Dropbox is a file hosting service that provides cloud storage, online backup, file sharing, and many other features. It is used by hundreds of thousands of businesses, including Fortune 500 companies.

With Dropbox, people in the same organization can work on the same file simultaneously without keeping several copies. This helps limit confusion and keeps a company’s files better organized.

Many health care providers, such as clinics, doctors, and hospitals, use Dropbox. This raises concerns about whether Dropbox use complies with the Health Insurance Portability and Accountability Act (HIPAA).


What is HIPAA?

HIPAA is a law introduced to ensure the protection of health information that individuals share with covered entities. It aims to safeguard Protected Health Information (PHI) amid the rapid proliferation of technology.


Is Dropbox HIPAA compliant?

Since HIPAA is a law and not a rule, there is no certificate that an entity can obtain to demonstrate its compliance with it.

Therefore, it is the company’s responsibility to ensure it uses Dropbox in a way that is compliant with HIPAA.


What steps should a company take to assure, as far as possible, its compliance with HIPAA?

  • Disable permanent deletions: by default, Dropbox’s settings allow users to permanently delete uploaded files. This feature is not aligned with HIPAA’s data retention requirements, so make sure you disable this option when using Dropbox.
  • Sign a Business Associate Agreement (BAA): the company must ensure that the cloud storage provider is compliant with HIPAA. It should therefore sign a BAA with the provider before uploading any electronic PHI. This way, you can be sure the provider is compliant with HIPAA and can start uploading files to the cloud.
  • Conduct a third-party risk assessment: you may use third-party services to complement your account. However, you should ensure that each third party is compliant with HIPAA by conducting a thorough risk assessment.
  • Monitor access to and activity on the account: make sure that the people who have access to the account are the appropriate ones. Regularly check who has access to the account and whether that access is still required, and grant or remove people’s access accordingly.


Conclusion

With no certificates granted to confirm a covered entity’s compliance with HIPAA when using Dropbox, maintaining compliance and taking adequate measures to ensure it can be time-consuming and hectic. However, this task should not be taken lightly, because in the case of non-compliance some hefty penalties may be imposed.