The question “Is DropBox HIPAA compliant?” is a common question for healthcare providers and organizations that deal with protected health information (PHI).
Before we answer, let’s take a brief look at some of the foundational components of HIPAA compliance to deepen your understanding of how it applies to DropBox.
Working with Healthcare Vendors
Healthcare providers are considered covered entities (CEs) under HIPAA regulation. Covered entities are responsible for being compliant with the full extent of the HIPAA rules, including the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Omnibus Rule.
HIPAA is a series of national standards regarding the integrity and accessibility of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include name, address, telephone number, Social Security number, insurance ID number, financial information, healthcare information, and full facial photos, to name a few.
The HIPAA rules largely regulate the use, access, and transfer of PHI, and that’s where the question “Is DropBox HIPAA compliant?” comes into play.
In addition to covered entities, HIPAA regulation defines a class of organizations as business associates. Business associates are any entity who necessarily encounters PHI in ANY way over the course of the work they’ve been hired to perform. HIPAA mandates that before any PHI is shared between a covered entity and business associate, a business associate agreement (BAA) must be executed.
BAAs are contracts executed between two HIPAA-beholden organizations to ensure that PHI is being properly shared by both parties. BAAs limit liability in the event of a breach. If a breach is caused by a business associate, a BAA ensures that the covered entity will not be held liable, and vice versa.
Will DropBox Sign a BAA?
DropBox has said in the past that it is willing to execute BAAs with certain customers. Its policy states:
“Dropbox will sign business associate agreements (BAAs) with Dropbox Business, Enterprise, and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).”
Note that free users of the DropBox service CANNOT sign BAAs, and therefore cannot use DropBox in a HIPAA compliant manner, regardless of the privacy and security settings they implement. Remember that BAAs are a crucial part of working with ANY vendor in the healthcare space if PHI is to be exchanged, accessed, or stored.
So the first step toward using DropBox in a HIPAA compliant manner is executing a BAA with the company BEFORE you store or upload any data on the system.
Can You Make DropBox HIPAA Compliant?
Even after you’ve signed a BAA with DropBox, your organization can still experience a HIPAA violation if the cloud storage provider is not properly configured.
The following are a few more steps you can take to ensure that you’ve maxed out the HIPAA privacy and security settings of DropBox:
- User sharing should be significantly limited so that only authorized users can access PHI stored on the system. DropBox allows users to configure sharing permissions to ensure that there is no breach of the HIPAA Uses and Authorization standard.
- Files should never be permanently deleted, which can be configured in DropBox administrative controls.
- DropBox use should be monitored by an administrator for unauthorized access, even with proper sharing controls in place.
Questions Remain…
However, even with all of these processes in place, there are still doubts about whether organizations can use DropBox to store and transfer PHI in a HIPAA compliant manner.
Like many digital tools on the market today, DropBox gathers metadata about its users. This metadata is gathered based on how users interact with the system and creates a general map of their use over time.
Because the contents of this metadata is automatically culled, it’s uncertain whether DropBox retains any unencrypted information about your organization’s PHI. Metadata is wide reaching and is usually not protected by a BAA, which makes this a significant grey area when asking whether DropBox is HIPAA compliant.
Until The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) releases new guidance on how HIPAA applies to metadata collection, it remains uncertain whether or not organizations like DropBox are exposing their users’ PHI to risk.
