Is Dropbox HIPAA Compliant?
Being “HIPAA-compliant” means that a company abides by the provisions of the Health Insurance Portability and Accountability Act of 1996. We’ll start by explaining the key provisions of HIPAA and what they have to do with Dropbox.
HIPAA Key Terms
HIPAA stands for Health Insurance Portability and Accountability Act. This is United States legislation that regulates the privacy and security of medical information. Signed by President Bill Clinton in 1996, the act laid down the requirements for how healthcare organizations should protect personally identifiable information.
Under HIPAA, personally identifiable information that healthcare organizations need to safeguard is known as Protected Health Information (PHI). PHI includes health conditions, payments for healthcare and provision of medical service. Healthcare organizations that handle PHI are referred to as covered entities. These include doctors, clinics, HMOs and hospitals.
A business associate is an entity who receives, shares and transmits protected health information (PHI) on behalf of the covered entity. A company using Dropbox is an example of a business associate.
Before a HIPAA-covered entity can share PHI with the business associate, it must send the associate a contractual agreement called a business associate agreement (BAA). Signing the BAA obliges the business associate to safeguard PHI in accordance with HIPAA guidelines.
Does Dropbox Comply With HIPAA?
For a business associate to be HIPAA compliant, it has to comply strictly with HIPAA regulations when handling files containing PHI. Dropbox claims to support HIPAA compliance, but that does not mean it is fully HIPAA compliant.
Dropbox provides healthcare providers with the tools and features to comply with HIPAA regulations.
It’s impossible for a software program or file sharing platform to be completely HIPAA compliant because it can be used in several ways that do not align with HIPAA guidelines. This is why business associates are required to sign a BAA before they share any file with a covered entity.
Ultimately, the responsibility lies with covered entities to use Dropbox in a way that avoids violating HIPAA guidelines. That said, Dropbox provides some tips for meeting HIPAA requirements. You can check out Dropbox’s getting started with HIPAA guide to see how to make your Dropbox business account secure enough for storing PHI.
Which Plans Offer HIPAA Compliance?
The only Dropbox plans that support HIPAA compliance are the Business plans, which include Dropbox Standard, Advanced and Enterprise plans.
Not surprisingly, only the Dropbox Business plans offer built-in HIPAA compliance. These include Dropbox Standard, Advanced and Enterprise plans. Personal plans like Dropbox Basic, Plus, Family and Professional don’t support HIPAA compliance.
How to Sign a Business Associate Agreement With Dropbox
The business associate agreement is only accessible to a Dropbox business team admin and can be signed electronically. To sign the agreement, visit the account page in the admin console. Click on “settings,” “team profile,” and under “advanced,” click “set up a baa.” Once you’ve signed the BAA, a copy downloads to your Dropbox account.
It’s important to note that signing a BAA through the admin console is only possible for US-based customers.
What You Should Do to Ensure HIPAA Compliance
Dropbox offers a 30-day trial for any of the business plans.
To ensure HIPAA compliance with Dropbox, it’s important to configure sharing permissions to limit PHI access to only authorized users. Additionally, two-step verification can be used as an extra layer of protection against unauthorized access.
Files containing PHI are not supposed to be permanently deleted, given their sensitivity. Disabling permanent deletions for PHI can be done via the admin console. When you turn off this feature, the ability to permanently delete files is limited to just the admins.
Team admins have access to reports that detail user activity, such as who has shared a file, authentication and the activities of administrators. It’s important to always monitor these reports to spot any unusual activity and take timely action.
It’s also important to note that the host of third party apps you might have to link to your Dropbox account are not covered under Dropbox’s terms of use, including the BAA you’re required to sign. Therefore, you should evaluate these apps to ensure that using them aligns with your HIPAA obligations.
Originally posted on March 15, 2023 @ 2:58 pm