Dropbox is a popular file hosting service used by many organizations to share files. Dropbox claims that it has implemented measures that now make its software both
HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant as its compliance depends on how the software or platform is used as well as the software’s design. Under certain circumstances, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules.
The Health Insurance Portability and Accountability Act requires covered entities (CEs) to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required. Dropbox has previously shown its willingness to enter a business associate agreement with HIPAA CEs.
The BAA must be obtained before any file containing PHI is uploaded to a Dropbox account to prevent a violation from occurring. A BAA can be signed electronically via the Account page of the Admin Console.
Dropbox allows third party apps to be used in conjunction with its services. However, these apps are not covered by the BAA. If third party apps are used with a Dropbox account, covered entities need to perform a separate risk assessment on those apps separately prior to their use.
HIPAA’s Rules and Dropbox
HIPAA requires healthcare organizations to implement safeguards to preserve the confidentiality, integrity and availability of PHI. It is therefore important to configure a Dropbox account correctly. Even with a signed BAA, it is possible to violate HIPAA Rules when using Dropbox if the appropriate measures are not taken when setting up the account.
To comply with the HIPAA Security Rule, sharing permissions should be configured to ensure files containing PHI can only be accessed by authorized individuals. Sharing permissions can be set to prevent PHI from being shared with any individual outside of a team. Two-step verification should be used as an additional safeguard against unauthorized access.
Furthermore, to maintain accountability within the healthcare profession, it should be made impossible for PHI to be permanently deleted. This can be done my administrators via the Admin Console, where there is an option to disable permanent deletions. Any files uploaded onto the account will then stay on the account for as long as it is active.
It is also essential for Dropbox accounts to be monitored to ensure that PHI is not being accessed by unauthorized individuals. Administrators should delete individuals when their role changes and they no longer need access to PHI or when they leave the organization. Administrators are also recommended to review the list of linked devices on a regular basis to prevent unauthorized access. Dropbox allows linked devices to have Dropbox content remotely wiped. That should occur when a user leaves the organization of if a device is lost or stolen.
Dropbox records all user activity. Reports can be generated to show who has shared content and to obtain information on authentication and the activities of account administrators. Those reports should be regularly reviewed to ensure that PHI is being properly handled in accordance with HIPAA.
Dropbox will provide a mapping of its internal practices on request and offers a third-party assurance report that details the controls that the firm has implemented to help keep files secure. Those documents can be obtained from the account management team.
In summary, Dropbox is secure and controls have been implemented to prevent unauthorized access, but ultimately HIPAA compliance depends on the user’s activity. If a BAA is obtained and the account is correctly configured, Dropbox has the right measures in place to be used by healthcare organizations to share PHI with authorized individuals in total compliance with HIPAA Rules.