Dropbox is a widely-used file hosting service, employed by many as a way of sharing files, but is it HIPAA compliant?
Dropbox states that it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is outright HIPAA compliant. No software or file sharing platform can be fully HIPAA compliant as it depends on how the software or platform is used by groups and individuals. even so, healthcare organizations can use Dropbox to share or save files that include protected health information without breaching HIPAA Rules.
The Health Insurance Portability and Accountability Act states that covered entities must sign a business associate agreement (BAA) with an entity before any protected health information (PHI) is handed over. Dropbox is designated as a business associate so a BAA is obligatory.
Dropbox will complete a business associate agreement with HIPAA-covered groups. I order to avoid a HIPAA violation, the BAA must be signed before any file that includes PHI is sent to a Dropbox account. A BAA can be signed electronically using the Account page of the Admin Console.
Dropbox permits third party apps to be employed, although it is important to note that they are not included in the BAA. If third party apps are employed with a Dropbox account, covered entities need to consider those apps separately before they are used.
HIPAA states that healthcare organizations must implement safeguards to preserve the confidentiality, integrity and availability of PHI. It is therefore important to set up a Dropbox account in the correct fashion. Even with a completed BAA, it is possible to break HIPAA Rules when using Dropbox.
To ensure that you don’t break HIPAA rules, sharing permissions should be set up to ensure files containing PHI can only be reviewed by authorized individuals. Sharing permissions can be set to stop PHI from being shared with any individual external to a team. Two-step verification should be configured as an extra safeguard against unauthorized access.
It should not be possible for any files that include PHI to be completely deleted. Administrators can turn off permanent deletions using the Administration Console. That will mean that files cannot be permanently deleted as long as the account is active.
It is also important for Dropbox accounts to be reviewed so that PHI is not being accessed by unauthorized people. Administrators should erase individuals when their role changes and they no longer need access to PHI or when they leave the group. All linked devices should also be regularly reviewed. Dropbox will allow linked devices to have Dropbox content remotely deleted. That should be completed when a user leaves the organization of if a device gores missing or is stolen.
Dropbox captures all user activity. Reports can be produced to show who has sent content and to obtain information on authentication and the activities of all account administrators. Those reports should be regularly looked over.
Dropbox will produce a mapping of its internal practices on request and offers a third-party assurance report that details the controls that the firm has used to help keep files safe. Those documents can be obtained iva members of the account management team.
Dropbox is complete secure and controls have been added to prevent unauthorized access, but ultimately HIPAA compliance depends on those using it. If a BAA is obtained and the account is correctly set up. Dropbox can be used by healthcare bodies to send PHI with authorized individuals without breaking HIPAA Rules.