Dropbox & HIPAA Compliance

Dropbox is a widely-used file-hosting service implemented by many groups in order to share files. Dropbox claims it now supports HIPAA and HITECH Act compliance but that does automatically mean Dropbox is HIPAA compliant. No software or file sharing service can be HIPAA compliant as this will depend on how the software or platform is being used bu individual. That said, healthcare groups can use Dropbox to share or store files that include protected health information without breaching HIPAA Rules.

The Health Insurance Portability and Accountability Act obligates covered groups to complete a business associate agreement (BAA) with an entity prior to any protected health information (PHI) being shared. Dropbox is classified as a business associate so a BAA is a legal requirement.

Dropbox will complete a business associate agreement with HIPAA-covered groups. To prevent a HIPAA violation, the BAA must be obtained prior to any file containing PHI is uploaded to a Dropbox account. A BAA can be signed electronically on the Account page of the Admin Console.

Dropbox permits third party apps to be implemented, although it is important to remember that they are not covered by the BAA. If third party applications are used with a Dropbox account, covered groups need to assess those apps separately prior to their use.

Dropbox Accounts Must be Set Up Properly

HIPAA requires healthcare groups to put in place security measures to preserve the confidentiality, integrity and availability of PHI. It is therefore crucial to set up a Dropbox account correctly. Even with a completed BAA, it is possible to breach HIPAA Rules when using Dropbox.

To prevent a HIPAA breach, sharing permissions should be established to ensure files containing PHI can only be accessed by authorized workers/individuals. Sharing permissions can be set to prevent PHI from being shared with any individual exterior to a team. Two-step verification should be put in place as an additional safeguard against unauthorized access.

It should not be possible for any files including PHI to be deleted forever. Administrators can switch off permanent deletions via the Admin Console. That will ensure files cannot be permanently deleted during the lifetime of the account.

It is also crucial for Dropbox accounts to be reviewed to ensure that PHI is not being accessed by unauthorized people. Administrators should remove individuals when their role changes and they no longer require  access to PHI or when they leave the organization. The list of connected devices should also be regularly looked over. Dropbox allows connected devices to have Dropbox content remotely wiped. That should happen when a user leaves the organization of if a device is lost or stolen.

Dropbox tracks all user activity. Reports can be produced to show who has shared content and to obtain information on authentication and the activities of account administrators. Those reports should be regularly looked over.

Dropbox will be a mapping of its internal practices available on request and offers a third-party assurance report that details the controls that the firm has established to help keep files secure. Those documents can be provided by the account management team.

Dropbox is secure and controls have been put in place to stop unauthorized access, but ultimately HIPAA compliance depends on users. If a BAA is completed and the account is correctly set up, Dropbox can be used by healthcare groups to share PHI with authorized individuals without breaching HIPAA Rules.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.