Is Dropbox HIPAA Compliant?

Dropbox is known for being a convenient file sharing and storage tool. For over a decade, Dropbox has allowed teams to collaborate cross- functionally by providing a single source of truth. With files being managed and synced to a central location, teams can work together without issues of version control. Even in a post- Google Drive and OneDrive era, Dropbox remains important, as not everyone uses the same productivity suites.

How secure is Dropbox?

Dropbox is a secure product, and the company has received a number of industry specific security certifications, including:

• ISO 27001
• ISO 27017
• ISO 27018
• ISO 22301
• ISO 27701
• SOC 3
• SOC 2
• SOC 1/SSAE 18/ISAE 3402
• CSA STAR
• Germany BSI C5 Attestation Report
• NIST SP 800-171 R2 Attestation Report

Dropbox is also capable of supporting an organization’s compliance efforts with a variety of compliance regimes including:

• HIPAA/HITECH
• EU-U.S. Privacy Shield/Swiss-U.S. Privacy Shield
• GDPR
• FERPA
• COPPA
• FDA 21 CFR Part 11
• PCI DSS

Keep in mind that compliance is only possible on Dropbox for business and not for Dropbox personal accounts. Business accounts allow for more granular permissions and access settings that will be important in your compliance efforts.

How should healthcare organizations use Dropbox?

While Dropbox can be used by healthcare organizations, it’s not HIPAA compliant out of the box. As is the case with most applications, it has to be configured properly before it can be used by a HIPAA- covered entity. Below we list some of the most important steps you should take:

1. Sign and execute a business associate agreement with Dropbox. Before working with any entity that will be managing and/or storing PHI on your behalf (known under HIPAA as a business associate), you must first sign a business associate agreement or BAA. The BAA is an important legal document that spells out the obligations of the business associate and the HIPAA covered entity as it pertains to the services being provided and the security of PHI. Dropbox allows you to sign a BAA through your Dropbox Business account through the admin console.
2. Configure sharing permissions. Ensure that folders, links, and documents cannot be shared with people outside of your team. Additionally, ensure that team members understand the importance of restricted permissions settings for every file or folder stored within Dropbox.
3. Strengthen authentication. Utilize authentication controls like two-step verification and single sign on for identity management, to ensure accounts are unlikely to be hijacked by unauthorized parties.
4. Disable permanent deletions. HIPAA has retention requirements for PHI, but by default file owners can delete the files they upload. By disabling the “Permanent Delete” feature you can ensure that only admins can delete content.
5. Follow other best practices outlined by Dropbox. Dropbox has a getting started guide for HIPAA covered entities. This guide includes the advice we have above as well as additional best practices like implementing an access review process to manage or monitor accounts and devices accessing your Dropbox instance.

In addition to the items above, Dropbox also indicates that additional security controls, such as those provided by third-party providers in Dropbox’s app ecosystem might be necessary. In our Guide to HIPAA Compliance for SaaS Applications Checklist, we outline the types of controls that are generally relevant for complying with the HIPAA security rule.

Being HIPAA compliant means asking the right questions.

Are you looking for other HIPAA-compliant SaaS applications to enable digital transformation within your healthcare organization? You can view other posts in this series for services like Google Drive and Atlassian. You can also learn more about the HIPAA Security Rule requirements from our Ultimate HIPAA Security and Compliance FAQ, which can be read for free online.