Dropbox and HIPAA Compliance

by Patrick Kennedy | Jul 17, 2017

Dropbox is a widely-used file hosting service operated by many organizations to share files, but what about protected health information? Is the service HIPAA compliant?

Dropbox states that it now supports HIPAA and HITECH Act compliance, but that does not mean Dropbox is compliant with HIPAA. No software or file sharing platform can be HIPAA compliant in itself, because compliance depends on how the software or platform is used by the organization in question. That said, healthcare organizations can use Dropbox to share or store files, including files containing protected health information, without breaching HIPAA Rules.

The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an organization before any protected health information (PHI) is shared with it. Dropbox is classified as a business associate, so a BAA is necessary.

Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA breach, the BAA must be in place before any file containing PHI is uploaded to a Dropbox account. A BAA can be submitted electronically via the Account page of the Admin Console.

Dropbox allows third-party apps to be used, although it is important to remember that they are not covered by the BAA. If third-party apps are used with a Dropbox account, covered entities need to assess those apps separately before they are used.

HIPAA requires healthcare organizations to put in place safeguards to preserve the confidentiality, integrity and availability of PHI. It is therefore vital to configure a Dropbox account properly. Even with a signed BAA, it is possible to breach HIPAA Rules when using Dropbox.

To avoid a HIPAA violation, sharing permissions should be configured properly to ensure that files containing PHI can only be accessed by authorized individuals. Sharing permissions can be set to stop PHI from being shared with any person outside of the team. Two-step verification should be enabled as an additional safeguard against unauthorized access.

It should not be possible for any files holding PHI to be permanently deleted. Administrators can disable permanent deletions via the Admin Console, which ensures files cannot be permanently deleted for the lifetime of the account.

It is also important for Dropbox accounts to be maintained continuously to ensure that PHI is not being accessed by unauthorized people. Administrators should remove users when their role changes and they no longer need access to PHI, or when they leave the organization. The list of linked devices should also be reviewed regularly. Dropbox allows the Dropbox content on a linked device to be deleted remotely; that should be done when a user leaves the organization or if a device is lost or stolen.

Dropbox maintains a record of all user activity. Reports can be generated to show who has shared content and to gather information on authentication and the activities of account administrators. Those reports should be reviewed regularly.
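One way to turn the regular review described above into a repeatable check. This is an added example, not Dropbox's own tooling; the event format, the team domain and the user list are constructed for illustration and are not Dropbox's real activity-report schema. It flags the four conditions the article calls out: shares to addresses outside the team, permanent deletions, sign-ins without two-step verification, and devices linked by accounts that are no longer active team members.

```python
"""Review a (constructed, simplified) Dropbox team activity export for the
HIPAA-relevant conditions discussed in the article. The event format below is
an assumption for illustration, not Dropbox's real audit-log schema."""
import json

TEAM_DOMAIN = "example-clinic.org"                       # assumed team domain
ACTIVE_USERS = {"alice@example-clinic.org", "bob@example-clinic.org"}  # assumed roster

# Constructed sample events (not real Dropbox output).
SAMPLE_EVENTS = json.dumps([
    {"type": "shared_link_create", "actor": "alice@example-clinic.org",
     "path": "/patients/intake.pdf", "recipient": "contractor@gmail.com"},
    {"type": "shared_link_create", "actor": "bob@example-clinic.org",
     "path": "/patients/labs.pdf", "recipient": "alice@example-clinic.org"},
    {"type": "file_permanently_delete", "actor": "bob@example-clinic.org",
     "path": "/patients/old.pdf"},
    {"type": "login_success", "actor": "alice@example-clinic.org", "two_step": False},
    {"type": "login_success", "actor": "bob@example-clinic.org", "two_step": True},
    {"type": "device_link", "actor": "carol@example-clinic.org", "device": "iPhone"},
])


def review_events(raw_json, team_domain=TEAM_DOMAIN, active_users=ACTIVE_USERS):
    """Return a list of (rule, actor, detail) findings for an administrator to act on."""
    findings = []
    for ev in json.loads(raw_json):
        kind, actor = ev["type"], ev["actor"]
        if kind == "shared_link_create":
            # Sharing permissions should keep PHI inside the team: flag external recipients.
            recipient = ev.get("recipient", "")
            if not recipient.endswith("@" + team_domain):
                findings.append(("external_share", actor, f"{ev['path']} -> {recipient}"))
        elif kind == "file_permanently_delete":
            # Permanent deletion should be disabled; any such event means the control failed.
            findings.append(("permanent_delete", actor, ev["path"]))
        elif kind == "login_success" and not ev.get("two_step", False):
            # Two-step verification should be used on every sign-in.
            findings.append(("login_without_2sv", actor, "two-step verification not used"))
        elif kind == "device_link" and actor not in active_users:
            # A device linked by someone not on the current roster needs a remote wipe.
            findings.append(("device_for_inactive_user", actor, ev.get("device", "?")))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in review_events(SAMPLE_EVENTS):
        print(f"{rule:26} {actor:28} {detail}")
```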

Dropbox will supply a mapping of its internal practices on request and offers a third-party assurance report that details the controls the firm has implemented to help keep files secure. Those documents can be obtained from the account management team.

So, is Dropbox a HIPAA compliant service? Dropbox is secure and controls have been implemented to prevent unauthorized access, but ultimately HIPAA compliance depends on users. If a BAA is in place and the account is correctly set up, Dropbox can be used by healthcare organizations to share PHI with authorized people without breaching HIPAA Rules.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: