Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA?
Dropbox claims it is now fully behind and supportive of HIPAA and HITECH Act compliance, but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own, because compliance depends on how the software or platform is used and on the individuals using it. However, healthcare groups can use Dropbox to share or store files containing protected health information without breaching HIPAA Rules.
The Health Insurance Portability and Accountability Act requires covered organizations to complete a business associate agreement (BAA) with an organization before any protected health information (PHI) is shared. Dropbox is classified as a business associate, so a BAA is necessary.
Dropbox will complete a business associate agreement with HIPAA-covered organizations. To prevent a HIPAA violation, the BAA must be completed before any file containing PHI is shared to a Dropbox account. A BAA can be completed electronically via the Account page of the Admin Console on the Dropbox platform.
Dropbox permits third-party applications to be used, although it is important to note that they are not covered by the previously signed BAA. If third-party applications are used with a Dropbox account, covered organizations need to assess those apps separately prior to using them.
HIPAA requires healthcare organizations to implement security measures to maintain the confidentiality, integrity and availability of PHI. It is therefore important to set up and run a Dropbox account correctly. Even with a signed BAA, it is possible to breach HIPAA Rules when using Dropbox on an everyday basis.
To avoid a HIPAA violation, sharing permissions should be set so that files containing PHI can only be accessed by authorized individuals. Sharing permissions can be set to stop PHI from being sent to any individual outside of a specified team. Two-step verification should be put in place as an additional safeguard against unauthorized access.
It should not be possible for any individual files holding PHI to be permanently deleted. Administrators can switch off permanent deletions via the Admin Console. That will ensure files cannot be permanently deleted for the lifetime of the account.
It is also important for Dropbox accounts to be guarded to ensure that PHI is not being accessed by unauthorized individuals. Administrators should remove individuals from the account when their position changes and they no longer need access to PHI, or when they leave the group. The list of linked devices should also be regularly audited. Dropbox allows Dropbox content to be remotely deleted from linked devices. That should happen when a user leaves the group or if a device is lost or stolen.
Dropbox records a log of all user activity. Reports can be downloaded to show who has shared content and to obtain information on authentication and the activities of account administrators. Those reports should be reviewed regularly.
Dropbox will provide a mapping of its internal practices when asked and offers a third-party assurance report that details the controls that the firm has adopted to help keep files secure. Those documents can be obtained from the account management team.
Dropbox is a secure service and controls have been developed to prevent unauthorized access, but ultimately HIPAA compliance depends on the people using it. If a BAA is obtained and the account is properly set up, Dropbox can be used by healthcare groups to share PHI with authorized people without breaching HIPAA Rules.