Is Dropbox HIPAA compliant?

Insurance companies and others in the healthcare space could see advantages by utilizing Dropbox, but before doing so they must ask whether Dropbox is compliant with the Health Insurance Portability and Accountability Act, more often referred to as HIPAA.

Is Dropbox HIPAA Compliant?

Dropbox was arguably one of the first mainstream cloud storage and online file sharing providers and the benefits associated with simple sharing and transferring of large files are clear to see, but is Dropbox HIPAA compliant or would it be against HIPAA Rules to use Dropbox to store or share Protected Health Information (PHI)?

As many versions and updates have been released over the years, Dropbox has had the time to implement features that allow HIPAA covered entities to use it to handle, store, or share PHI. Indeed, Dropbox now advertises that the tool can be made compatible with both HIPAA and HITECH Act requirements. While it cannot be stated with absolute certainty that a piece of software or an online tool is HIPAA compliant, since compliance depends to an overwhelming degree on how the user interacts with the data, Dropbox does offer a sufficient range of options and settings for it to be used by healthcare companies in a completely HIPAA compliant manner.

An essential step in ensuring the HIPAA compliant use of a third party tool or service is the preparation and implementation of an appropriate Business Associate Agreement (BAA). The BAA must be signed and in place before any PHI can be manipulated with the tool and it must also specifically define the role of each party and their responsibilities under HIPAA. By providing the associated software and service, Dropbox would be considered a business associate and as such, any company wishing to use PHI with Dropbox would need to enter into a BAA with them.

Dropbox has shown itself to be willing to enter into such agreements in the past. There is even a feature that allows BAAs to be electronically agreed to and signed through Dropbox's Admin console by users with sufficient authority.

Dropbox does not prohibit the use of third party applications in conjunction with its service. These would not be covered by the Dropbox BAA, however, and covered entities would need to ensure that any paperwork required to use those applications in compliance with HIPAA is put in place. Covered entities are also advised to closely review and scrutinize the BAAs they enter into, including any BAA with Dropbox, to ensure each is appropriate and specific enough to account for their activities and their intended use of the platform.

Settings Must be Correctly Configured

For a tool such as Dropbox to be compliant with HIPAA, a number of features must be present and correctly configured. HIPAA specifies that appropriate technical and procedural safeguards must be in place and adhered to in order to keep PHI confidential and secure. Some of the necessary measures include the ability to control access and prevent unauthorized parties from viewing data; the ability to prevent data loss due to system failures or deletions; and the ability to record and track user activity to create an audit trail.