Dropbox is a widely used file hosting service that many organizations rely on to share files, but is Dropbox HIPAA compliant? Is it permitted to use Dropbox to share protected health information?
Dropbox states that its service now supports compliance with HIPAA and the HITECH Act. That does not, by itself, make Dropbox HIPAA compliant. No software or file sharing platform can be HIPAA compliant in isolation, because compliance depends on how the platform is configured and used and on the people using it. Even so, healthcare organizations can use Dropbox to store or share files containing protected health information (PHI) without breaching HIPAA regulations, provided the conditions below are met.
The Health Insurance Portability and Accountability Act requires covered entities to execute a business associate agreement (BAA) with any vendor before that vendor is given access to PHI. Dropbox meets the definition of a business associate, so a BAA is required.
Dropbox will enter into a business associate agreement with HIPAA-covered entities. To avoid a HIPAA violation, the BAA must be signed by both parties before any file containing PHI is uploaded to a Dropbox account. The BAA can be completed electronically on the Account page of the Dropbox Admin Console.
Dropbox allows third-party applications to connect to accounts, but those applications are not covered by the Dropbox BAA. If third-party apps are to be used with a Dropbox account, the covered entity must assess each of them separately (including whether a separate BAA is needed) before they are allowed to touch PHI.
Correct Configuration of Dropbox Accounts
HIPAA requires healthcare organizations to implement safeguards that maintain the confidentiality, integrity and availability of PHI. It is therefore essential that Dropbox accounts are configured correctly. Even with a signed BAA in place, HIPAA Rules can still be violated through misconfiguration or misuse of the Dropbox platform.
To avoid a possible HIPAA violation, sharing permissions should be configured so that files containing PHI can only be viewed by authorized people. Sharing permissions can be restricted so that PHI cannot be shared with anyone outside a particular team. Two-step verification should be enforced for all users as an additional safeguard against unauthorized access.
Files containing PHI should not be permanently deletable. Administrators can disable permanent deletion via the Admin Console; once disabled, files cannot be permanently deleted for the lifetime of the account.
Dropbox accounts should also be reviewed regularly to confirm that PHI is not visible to unauthorized people. Administrators should remove a user's access when the user's role changes so that PHI is no longer needed for the job, and when the user leaves the organization. The list of linked devices should also be monitored regularly. Dropbox can remotely delete its content from a linked device; that should be done when a user leaves the organization or when a device is lost or stolen.
Dropbox logs user activity. Reports can be generated showing who has shared content, authentication activity and the actions of account administrators. Those reports should be reviewed regularly.
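The reviews described in the preceding paragraphs (sharing restricted to the team, two-step verification enforced, departed users removed, stale or orphaned devices remotely wiped, sharing activity monitored) can be scripted rather than done by eye. The following is an added example, not Dropbox's own code and not its API schema: it runs those checks over a constructed, simplified export of a member roster, linked devices and sharing events. The field names, the TEAM_DOMAIN value, the "needs_phi" role flag and the 90-day device threshold are assumptions; in practice the records would be pulled from the Admin Console reports or the team API.

```python
"""Access review over a constructed Dropbox team export (added example).

The records and field names here are constructed for illustration and are
not the Dropbox API schema. Each check maps to one review the text calls for.
"""
from datetime import datetime, timedelta, timezone

TEAM_DOMAIN = "clinic.example"   # assumption: the covered entity's own email domain
STALE_DEVICE_DAYS = 90           # assumption: review threshold for inactive devices

# Constructed member roster: account status, whether the role requires PHI
# access, and whether two-step verification is enabled.
MEMBERS = [
    {"email": "dr.lee@clinic.example", "status": "active", "needs_phi": True, "two_step": True},
    {"email": "billing@clinic.example", "status": "active", "needs_phi": False, "two_step": False},
    {"email": "ex.nurse@clinic.example", "status": "removed", "needs_phi": False, "two_step": True},
]
# Constructed linked devices, one row per device session.
DEVICES = [
    {"email": "dr.lee@clinic.example", "device_id": "d-100", "last_activity": "2024-05-01T09:00:00Z"},
    {"email": "dr.lee@clinic.example", "device_id": "d-101", "last_activity": "2024-01-15T08:30:00Z"},
    {"email": "ex.nurse@clinic.example", "device_id": "d-200", "last_activity": "2024-01-10T14:00:00Z"},
]
# Constructed sharing events: actor, path, recipient, and whether the path
# is tagged as holding PHI.
SHARES = [
    {"actor": "dr.lee@clinic.example", "path": "/PHI/patients", "recipient": "rn@clinic.example", "phi": True},
    {"actor": "billing@clinic.example", "path": "/PHI/claims", "recipient": "partner@outside.example", "phi": True},
    {"actor": "dr.lee@clinic.example", "path": "/Marketing", "recipient": "vendor@outside.example", "phi": False},
]


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def _parse_ts(ts: str) -> datetime:
    # Accept the trailing "Z" form; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_access(members, devices, shares, as_of: datetime):
    """Return a sorted list of (code, subject, detail) findings."""
    by_email = {m["email"]: m for m in members}
    findings = []

    # 1. Two-step verification must be on for every active member.
    for m in members:
        if m["status"] == "active" and not m["two_step"]:
            findings.append(("two_step_disabled", m["email"], "enforce two-step verification"))

    # 2. Devices still linked to removed users need a remote wipe; devices
    #    with no recent activity need confirmation that they are still in use.
    for d in devices:
        owner = by_email.get(d["email"])
        if owner is None or owner["status"] != "active":
            findings.append(("device_linked_to_removed_user", d["device_id"],
                             f"remote-wipe; owner {d['email']} is not active"))
            continue
        age = as_of - _parse_ts(d["last_activity"])
        if age > timedelta(days=STALE_DEVICE_DAYS):
            findings.append(("device_inactive", d["device_id"],
                             f"no activity for {age.days} days; confirm still in use"))

    # 3. PHI must only be handled by roles that need it and must stay in the team.
    for s in shares:
        if not s["phi"]:
            continue
        actor = by_email.get(s["actor"])
        if actor is None or not actor["needs_phi"]:
            findings.append(("phi_access_without_need", s["actor"],
                             f"shared {s['path']} but role does not require PHI"))
        if _domain(s["recipient"]) != TEAM_DOMAIN:
            findings.append(("phi_shared_externally", s["path"],
                             f"recipient {s['recipient']} is outside {TEAM_DOMAIN}"))

    return sorted(findings)


def run_review(as_of: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Run the review over the constructed export with a fixed review date."""
    return review_access(MEMBERS, DEVICES, SHARES, as_of)


if __name__ == "__main__":
    for code, subject, detail in run_review():
        print(f"{code:30} {subject:28} {detail}")
```

The share of /PHI/patients by dr.lee to a colleague inside the team produces no finding, which is the point of the checks: they flag deviations from the configured policy rather than every sharing event, so the output stays short enough to be reviewed on a regular schedule.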
Dropbox can supply a mapping of its internal practices to HIPAA and HITECH requirements, along with a third-party assurance report describing the controls it has put in place to help keep files secure. Those documents can be requested from the Dropbox account management team and should be retained as part of the covered entity's vendor risk assessment.
In conclusion, is Dropbox HIPAA compliant? Dropbox has security measures in place to prevent unauthorized access, but HIPAA compliance ultimately depends on how the organization uses the system. If a BAA is signed and the account is properly configured and monitored, healthcare organizations can use Dropbox to store and share PHI with authorized users without breaching HIPAA Regulations.