Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant?
There is no software or file sharing systems that can be classified completely HIPAA compliant as it depends on how the software or platform is used and the individuals using it. Despite this, healthcare groups can use Dropbox to share or store files that include protected health information without breaching HIPAA regulations.
The Health Insurance Portability and Accountability Act demands covered bodies to complete a business associate agreement (BAA) with a body before any protected health information (PHI) is accessed. Dropbox is defined as a business associate so a BAA is necessary.
DropBox’s Policy States:
“Dropbox will sign business associate agreements (BAAs) with Dropbox Business, Enterprise, and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).”
That means that DropBox is willing to sign BAAs with PAID users. Free users will not be able to request a BAA with DropBox and cannot use the service in a HIPAA compliant manner. If you’re using a free DropBox account, you’re putting your behavioral health practice at serious risk of a data breach and ensuing HIPAA fines.
A BAA alone is not grounds enough to make DropBox HIPAA compliant, though.
Correct Configuration of Dropbox Accounts:
HIPAA demands healthcare organizations implement security measures to maintain the confidentiality, integrity and availability of PHI. It is therefore key that a Dropbox account be configured properly. Even with a completed BAA, there is potential to violate HIPAA Rules when using the Dropbox system.
To avoid a possible HIPAA violation, sharing permissions should be set up to ensure files holding PHI can only be seen by authorized people. Sharing permissions can be set to stop PHI from being shared with any person outside of a particular team. Two-step verification should be implemented as an extra safeguard against unauthorized access.
It should not be possible for any data or files containing PHI to be completely deleted. Administrators can switch off permanent deletions via the Admin Console. That will mean files cannot be permanently deleted for the duration of the lifetime of the account.
It is also important for Dropbox accounts to be reviewed to make sure that PHI is not being seen by unauthorized people. Administrators should remove individuals when their role changes and they no longer require access to PHI for their roles or when they depart the organization. The list of linked devices should also be regularly monitored. Dropbox allows linked devices to have Dropbox content remotely deleted. That should happen when a user departs the organization of if a device is lost or stolen.
Dropbox tracks all user activity. Reports can be shown to display who has shared content, to obtain information on authentication and the activities of account administrators. Those reports should be regularly monitored.
Dropbox will supply a mapping of its internal practices and provides a third-party assurance report that describes the controls that the firm has put in place to assist keeping files safe. Those documents can be requested from the account management team.
In conclusion, is Dropbox HIPAA compliant? Dropbox is safe and measures have been established to prevent unauthorized access, but HIPAA compliance really depends on users of the system. If a BAA is completed and the account is properly configured, Dropbox can be used by healthcare groups to send and view PHI with authorized users without breaching HIPAA Regulations.