The question “Is DropBox HIPAA compliant?” reflects a common concern that behavioral health professionals face when it comes to using the popular cloud storage provider. This guide will help you understand if DropBox can be used in your practice while maintaining your HIPAA compliance.
But first, let’s look at the fundamental components of HIPAA compliance to give you a sense for how the regulation applies to DropBox.
Healthcare Vendors and HIPAA Compliance
HIPAA outlines national standards for maintaining the integrity, privacy, and security of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, financial information, Social Security numbers, health care information, insurance ID numbers, and full facial photos, among others.
The HIPAA rules regulate the use, access, and transfer of PHI, and that’s why the question “Is DropBox HIPAA compliant?” becomes so important for behavioral health professionals.
Behavioral health professionals are defined as covered entities under HIPAA regulation. The regulation also defines health care vendors with whom you do business as business associates. Business associates are organizations that encounter or handle PHI in ANY way as part of work they’ve been hired to perform by your organization.
The HIPAA Omnibus Rule mandates that a business associate agreement (BAA) must be signed before any PHI is shared between a covered entity and business associate.
BAAs are contracts that ensure that PHI is being properly handled by both parties involved, and must be executed BEFORE data is shared. BAAs are mandatory components of any effective HIPAA compliance program and must be executed with cloud storage providers like DropBox in order to use the service in a HIPAA compliant manner.
Is DropBox HIPAA Compliant?
DropBox’s policy states:
“Dropbox will sign business associate agreements (BAAs) with Dropbox Business, Enterprise, and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).”
That means that DropBox is willing to sign BAAs with PAID users. Free users will not be able to request a BAA with DropBox and cannot use the service in a HIPAA compliant manner. If you’re using a free DropBox account, you’re putting your behavioral health practice at serious risk of a data breach and ensuing HIPAA fines.
A BAA alone is not grounds enough to make DropBox HIPAA compliant, though. Below are a few more steps your organization must take to ensure that data will be stored privately and securely when using DropBox.
- DropBox user sharing capabilities should be modified so that only authorized users can access and share PHI stored on the system. This is a primary component of the HIPAA User Authorization standard. Sharing must be limited so that only employees whose jobs require access to PHI can view these files.
- Files stored on DropBox should never be permanently deleted. You can ensure that users don’t have the ability to delete PHI in DropBox administrative controls. HIPAA has specific standards for the destruction of PHI, which must be implemented in your practice.
- As with any storage system, use and access to DropBox accounts should be monitored and tracked. Generating user reports is available via DropBox administrative controls.
Dealing with Metadata
HIPAA has a grey area when it comes to the collection of metadata. Metadata is compiled by digital and online companies in order to understand how users interact with their products. DropBox also gathers metadata about its users.
Metadata collection cannot be turned off, and the actual contents collected are usually uncertain. Because of this, some of your organization’s PHI may be swept up in metadata collection.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release any guidance on how the HIPAA rules apply to metadata collection, so it’s uncertain if DropBox exposes users’ PHI to HIPAA violations.
In the end, using DropBox in the manner listed above is the best way to keep your data as secure as you can. However, fully encrypted data storage is still your best bet when it comes to cloud storage providers to entirely eliminate your risk of inadvertently breaching HIPAA.