Under certain circumstances, healthcare organisations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules.

Under HIPAA, any covered entity (CE) that wishes to share PHI with a third party, even if the files are shared for storage purposes only, must enter into a business associate agreement (BAA) with that third party. This applies to any CE that wishes to use Dropbox for PHI. The BAA must be obtained before any file containing PHI is uploaded to a Dropbox account to prevent a violation from occurring. A BAA can be signed electronically via the Account page of the Admin Console.

Dropbox allows third-party apps to be used in conjunction with its services. The BAA does not cover these apps. If third-party apps are used with a Dropbox account, covered entities need to perform a separate risk assessment on those apps before their use.

HIPAA’s Rules and Dropbox

HIPAA’s Security Rule requires healthcare organisations to implement safeguards to preserve the confidentiality, integrity and availability of PHI. One of the most critical aspects of ensuring that the use of Dropbox is compliant with the Security Rule is to configure the account correctly. Even with a signed BAA, it is possible to violate HIPAA Rules when using Dropbox if the appropriate measures are not taken when setting up the account. 

Sharing permissions should be configured to ensure only authorised individuals can access files containing PHI. Sharing permissions can be set to prevent PHI from being shared with any individual outside of a team. Two-step verification should also be enabled as an additional safeguard against unauthorised access.

HIPAA also requires there to be accountability when it comes to the handling of PHI. It should be made impossible for PHI to be permanently deleted. Administrators can achieve this via the Admin Console, where there is an option to disable permanent deletions. Any files uploaded to the account will then stay on the account for as long as it is active.

It is also essential for Dropbox accounts to be monitored to ensure that unauthorised individuals are not accessing PHI. Administrators should remove users when their role changes and they no longer need access to PHI, or when they leave the organisation. Administrators are also recommended to review the list of linked devices regularly to prevent unauthorised access. Dropbox allows Dropbox content on linked devices to be remotely wiped. That should occur when a user leaves the organisation or if a device is lost or stolen.

Dropbox records all user activity. It can generate reports detailing who has shared content, information on authentication, and the activities of account administrators. Those reports should be regularly reviewed to ensure that PHI is properly handled per HIPAA. 
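The review steps above (team-only sharing, two-step verification, no permanent deletion, stale linked devices) can be turned into a repeatable check over an activity export. The following is an added example, not Dropbox's own tooling or API; the event and device records, their field names, and the team domain are constructed for illustration and do not reflect Dropbox's real report schema.

```python
from datetime import datetime, timedelta

TEAM_DOMAIN = "example-clinic.test"  # assumed team domain (constructed)

# Constructed activity records, modelled loosely on the kinds of events the
# article says Dropbox reports (sharing, authentication, admin actions).
# Field names are assumptions for this example, not Dropbox's report schema.
EVENTS = [
    {"type": "share", "actor": "nurse@example-clinic.test",
     "target": "dr.lee@example-clinic.test", "path": "/PHI/intake-0412.pdf"},
    {"type": "share", "actor": "nurse@example-clinic.test",
     "target": "friend@webmail.test", "path": "/PHI/intake-0412.pdf"},
    {"type": "login", "actor": "admin@example-clinic.test", "two_step": True},
    {"type": "login", "actor": "temp@example-clinic.test", "two_step": False},
    {"type": "permanent_delete", "actor": "temp@example-clinic.test",
     "path": "/PHI/labs-2019.csv"},
]
DEVICES = [
    {"user": "dr.lee@example-clinic.test", "device": "laptop-01",
     "last_seen": "2024-05-01T09:00:00+00:00"},
    {"user": "former.staff@example-clinic.test", "device": "phone-07",
     "last_seen": "2023-11-15T17:30:00+00:00"},
]

def review_events(events, team_domain):
    """Flag events that contradict the settings the article recommends:
    sharing outside the team, sign-in without two-step verification, and
    permanent deletion (which should be disabled in the Admin Console)."""
    findings = []
    for e in events:
        if e["type"] == "share" and not e["target"].endswith("@" + team_domain):
            findings.append(("external_share", e["actor"], e["target"]))
        elif e["type"] == "login" and not e.get("two_step", False):
            findings.append(("login_without_2sv", e["actor"], ""))
        elif e["type"] == "permanent_delete":
            findings.append(("permanent_delete", e["actor"], e["path"]))
    return findings

def stale_devices(devices, now_iso, max_idle_days=90):
    """Linked devices not seen within max_idle_days: candidates for unlinking
    or remote wipe once the user's status has been confirmed."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return [d for d in devices if datetime.fromisoformat(d["last_seen"]) < cutoff]

if __name__ == "__main__":
    for finding in review_events(EVENTS, TEAM_DOMAIN):
        print(*finding)
    for d in stale_devices(DEVICES, "2024-05-10T00:00:00+00:00"):
        print("stale device:", d["user"], d["device"])
```

Each finding maps back to a control on the page, so an administrator can confirm the sharing restriction, two-step enforcement or deletion setting that should have prevented it.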

Dropbox will provide a mapping of its internal practices on request and offers a third-party assurance report that details the controls the firm has implemented to help keep files secure. Those documents can be obtained via the account management team.

In summary, Dropbox can be a secure method of storing PHI provided the account is configured correctly. If a BAA is obtained and the account administrator regularly monitors account activity, Dropbox has the right measures in place to be used by healthcare organisations to share PHI with authorised individuals in total compliance with HIPAA Rules.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA