Dropbox is a widely used file hosting service that many organizations rely on to share files, but what about protected health information? Is the service HIPAA compliant?
Dropbox states that it supports HIPAA and HITECH Act compliance, but that does not mean that using Dropbox is automatically HIPAA compliant. No software or file sharing platform can be HIPAA compliant in itself; compliance depends on how the platform is configured and used by the organization in question. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without breaching HIPAA Rules, provided the account is set up and managed correctly.
The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with a vendor before any protected health information (PHI) is shared with it. Dropbox is classified as a business associate, so a BAA is necessary.
Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA breach, the BAA must be in place before any file containing PHI is uploaded to a Dropbox account. A BAA can be submitted electronically via the Account page of the Admin Console.
Dropbox allows third-party apps to be connected to an account, but it is important to remember that those apps are not covered by the Dropbox BAA. If third-party apps are used with a Dropbox account, covered entities need to assess each app separately (and obtain a BAA from its vendor where PHI will flow through it) before it is used.
HIPAA requires healthcare organizations to put safeguards in place to preserve the confidentiality, integrity and availability of PHI. It is therefore vital that a Dropbox account is configured properly. Even with a signed BAA, it is possible to breach HIPAA Rules when using Dropbox.
To avoid a HIPAA violation, sharing permissions should be configured so that files containing PHI can only be accessed by authorized individuals. Team-level sharing settings can be used to stop PHI from being shared with anyone outside the team, whether by adding an external member to a shared folder or by creating a link that anyone can open. Two-step verification should be enforced for all users as an additional safeguard against unauthorized access.
It should not be possible for any file holding PHI to be permanently deleted. Administrators can disable permanent deletions via the Admin Console, which ensures files cannot be permanently deleted for the lifetime of the account.
It is also important for Dropbox accounts to be continuously maintained to ensure that PHI is not being accessed by unauthorized people. Administrators should remove users when their role changes and they no longer need access to PHI, or when they leave the organization. The list of linked devices should also be reviewed regularly. Dropbox allows Dropbox content to be remotely wiped from a linked device; that should be done when a user leaves the organization or when a device is lost or stolen.
Dropbox maintains a record of user activity. Reports can be generated to show who has shared content, and to gather information on authentication events and the activities of account administrators. Those reports should be reviewed regularly, not just generated.
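A regular review is only useful if someone actually asks the activity log the right questions: who shared PHI outside the team, whose logins are failing repeatedly, and who changed team membership or admin roles. The script below is an added example, not Dropbox's own code or API: it runs over a constructed activity export whose column names (timestamp, actor, event, target, recipient, result) and event names are assumptions made for the example, and the team domain example-clinic.org is likewise assumed. Adapt the column and event names to the real export before using it.

```python
"""Flag the activity-log events a HIPAA reviewer cares about.

Added example, not Dropbox's code. The input is a constructed CSV in the
shape of an activity export; column names and event names are assumptions.
"""
import csv
import io
from collections import Counter

# Assumption: the covered entity's own e-mail domain. Any other recipient is
# "outside the team", which sharing policy is supposed to prevent.
TEAM_DOMAIN = "example-clinic.org"

# Constructed sample export (not real data). A missing recipient means the
# event had no share target; a link audience such as "anyone_with_link" is
# recorded in the same column.
SAMPLE_EXPORT = """timestamp,actor,event,target,recipient,result
2024-03-01T08:02:11Z,dr.lee@example-clinic.org,shared_content_add_member,patient-intake.pdf,nurse.k@example-clinic.org,success
2024-03-01T08:05:40Z,dr.lee@example-clinic.org,shared_content_add_member,patient-intake.pdf,referral@othernetwork.com,success
2024-03-01T09:10:02Z,nurse.k@example-clinic.org,login,,,failed
2024-03-01T09:10:20Z,nurse.k@example-clinic.org,login,,,failed
2024-03-01T09:10:41Z,nurse.k@example-clinic.org,login,,,failed
2024-03-01T09:11:05Z,nurse.k@example-clinic.org,login,,,success
2024-03-01T10:30:00Z,admin@example-clinic.org,member_change_admin_role,temp.contractor@example-clinic.org,,success
2024-03-01T11:00:00Z,admin@example-clinic.org,member_remove,former.staff@example-clinic.org,,success
2024-03-01T12:15:33Z,dr.lee@example-clinic.org,shared_link_create,lab-results.pdf,anyone_with_link,success
"""


def parse_export(text):
    """Parse the CSV export into a list of dict rows (one per event)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_external(recipient, team_domain):
    """True when a share target is not an account in the team's own domain.

    Link audiences like 'anyone_with_link' carry no '@domain' and are
    therefore treated as external, which is the point: anyone with the
    link can open the file.
    """
    return bool(recipient) and not recipient.lower().endswith("@" + team_domain.lower())


def external_shares(events, team_domain=TEAM_DOMAIN):
    """Sharing events whose recipient or audience is outside the team."""
    return [e for e in events
            if e["event"].startswith("shared_") and is_external(e["recipient"], team_domain)]


def failed_login_counts(events):
    """Failed sign-ins per actor, the raw material for a brute-force check."""
    return Counter(e["actor"] for e in events
                   if e["event"] == "login" and e["result"] == "failed")


def suspicious_logins(events, threshold=3):
    """Actors with at least `threshold` failed sign-ins in the export window."""
    return sorted(actor for actor, n in failed_login_counts(events).items() if n >= threshold)


def membership_changes(events):
    """Admin actions that add, remove or re-role team members (assumed 'member_' prefix)."""
    return [e for e in events if e["event"].startswith("member_")]


def review(text, team_domain=TEAM_DOMAIN, threshold=3):
    """Run all three checks over an export and return the findings by category."""
    events = parse_export(text)
    return {
        "external_shares": external_shares(events, team_domain),
        "suspicious_logins": suspicious_logins(events, threshold),
        "membership_changes": membership_changes(events),
    }


if __name__ == "__main__":
    for section, items in review(SAMPLE_EXPORT).items():
        print(f"== {section} ({len(items)}) ==")
        for item in items:
            if isinstance(item, str):
                print("  ", item)
            else:
                print("  ", item["timestamp"], item["actor"], item["event"],
                      item["target"], item["recipient"])
```

Run against the sample, the external-share check catches both the folder shared with an address at another organization and the public link on a lab report, the login check surfaces the account with three consecutive failures, and the membership check lists the role change and the removal so the reviewer can confirm each was intended. The same three questions are worth asking of whatever report format the Admin Console actually produces.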
Dropbox will supply a mapping of its internal practices on request and offers a third-party assurance report that details the controls the firm has implemented to help keep files secure. Those documents can be obtained from the account management team and should be kept with the organization's own risk analysis documentation.
So, is Dropbox a HIPAA compliant service? Dropbox has implemented controls to prevent unauthorized access, but ultimately HIPAA compliance depends on how the service is used. If a BAA is in place and the account is correctly configured and maintained, Dropbox can be used by healthcare organizations to share PHI with authorized people without breaching HIPAA Rules.