Companies operating in the U.S. healthcare system have to ensure the privacy and security of all data they collect and process that contains protected health information (PHI). Specific guidelines are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect sensitive patient information from being disclosed without an individual’s consent. Failure to comply with HIPAA regulations can result in serious financial penalties and negative publicity.
The need to comply with HIPAA extends to all IT services and software solutions an organization uses to store and process PHI. Dropbox is a popular software platform that addresses some of the needs of healthcare companies.
But is Dropbox HIPAA compliant? The short answer is no, Dropbox is not fully HIPAA compliant out of the box, but with proper configuration and oversight, it is possible to use Dropbox in a HIPAA-compliant manner.
Keep reading to learn how to use Dropbox in a way that complies with HIPAA standards.
Dropbox is a cloud-based storage and file-sharing platform that facilitates collaboration and distributing information throughout an organization. Healthcare organizations typically have many types of documents and files that contain PHI. The features available in Dropbox address their needs in multiple ways.
The software tools used by healthcare companies to process PHI need to comply with the two main HIPAA rules, the Privacy Rule and the Security Rule, each of which defines safeguards that must be in place.
Some of these safeguards are met by Dropbox without any modifications. For example, Dropbox automatically encrypts data at rest in its cloud storage, addressing a critical aspect of HIPAA compliance. The tool also offers monitoring capability to track user activity and identify who accessed sensitive data.
However, Dropbox alone cannot be considered HIPAA compliant, because compliance depends on how the platform is configured and used. Healthcare organizations must configure their Dropbox accounts correctly to avoid HIPAA violations, for example by setting sharing permissions so that files containing PHI can only be accessed by authorized individuals and by requiring two-step verification for additional security.
Users have control over the type of authorization and authentication policies that govern access to their data. The default sharing permissions and other configuration parameters are not rigorous enough to meet HIPAA standards.
Dropbox is considered a data processor under HIPAA and requires signed Business Associate Agreements (BAAs). However, free users of Dropbox cannot be HIPAA compliant as they are unable to sign BAAs.
Dropbox acts as a data processor and provides an online storage service, but it cannot access the stored data unless directed by its users. This feature makes it easier for covered entities, such as healthcare professionals, to be HIPAA compliant when using Dropbox.
A BAA with Dropbox outlines the limitations on how Dropbox can use or disclose PHI and requires prompt notification of any breaches. Dropbox includes HIPAA-compliant features in several of its plans, and administrators can limit the sharing of PHI data and disable permanent data deletions.
Dropbox also offers guidance and tools for HIPAA compliance, including recommendations, a Getting Started guide, and key steps such as monitoring usage and limiting sharing. Dropbox provides a mapping of its internal practices and recommendations for customers who want to meet the requirements of the HIPAA Security and Privacy Rules with Dropbox.
Dropbox's framework includes protections such as permissioning, two-factor authentication (2FA), single sign-on (SSO), and the option to sign BAAs. Additionally, third-party assessment reports cover Dropbox's HIPAA and HITECH controls, giving customers independent evidence to support their own compliance efforts.
It's important to restrict access to certain information and prevent permanent deletion of files. Ongoing monitoring and regular audits are necessary to ensure proper usage, and access should be promptly removed for employees or contractors who are no longer associated with the organization.
Third-party apps connected to Dropbox Business accounts need to be evaluated independently and have a signed BAA. Ultimately, it's the user's responsibility to ensure compliance.
Healthcare organizations can use Dropbox and maintain HIPAA compliance by taking the following measures.
Set up a business associate agreement (BAA) with Dropbox. The prerequisites for signing a BAA include a paid subscription and at least three team members. A BAA with its IT providers, such as Dropbox, is a requirement for covered entities seeking HIPAA compliance.
Implement the following best practices to enable a company to use Dropbox in a HIPAA-regulated environment.
Implementing a data loss prevention (DLP) software solution can help you maintain HIPAA compliance when using Dropbox. A DLP platform relies on a company developing an effective data handling policy to control how information is used throughout the IT environment.
The software automatically enforces the data handling policy to ensure that no information is deliberately or accidentally misused.
The Reveal Platform by Next is an advanced DLP platform that protects PHI and an organization’s other sensitive data resources. The tool employs next-gen endpoint agents powered by machine learning to identify and categorize data at the point of risk.
When users violate the data handling policy, the activity is prohibited and an informative message is generated that defines the violation and promotes enhanced security-consciousness.
Schedule a demo to see Reveal in action and talk to our DLP experts to learn how Reveal supports HIPAA compliance.
A DLP tool protects an organization when transmitting PHI by ensuring that the data is handled according to the data handling policy, which should require the information to be encrypted before transmission.
Users will be prohibited from sending unencrypted PHI via email and will be informed of their violation. They can then take the necessary steps and encrypt the data before transmitting it securely.
The safeguards of the HIPAA Security Rule which are addressed by Dropbox features include:
All unused IDs and devices should be removed from the Dropbox account as soon as possible. Obsolete user accounts or devices are a serious security exposure that should be addressed during the periodic risk assessments required for HIPAA compliance.
Threat actors can leverage these accounts or devices to obtain unauthorized access to PHI, which can result in expensive HIPAA violations.