Is Dropbox HIPAA Compliant?

Dropbox is one of the leading file sharing and storing services currently on the market. As of writing this, it has 700 million users and its revenue for 2020 was $1.914 billion. Many businesses and organizations worldwide use Dropbox, and that includes HIPAA-covered entities.

Medical organizations need to be careful when choosing a file sharing and storing service as they need to find a provider that will help them stay HIPAA compliant. If you want to keep your business away from legal and financial problems, you need a safe and trustworthy provider.

So is Dropbox HIPAA compliant? Let’s take a closer look.

Healthcare Vendors and BAA

Since healthcare providers are covered entities under HIPAA regulations, they are responsible for complying with all HIPAA rules and for ensuring the accessibility and protection of all health information. And since HIPAA regulates how PHI is used, accessed, and transferred, it’s relevant to file sharing and storing.

If a covered entity works with a third party that encounters PHI in any way, that third party is known as a business associate. All business associates need to sign a business associate agreement (BAA). This agreement ensures that both parties understand and follow all HIPAA rules and regulations.

So, the first condition Dropbox needs to meet to be HIPAA-compliant is to offer BAAs to any covered entity that requests one. And while users of the free version of Dropbox aren’t offered a BAA, paid users can ask for a BAA and get one without any issues.

Is Dropbox HIPAA Compliant?

Yes, Dropbox is HIPAA compliant. You’ll be happy to know that if you set up your account correctly and choose the paid version of Dropbox, the service will meet all HIPAA regulations. As we already stated, Dropbox is willing to sign a BAA with any HIPAA-covered entity that purchases the paid version of their service.

HIPAA violations shouldn’t be taken lightly. Medical centers can be fined up to millions of dollars for breaking HIPAA regulations, have their entire organization investigated, and even be shut down. Not to mention that if you break these regulations, you will also lose your patients’ trust.

Companies that need to follow HIPAA standards can easily do that through Dropbox’s settings. You can monitor how PHI is used, limit who can gain access to it, and take advantage of other useful features that will help you avoid any legal problems and expensive fines.

But Still…

When asking the question “Is Dropbox HIPAA compliant?”, we also need to take into consideration that it’s still a digital tool. And like many other tools, it collects metadata about its users. Dropbox gathers this metadata from user interactions with the system and, over time, builds a general map of how each account is used.

Since this metadata is collected automatically, you can’t be completely sure whether Dropbox retains any PHI that you didn’t encrypt. And since metadata isn’t protected by a BAA, this is the only thing that might make us question whether Dropbox truly is HIPAA-compliant.

How to Use Dropbox to Remain Compliant

The simplest answer to the question “Is Dropbox HIPAA-compliant?” is yes, but only if you follow these steps:

  • Set up the account first. Before you transfer any PHI, you need to set up your account properly to ensure it’s HIPAA compliant. You can only do this if you’re a paid user.
  • Sign a BAA. You can do that on your Dropbox admin page.
  • Set up security features. Go to settings to enable two-factor authentication and set up who can access, receive, and send files.
  • Disable permanent deletion. Since patients have the right to a copy of their medical records whenever they request them, you need to keep their files.
  • Monitor Dropbox usage. Limiting access isn’t enough. Instruct an admin to check the account regularly and look for any signs of unauthorized parties who are accessing PHI.
  • Avoid third-party apps. There are certain third-party apps that could add better functionality and security to your Dropbox account. However, as they aren’t covered under the BAA you’ll sign with Dropbox, you can’t be sure they’ll comply with HIPAA regulations.

Configure Your Dropbox Accounts Carefully

It’s possible to violate HIPAA regulations when using Dropbox, so you need to be very careful when you’re configuring your account. To avoid any issues, you need to do things such as configuring sharing permissions, enabling two-step verification, and all the other steps we mentioned.

One of the most important things you need to remember is that you should never allow any unauthorized individuals to access PHI on your Dropbox account. So, make sure admins perform regular checks and review the user-activity reports Dropbox produces.

HIPAA Compliance = Dropbox + ?

If you want your HIPAA compliance to be guaranteed, there is a secret ingredient you should use along with Dropbox. Dropbox and 123 Form Builder are the perfect match you’ve been looking for. We created HIPAA-compliant forms with Dropbox integration that allow you to create safe forms and send them right to your Dropbox account.

Best of all, not only are the forms you build with 123 Form Builder secure, but they’re also incredibly easy to make. In just a few clicks, you’ll be able to create your form, ask people who are using that form for files, and easily upload them to your Dropbox account. HIPAA compliance has never been easier.

Conclusion

To sum up, Dropbox is HIPAA compliant and many businesses use it across the globe. However, you should be careful about the way you capture the data. Luckily, you don’t have to look far. Combining Dropbox with our solution is the best choice you can make.