It’s one of the most widely-used cloud-based file storage and sharing services – but is Dropbox HIPAA-compliant? It’s an important question that all healthcare providers and other organizations that deal with protected health information (PHI) need to ask before using Dropbox at their practice.
The answer should be simple. Is Dropbox HIPAA-compliant?
Well, yes and no.
Out of the box, Dropbox isn’t HIPAA-compliant by design – no software is, in fact, as it all depends on how that software is used.
That said, it is possible to make use of Dropbox as a file storage and sharing system and avoid HIPAA violations – but it does require careful configuration.
HIPAA Requirements for File Hosting Services
The Health Insurance Portability and Accountability Act has strict requirements regarding the storage of PHI.
Under HIPAA’s Security Rule, HIPAA covered entities – i.e. healthcare providers, plans and clearinghouses – must implement adequate safeguards to preserve the confidentiality, integrity and availability of healthcare data.
In addition, in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA’s requirements to include a covered entity’s business associates.
A business associate is any service provider that has access to the PHI of a covered entity. Business associates are therefore subject to HIPAA rules.
The Department of Health & Human Services (HHS) mandates that a covered entity may use a cloud service provider (CSP) to store or process PHI, provided the entity “enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining or transmitting electronic protected health information (ePHI) on its behalf and otherwise complies with the HIPAA rules.”
So, Is Dropbox HIPAA-compliant?
Not until you have a business associate agreement in place with the company.
Dropbox will sign a BAA with HIPAA covered entities – but to avoid violations, this must be obtained before you upload any file containing PHI to a Dropbox account.
There are, however, other hurdles.
Obtaining a signed BAA is only the first step.
Another important aspect of HIPAA is the Privacy Rule. The Privacy Rule regulates who has access to PHI and the ways in which it can be used and disclosed.
In order to be HIPAA-compliant, organizations must implement policies and procedures that limit the use and disclosure of PHI and restrict access to employees with specific authorization.
The Security Rule, meanwhile, requires organizations to adopt user authentication safeguards when utilizing services for the electronic storage of PHI.
Put it all together and it becomes clear that covered entities must be extremely careful when using Dropbox.
First, sharing permissions need to be configured to ensure files containing PHI cannot be accessed by unauthorized individuals.
In addition, two-step authentication should be set up to add an extra layer of protection to your Dropbox accounts.
Furthermore, regular monitoring of those accounts is required to ensure unauthorized individuals are not accessing PHI.
If someone changes their job role, leaves your organization, or otherwise no longer requires access to PHI, their accounts must be deleted.
The same due diligence must also be applied to any devices that are linked to your Dropbox account.
If a linked device is lost, stolen, or, again, if a device’s user leaves your organization, that device must be unlinked and any Dropbox content wiped from it.
HIPAA also requires that patients are always able to receive a copy of their medical records upon request.
This means that you cannot delete their files.
Unfortunately, by default, the person who uploads a file or an owner of a shared folder can perform permanent deletions in Dropbox. As such, you must disable permanent deletions from the Admin Console, which limits the ability to permanently delete content to admins only.
You must also beware of third-party apps. Though third-party apps and integrations can add extra security or functionality to your Dropbox account, they are not part of Dropbox’s included services.
As such, you must research third-party apps and integrations and obtain separate BAAs before you use them.
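To make the monitoring and access-review points above concrete, here is an added example (not code from the article or from Dropbox) that runs simple checks over a constructed, simplified activity log for a PHI folder: it flags actors who are no longer on the authorized roster, activity from unrecognised devices, public share links to PHI, and permanent deletions. The event fields, roster and device inventory are assumptions for illustration, not Dropbox's real audit-log schema.

```python
# Added example (not from the original article or from Dropbox): a minimal
# access-review pass over a CONSTRUCTED, simplified activity log for a team
# folder holding PHI. The event shape is an assumption for illustration,
# not Dropbox's real team_log schema.

PHI_PREFIX = "/PHI/"

# Assumed roster of staff currently cleared to handle PHI.
AUTHORIZED = {"alice@clinic.example", "bob@clinic.example"}

# Assumed inventory of devices still linked and accounted for.
KNOWN_DEVICES = {"dev-laptop-1", "dev-laptop-2"}

# Constructed sample events: carol has left the practice, dev-phone-7 is not
# in the inventory (e.g. reported lost), and one file sits outside the PHI tree.
EVENTS = [
    {"actor": "alice@clinic.example", "event": "file_download",
     "path": "/PHI/records/patient-123.pdf", "device": "dev-laptop-1"},
    {"actor": "carol@clinic.example", "event": "file_download",
     "path": "/PHI/records/patient-123.pdf", "device": "dev-laptop-2"},
    {"actor": "bob@clinic.example", "event": "shared_link_create",
     "path": "/PHI/records/patient-123.pdf", "visibility": "public"},
    {"actor": "alice@clinic.example", "event": "file_permanently_delete",
     "path": "/PHI/records/patient-456.pdf", "device": "dev-laptop-1"},
    {"actor": "bob@clinic.example", "event": "file_download",
     "path": "/PHI/records/patient-789.pdf", "device": "dev-phone-7"},
    {"actor": "alice@clinic.example", "event": "file_download",
     "path": "/Marketing/flyer.pdf", "device": "dev-laptop-1"},
]


def review(events, authorized=AUTHORIZED, known_devices=KNOWN_DEVICES,
           phi_prefix=PHI_PREFIX):
    """Return (finding, actor, path) tuples for events that need follow-up."""
    findings = []
    for e in events:
        path = e.get("path", "")
        if not path.startswith(phi_prefix):
            continue  # only activity on the PHI tree is in scope here
        actor = e["actor"]
        if actor not in authorized:
            findings.append(("actor_not_on_roster", actor, path))
        if e.get("device") and e["device"] not in known_devices:
            findings.append(("unrecognised_device", actor, path))
        if e["event"] == "shared_link_create" and e.get("visibility") == "public":
            findings.append(("public_link_to_phi", actor, path))
        if e["event"] == "file_permanently_delete":
            findings.append(("permanent_delete_of_phi", actor, path))
    return findings


if __name__ == "__main__":
    for kind, who, where in review(EVENTS):
        print(f"{kind:24} {who:24} {where}")
```

Each finding maps to one of the follow-up actions the article lists: remove the account, unlink the device, restrict the share, or tighten deletion permissions in the Admin Console.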
Central Data Storage – A Safer, HIPAA-Compliant Alternative to Dropbox
Is Dropbox HIPAA-compliant? It can be – though it ultimately depends on how you use the service, how you configure your accounts, and whether you are able to regularly monitor user access and activity, all of which of course present time-consuming administrative burdens.
Fortunately, there are alternative file storage and sharing solutions that are HIPAA-compliant by design.
Central Data Storage is one such solution.
All our products have been purposefully built to keep your PHI safe and secure in full compliance with HIPAA.
We have BAAs in place and are approved by third-party auditors as 100% compliant with HIPAA and HITECH, as well as the EU’s General Data Protection Regulation (GDPR) and State Laws.
What’s more, our 448-bit end-to-end encryption exceeds military-grade standards to ensure your data remains protected from cyberattacks and other outside threats, both in transit and at rest in our highly secure private cloud.
With Central Data Storage, you also enjoy unlimited storage capacity, dual authentication, Encrypted Sharing and ransomware recovery.
Our sole purpose is to ensure that your data is always safe, fully protected and recoverable and that you remain in full compliance with HIPAA and other regulatory requirements.
Want to learn more about the benefits of our fully supported, HIPAA-compliant encrypted file sharing and messaging solution? Just call 1-888-907-1227 or email firstname.lastname@example.org