Is Dropbox HIPAA Compliant?

Over 300,000 businesses worldwide, with half of them being Fortune 500 companies, use Dropbox for collaboration, file sharing, file syncing, online backup, and more. Here is why businesses choose Dropbox over other similar services:

• Dropbox offers shared folders and instant file syncing. It enables multiple people in one organization to work on the same document at one time. So it eliminates the confusion of having multiple copies to compare. Dropbox keeps a log of changes made to a file to review which users created, edited, or deleted a file.
• Automatic back up of data and unlimited file versions. So you can always roll back a file to a specific save point. If a disaster happens and all your files get changed or worse, deleted, Dropbox support can roll a selected folder back to a particular point in time.
• Dropbox Business has enterprise-grade security protection. It has gone through a series of audits and received ISO 27001 and SOC 2 compliance. Their remote wipe feature ensures that the data is safe if a device is lost or stolen.

Other reasons for Dropbox popularity are simplicity for folder syncing, reliable engineering behind the product, and user-centered design.

But is Dropbox HIPAA Compliant? First, let’s discuss what HIPAA compliance means for cloud storage overall.

HIPAA Compliance for Cloud Storage

No official HIPAA certification recognized by US HHS exists for any cloud storage service or software. Thus, HIPAA compliance depends on how you use this technology.

Complying with HIPAA is a shared responsibility between the covered entity and the cloud storage service provider.

Covered entities must use comprehensive risk assessment tools to ensure vendor compliance with the HIPAA Privacy Rule, Security Rule, and the Breach Notification Rule. Therefore, when choosing a cloud storage provider, ask for third-party assurance reports evaluating vendors’ controls for HIPAA rules.

Before you store any ePHI on the cloud, you must ask the cloud storage provider to sign a BAA to make sure they follow HIPAA requirements.

Dropbox offers its business users to sign a BAA electronically in the account Admin Page. Meanwhile, remember that a BAA does not cover third-party apps you integrate with Dropbox. It is your responsibility to conduct a risk assessment and decide if these apps follow your legal and regulatory requirements.

A BAA alone is not a guarantee for HIPAA compliance. You must validate security controls that the vendor has put in place and develop internal policies and procedures covering the usage of cloud storage. Covered entities must utilize cloud services in compliance with HIPAA requirements.

Using Dropbox correctly will allow you to leverage the benefits of the service without running into legal predicaments.

So how to set up your account to ensure HIPAA compliance?

Steps for Setting up a HIPAA-compliant Dropbox Account.

First and foremost, right from the start, set up the technology correctly to avoid hefty fines. For example, in 2019, HHS’ Office of Civil Rights issued a $3 million fine for the University of Rochester Medical Center in New York for failing to encrypt mobile devices and, as a result, losing ePHI.

Take the following steps to ensure HIPAA compliance when using Dropbox to store ePHI:

1. Sign up for a paid Dropbox account to sign BAA. Dropbox does not sign BAA with free account users.
2. Sign an electronic BAA with Dropbox on the account Admin Page.
3. Setup account security features. You must configure sharing permissions before storing ePHI to determine who can view specific documents inside and outside your team. You can also choose an appropriate level of access (edit or view only) for shared folders and customize folder settings.
4. Enable two-step verification and make sure that you use consistent password policies to authenticate access to Dropbox for all users across your organization. It will add an extra layer of protection.
5. Disable permanent deletion to comply with HIPAA Data Retention Requirements. With default Dropbox settings, owners of shared folders and users who upload files can delete content permanently. Turn off this feature and make sure that only team admins can delete content.
6. Conduct risk assessment of third-party apps. Some third-party apps can significantly complement your account and offer powerful tools to strengthen the security. However, as mentioned earlier, they are not covered by Dropbox’s BAA and may not comply with HIPAA requirements.
7. Establish a procedure for a regular review of access and for monitoring your account for unusual activity. Ensure that only appropriate people have access to ePHI stored in your Dropbox account. Review users’ lists frequently and remove users who no longer require access. Additionally, conduct a regular audit of devices connected to your Dropbox account. Timely unlink or wipe unauthorized, lost, or stolen devices to keep your data secure.

Final Thoughts

Storing, sending, and sharing files using Dropbox makes it easier to provide efficient healthcare services to patients. It eliminates unnecessary costs linked to building your server infrastructure and streamlines communication.

It is important to remember that there is no governing body that reviews and certifies software to give them a “HIPAA certified” status. HIPAA is a set of rules and regulations that organizations must follow to ensure that they properly secure the patient health information. Thus, it is your responsibility as a covered entity to choose the right cloud service provider that meets HIPAA requirements.

As with any other application or software, take time to verify and validate their security practices. Check third-party audit reports, review their internal practices, and conduct a risk assessment before making your decision. Consider your existing policies and security management process, and if you need to adjust them to regulate the usage of Dropbox.

Once you start storing patient data on Dropbox, implement the right administrative controls, and configure your account’s security correctly. It can take an investment of time, continuous employee training and financial resources to achieve HIPAA compliance when using Dropbox. However, in the long run, you will have peace of mind and avoid penalties. As a result, you will be able to focus on providing excellent care to your patients.