Is Dropbox HIPAA compliant? There is no straight answer, because compliance depends on more than the service itself. Dropbox is a capable place to store sensitive files, including health information, but whether that storage is HIPAA compliant depends on the plan, the contract in place and how the account is configured, and there are some gray areas.
We'll go over these gray areas in this article to help you understand how Dropbox works with healthcare organizations to protect patient data in accordance with HIPAA rules. To understand the role Dropbox plays in supporting HIPAA compliance, we first need to define a few key terms.
Key Takeaways: Is Dropbox HIPAA Compliant
- Dropbox offers health organizations a secure way to store sensitive files. It’s not HIPAA compliant in itself, but relies on the user to use it in HIPAA-compliant ways.
- Health organizations that use Dropbox to store medical information bear most of the responsibility for protecting it: they must sign a contract with Dropbox called a business associate agreement (BAA) and correctly configure their accounts.
- Correct configuration means limiting access to health information to authorized users only, enforcing two-step verification, keeping permanent deletion admin-only, monitoring team activity reports and evaluating any third-party apps connected to the account.
To learn more about Dropbox’s performance as a cloud storage service, read our Dropbox review. Our Dropbox pricing guide will also take you through the different plans and discounts Dropbox has to offer.
Is Dropbox HIPAA compliant?
Dropbox can be HIPAA compliant as long as healthcare organizations sign a BAA with Dropbox and stick to HIPAA guidelines when using it.
Is the free version of Dropbox HIPAA compliant?
No. The free version of Dropbox is not HIPAA compliant, because it does not offer a BAA or the administrative features required to protect sensitive health files in accordance with HIPAA rules.
Is Google Drive HIPAA compliant?
Yes. Google Drive can be used to store health information in HIPAA-compliant ways, subject to the same conditions: a signed BAA and a correctly configured account.
Is Dropbox HIPAA Compliant?
Being “HIPAA compliant” means that an organization abides by the Health Insurance Portability and Accountability Act of 1996 and the rules issued under it, chiefly the Privacy Rule, the Security Rule and the Breach Notification Rule. We’ll start by explaining the key provisions of HIPAA and what they have to do with Dropbox.
HIPAA Key Terms
HIPAA stands for Health Insurance Portability and Accountability Act. This is United States legislation that regulates the privacy and security of medical information. Signed by President Bill Clinton in 1996, the act, together with the Privacy and Security Rules the Department of Health and Human Services later issued under it, lays down how healthcare organizations must protect individually identifiable health information.
Under HIPAA, the individually identifiable health information that healthcare organizations must safeguard is known as protected health information (PHI). PHI covers information about a person’s past, present or future health condition, the healthcare provided to them and payment for that care. Organizations that handle PHI and are directly regulated by HIPAA are called covered entities: health care providers such as doctors, clinics and hospitals, health plans such as HMOs and insurers, and health care clearinghouses.
A business associate is a person or company that creates, receives, maintains or transmits PHI on behalf of a covered entity. A cloud storage provider that stores PHI for a clinic is a textbook example, so when a covered entity keeps PHI in Dropbox, Dropbox is the business associate. This holds even if the provider never looks at the data; under HHS guidance, a cloud provider that stores PHI is a business associate even when the data is encrypted and it does not hold the key.
Before a covered entity can share PHI with a business associate, the two must enter into a contract called a business associate agreement (BAA). The BAA obliges the business associate to safeguard PHI in accordance with HIPAA rules, report breaches and restrict how it uses the data.
Does Dropbox Comply With HIPAA?
For a business associate to be HIPAA compliant, it has to comply strictly with HIPAA rules when handling files containing PHI. Dropbox states that it supports HIPAA compliance, but that is not the same as being HIPAA compliant on its own.
No software program or file sharing platform can be HIPAA compliant by itself, because the same platform can be used in ways that do and do not align with HIPAA rules; it is the covered entity’s use of it, under a BAA, that is compliant or not. This is why a covered entity must have a signed BAA in place before it stores or shares any PHI with Dropbox.
Ultimately, the responsibility lies with covered entities to use Dropbox in a way that avoids violating HIPAA rules. That said, Dropbox provides guidance for meeting HIPAA requirements. You can check out Dropbox’s getting started with HIPAA guide to see how to make your Dropbox business account secure enough for storing PHI.
Which Plans Offer HIPAA Compliance?
Not surprisingly, only the Dropbox Business plans offer a BAA and the admin controls needed to support HIPAA compliance. These include the Dropbox Standard, Advanced and Enterprise plans. Personal plans like Dropbox Basic, Plus, Family and Professional don’t offer a BAA and so can’t be used for PHI in a HIPAA-compliant way.
How to Sign a Business Associate Agreement With Dropbox
The business associate agreement is only accessible to a Dropbox Business team admin and can be signed electronically. To sign the agreement, open the admin console and go to the account page. Click “Settings,” then “Team profile,” and under “Advanced,” click “Set up a BAA.” Once you’ve signed the BAA, a copy downloads to your Dropbox account; keep it with your other HIPAA documentation.
It’s important to note that signing a BAA through the admin console is only possible for US-based customers.
What You Should Do to Ensure HIPAA Compliance
To ensure HIPAA compliance with Dropbox, first configure sharing permissions so that only authorized users can reach folders containing PHI: restrict team folders to the members who need them and turn off public shared links for that content. Two-step verification adds a further layer of protection against unauthorized access, and a team admin should require it for every member rather than leaving it optional.
Files containing PHI should not be permanently deleted by ordinary users, both because of their sensitivity and because HIPAA requires certain records to be retained. Permanent deletion can be disabled for the team via the admin console; when this feature is turned off, only admins retain the ability to permanently delete files, and anything a user deletes can be restored.
Team admins have access to activity reports that detail who shared a file and with whom, authentication events such as logins and failed logins, and the actions of administrators. Review these reports regularly to spot unusual activity, such as PHI shared with an outside address, a burst of failed logins or a non-admin permanently deleting files, and take timely action.
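One concrete way to act on those reports, as an added example that is not Dropbox’s code and not part of the original article: a short Python script that triages a team activity export for the events that matter once PHI is in the account. The event names follow the naming Dropbox uses in its team event log (`shared_link_create`, `shared_content_add_member`, `file_permanently_delete`, `login_fail`), but the records below are constructed and simplified; the field layout of a real `team_log/get_events` response or CSV export differs and would need to be mapped onto these keys. The team domain `clinic.example`, the admin address and the thresholds are assumptions for the example.

```python
"""Triage a Dropbox Business activity export for PHI-relevant events.

Rules (each fires once per offending event or burst):
  public_link                - a shared link was created with public visibility
  external_share             - a member was added whose address is outside the team
  non_admin_permanent_delete - a non-admin permanently deleted a file
  login_fail_burst           - N or more failed logins for one user inside a window
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed for the example: the covered entity's mail domain and its admins.
TEAM_DOMAINS = {"clinic.example"}
ADMINS = {"admin@clinic.example"}
LOGIN_FAIL_THRESHOLD = 3
LOGIN_FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample records (simplified; not a real Dropbox export).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-06T09:00:00Z", "event_type": "shared_link_create",
     "actor": {"email": "nurse@clinic.example"},
     "details": {"path": "/PHI/intake_forms.pdf", "visibility": "public"}},
    {"timestamp": "2024-05-06T09:02:00Z", "event_type": "shared_content_add_member",
     "actor": {"email": "doctor@clinic.example"},
     "details": {"path": "/PHI/labs", "invitee": "someone@gmail.com"}},
    {"timestamp": "2024-05-06T09:03:00Z", "event_type": "shared_content_add_member",
     "actor": {"email": "doctor@clinic.example"},
     "details": {"path": "/PHI/labs", "invitee": "billing@clinic.example"}},
    {"timestamp": "2024-05-06T09:05:00Z", "event_type": "file_permanently_delete",
     "actor": {"email": "nurse@clinic.example"},
     "details": {"path": "/PHI/old_chart.pdf"}},
    {"timestamp": "2024-05-06T09:06:00Z", "event_type": "file_permanently_delete",
     "actor": {"email": "admin@clinic.example"},
     "details": {"path": "/Marketing/draft.docx"}},
    {"timestamp": "2024-05-06T09:10:00Z", "event_type": "login_fail",
     "actor": {"email": "nurse@clinic.example"}, "details": {"ip": "203.0.113.7"}},
    {"timestamp": "2024-05-06T09:11:00Z", "event_type": "login_fail",
     "actor": {"email": "nurse@clinic.example"}, "details": {"ip": "203.0.113.7"}},
    {"timestamp": "2024-05-06T09:12:00Z", "event_type": "login_fail",
     "actor": {"email": "nurse@clinic.example"}, "details": {"ip": "203.0.113.7"}},
    {"timestamp": "2024-05-06T09:30:00Z", "event_type": "login_fail",
     "actor": {"email": "doctor@clinic.example"}, "details": {"ip": "198.51.100.4"}},
    {"timestamp": "2024-05-06T09:31:00Z", "event_type": "login_success",
     "actor": {"email": "doctor@clinic.example"}, "details": {"ip": "198.51.100.4"}},
]


def _timestamp(event):
    # Export timestamps are UTC "Z" strings; parse to aware datetimes for comparison.
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def _is_external(address, team_domains):
    return address.split("@")[-1].lower() not in team_domains


def triage(events, team_domains=TEAM_DOMAINS, admins=ADMINS):
    """Return a list of findings; each has rule, severity, actor and detail."""
    findings = []
    failures = defaultdict(list)   # actor -> timestamps of recent failed logins
    burst_reported = set()         # actors already reported for a login burst
    for ev in sorted(events, key=_timestamp):
        kind, actor, details = ev["event_type"], ev["actor"]["email"], ev.get("details", {})
        if kind == "shared_link_create" and details.get("visibility") == "public":
            findings.append({"rule": "public_link", "severity": "high", "actor": actor,
                             "detail": details.get("path", "")})
        elif kind == "shared_content_add_member" and _is_external(
                details.get("invitee", ""), team_domains):
            findings.append({"rule": "external_share", "severity": "high", "actor": actor,
                             "detail": f"{details['path']} -> {details['invitee']}"})
        elif kind == "file_permanently_delete" and actor not in admins:
            findings.append({"rule": "non_admin_permanent_delete", "severity": "high",
                             "actor": actor, "detail": details.get("path", "")})
        elif kind == "login_fail":
            now = _timestamp(ev)
            # Keep only failures inside the sliding window, then check the threshold.
            failures[actor] = [t for t in failures[actor] if now - t <= LOGIN_FAIL_WINDOW]
            failures[actor].append(now)
            if len(failures[actor]) >= LOGIN_FAIL_THRESHOLD and actor not in burst_reported:
                burst_reported.add(actor)
                findings.append({"rule": "login_fail_burst", "severity": "medium",
                                 "actor": actor,
                                 "detail": f"{len(failures[actor])} failures from "
                                           f"{details.get('ip', '?')}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed sample, the script reports the public link, the share to the Gmail address, the nurse’s permanent deletion and the three failed logins in two minutes, while ignoring the internal share, the admin’s deletion and the doctor’s single failed login. The thresholds are deliberately low so the example is easy to follow; tune them to the size of your team, and feed the script from a scheduled export rather than a one-off download so the review actually happens regularly.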
Should You Use Dropbox for HIPAA Protected Storage?
Encryption is a top priority for any cloud storage provider protecting data covered by HIPAA. Dropbox encrypts files in transit and at rest, but with keys that Dropbox itself controls. It does not offer zero-knowledge encryption for standard storage, the arrangement in which only the user, and never the storage service, holds the keys needed to decrypt their data.
Without zero-knowledge encryption, Dropbox is technically able to decrypt and access your files. A signed BAA restricts what Dropbox may do with PHI and makes it accountable for protecting it, but it does not remove that ability. HIPAA does not require zero-knowledge encryption, so a BAA-backed Dropbox account can still be compliant; it simply means you are trusting Dropbox’s controls rather than your own keys. Dropbox acquired key assets from the cloud storage encryption service Boxcryptor and has been working to bring end-to-end encryption to its business plans, but it has yet to fully integrate that capability across the product. If you need to rule out provider access entirely, encrypt PHI on your own devices before uploading it.
If you’d like some of the best alternatives to Dropbox that offer zero-knowledge encryption, it’s worth reading our best HIPAA compliant cloud storage guide.
Whether Dropbox is HIPAA compliant depends mainly on how a healthcare organization uses it to store PHI. As long as the organization signs a BAA with Dropbox, keeps PHI to a Business plan, correctly configures the account and reviews activity regularly, it can share PHI with authorized users safely.
Would you use Dropbox to share PHI? Have you already done it? What was your experience? Let us know in the comments section below, and as always, thanks for reading.