The question “Is Dropbox HIPAA compliant?” is a common concern for behavioral health professionals considering the popular cloud storage provider. This guide will help you understand whether Dropbox can be used in your practice while maintaining your HIPAA compliance.
But first, let’s look at the fundamental components of HIPAA compliance to give you a sense of how the regulation applies to Dropbox.
Healthcare Vendors and HIPAA Compliance
HIPAA outlines national standards for maintaining the integrity, privacy, and security of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, financial information, Social Security numbers, health care information, insurance ID numbers, and full facial photos, among others.
The HIPAA rules regulate the use, access, and transfer of PHI, which is why the question “Is Dropbox HIPAA compliant?” is so important for behavioral health professionals.
Behavioral health professionals are defined as covered entities under HIPAA regulation. The regulation also defines health care vendors with whom you do business as business associates. Business associates are organizations that encounter or handle PHI in ANY way as part of work they’ve been hired to perform by your organization.
The HIPAA Omnibus Rule mandates that a business associate agreement (BAA) must be signed before any PHI is shared between a covered entity and business associate.
BAAs are contracts that ensure PHI is properly handled by both parties involved, and they must be executed BEFORE data is shared. BAAs are mandatory components of any effective HIPAA compliance program and must be executed with cloud storage providers like Dropbox in order to use the service in a HIPAA compliant manner.
Can Dropbox be HIPAA Compliant?
Dropbox’s policy states:
“Dropbox will sign business associate agreements (BAAs) with Dropbox Business, Enterprise, and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).”
That means Dropbox is willing to sign BAAs with PAID users only. Free users cannot request a BAA with Dropbox and cannot use the service in a HIPAA compliant manner. If you’re using a free Dropbox account, you’re putting your behavioral health practice at serious risk of a data breach and the HIPAA fines that follow.
A BAA alone is not enough to make Dropbox HIPAA compliant, though. Below are a few more steps your organization must take to ensure that data is stored privately and securely when using Dropbox.
- Dropbox sharing settings should be configured so that only authorized users can access and share PHI stored on the system. This is a primary component of the HIPAA User Authorization standard. Sharing must be limited so that only employees whose jobs require access to PHI can view these files.
- Files stored on Dropbox should never be permanently deleted. You can use Dropbox administrative controls to ensure that users do not have the ability to delete PHI. HIPAA has specific standards for the destruction of PHI, which must be implemented in your practice.
- As with any storage system, use of and access to Dropbox accounts should be monitored and tracked. User activity reports can be generated via Dropbox administrative controls.
Dealing with Metadata
HIPAA has a grey area when it comes to the collection of metadata. Metadata is compiled by digital and online companies in order to understand how users interact with their products, and Dropbox also gathers metadata about its users.
Metadata collection cannot be turned off, and exactly what is collected is usually unclear. Because of this, some of your organization’s PHI may be swept up in metadata collection.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release any guidance on how the HIPAA rules apply to metadata collection, so it is uncertain whether Dropbox’s metadata collection exposes users’ PHI to HIPAA violations.
In the end, using Dropbox in the manner described above is the best way to keep your data as secure as you can. However, fully encrypted data storage is still your best bet among cloud storage providers if you want to entirely eliminate the risk of inadvertently breaching HIPAA.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches® field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including pre-built business associate agreements and full vendor management capabilities.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.