Is Dropbox HIPAA compliant?
Dropbox is HIPAA compliant and can be used to store and share files containing Protected Health Information provided HIPAA-covered organizations subscribe to a plan that supports HIPAA compliance and the file hosting service is configured so it is used in compliance with HIPAA.
Dropbox is a popular file storage and sharing service that can enhance communications and productivity within healthcare teams. The service integrates with other communication and productivity services such as Google Workspace, Microsoft Office 365, and Slack, to expand the capabilities of each and to transfer data from each into a single, secure repository.
However, if the file hosting service is used by a covered entity or business associate to create, receive, store, or transmit Protected Health Information (PHI), it is necessary for Dropbox to be HIPAA compliant. It is also necessary for the customer to configure the service so it is used in compliance with HIPAA and to enter into a Business Associate Agreement with Dropbox.
Is Dropbox HIPAA Compliant?
There is no straightforward answer to the question is Dropbox HIPAA compliant because Dropbox only supports HIPAA compliance for organizations that subscribe to a Business, Business Plus, or Enterprise plan. Dropbox does not support HIPAA compliance for individual healthcare providers nor subscribers to the Dropbox Education plan.
Thereafter, depending on what other security and compliance tools are already being used by an organization, it may be necessary to purchase an add-on or upgrade the type of subscription in order to access services such as tiered admin roles, audit logs, and data recovery following a ransomware attack. This can make Dropbox expensive compared to some competitors.
Making Dropbox HIPAA Compliant
If Dropbox is a cost-effective solution to an organizationโs storage and file sharing requirements, it is necessary to make Dropbox HIPAA compliant before using the service to create, receive, or store PHI. Because of the different ways in which healthcare organizations can use Dropbox, there is no one-size-fits-all guide to making Dropbox HIPAA compliant.
However, Dropbox provides a comprehensive Learning Center which provides valuable advice for administrators, teams, and individual users on how to use Dropbox. Unfortunately, none of the advice explains how to use Dropbox in compliance with HIPAA. This will have to be explained to members of the workforce during HIPAA training or security awareness training.
The Dropbox BAA and Admin Considerations
Before a HIPAA covered entity or business associate uses the file storage service to create, receive, or store PHI, it is also necessary to enter into a Business Associate Agreement with Dropbox. Like many large software companies, Dropbox offers customers a standard Agreement and will not enter into separate Agreements with individual organizations.
However, several levels of Admin can digitally sign the Business Associate Agreement (there are eight pre-built Admin levels in Dropbox), so it is necessary for top-level Admins to carefully consider what permissions are granted to each lower level Admin when configuring Dropbox. The permissions granted to each level of Admin are also important to prevent security issues.
Security Issues and the Difficulty in Identifying Them
Although Dropbox itself is very secure, security issues are most likely when Admins integrate non-compliant apps into Dropbox or connect a compliant app to Dropbox using non-compliant middleware. Although the integration of non-compliant software is usually the result of wanting โto get the jobโ done, non-sanctioned โShadow ITโ is often overlooked in risk assessments.
Due to the complexity of configuring Dropbox to be HIPAA compliant, it is possible gateways are left open for Shadow IT to be installed. If this happens, potential risks may not be identified and mitigated. While this risk exists with many popular software solutions, it seems more likely with Dropbox unless top-level Admins have the expertise to manage Admin compliance.
For this reason, it is important to balance the potential risks against the potential benefits when evaluating Dropbox. Organizations and compliance teams who require assistance with identifying potential risks – or configuring Dropbox to prevent them – should seek professional compliance advice from a source familiar with using Dropbox in healthcare.