What You Need to Know About Dropbox as a Data Backup Service

Learn about what Dropbox is, if it’s HIPAA-compliant, and the risks associated with storing PHI on the cloud.

Dropbox, an online file hosting service, is one of the most popular apps out today. With over 200 million users and growing, Dropbox offers a secure place to store your files so you can share them with others. However, you might be wondering if this “secure” app is HIPAA compliant for data storage. Here are some of the benefits and downfalls of using Dropbox in regard to privacy protection.

Does Dropbox’s data storage and file transfer comply with HIPAA?

It’s one of the most widely-used cloud-based file storage and sharing services – but is Dropbox HIPAA-compliant? It’s an important question that all healthcare providers and other organizations that deal with protected health information (PHI) need to ask before using Dropbox at their practice.

So, the question is simple. Is Dropbox HIPAA-compliant?

Well, yes and no

Out of the box, Dropbox isn’t HIPAA-compliant by design – no software is, in fact, as it all depends on how that software is used.

That said, it is possible to make use of Dropbox as a file storage and sharing system and avoid HIPAA violations – but it does require careful configuration.

HIPAA Requirements for Data Backup and File Hosting Services

The Health Insurance Portability and Accountability Act has strict requirements regarding the storage of PHI.

Under HIPAA’s Security Rule, HIPAA covered entities – i.e. healthcare providers, plans and clearinghouses – must implement adequate safeguards to preserve the confidentiality, integrity, and availability of healthcare data.

In addition, in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA’s requirements to include a covered entity’s business associates.

A business associate is any service provider that has access to the PHI of a covered entity. Business associates are therefore subject to HIPAA rules.

The Department of Health & Human Services (HHS) mandates that a covered entity may use a cloud service provider (CSP) to store or process PHI, provided the entity “enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf and otherwise complies with the HIPAA rules.”

Read HIPAA Compliant Secure File Sharing: How To Keep Your Business Safe

So, Is Dropbox HIPAA Compliant?

It can be but must be used with caution.

Dropbox is not HIPAA compliant until you have a business associate agreement in place with the company.

Dropbox will sign a BAA with HIPAA covered entities – but to avoid violations, this must be obtained before you upload any file containing PHI to a Dropbox account.

There are, however, other hurdles.

Obtaining a signed BAA is only the first step.

Another important aspect of HIPAA is the Privacy Rule. The Privacy Rule regulates who has access to PHI and the ways in which it can be used and disclosed.

You must manage employees’ permissions and authorizations

To be HIPAA compliant, organizations must implement policies and procedures that limit the use and disclosure of PHI and restrict access to employees with specific authorization.

The Security Rule, meanwhile, requires organizations to adopt user authentication safeguards when utilizing services for the electronic storage of PHI.

Put it all together and it becomes clear that covered entities must be extremely careful when using Dropbox and HIPAA.

First, sharing permissions need to be configured to ensure files containing PHI cannot be accessed by unauthorized individuals.

In addition, two-step authentication should be set up to add an extra layer of protection to your Dropbox accounts.

You must monitor Dropbox to ensure that you stay HIPAA compliant

Furthermore, regular monitoring of those accounts is required to ensure unauthorized individuals are not accessing PHI.

If someone changes their job role, leaves your organization, or otherwise no longer requires access to PHI, their accounts must be deleted.

The same due diligence must also be applied to any devices that are linked to your Dropbox account.

If a linked device is lost, stolen, or, again, if a device’s user leaves your organization, that device must be unlinked, and any Dropbox content wiped from it.

HIPAA also requires that patients are always able to receive a copy of their medical records upon request.

This means that you cannot delete their files.

Unfortunately, by default, the person who uploads a file or an owner of a shared folder can perform permanent deletions in Dropbox. As such, you must disable permanent deletions from the Admin Console, which limits the ability to permanently delete content to admins only.

You must also beware of third-party apps. Though third-party apps and integrations can add extra security or functionality to your Dropbox account, they are not part of Dropbox’s included services.

Therefore, they are not covered by your Dropbox terms of use, including the BAA that you sign with Dropbox and may not follow HIPAA standards.

As such, you must research third-party apps and integrations and obtain separate BAAs before you use them.

Central Data Storage – A Safer, HIPAA-Compliant Alternative to Dropbox

Is Dropbox HIPAA-compliant? It can be – though it depends on how you use the service, configure your accounts and your ability to regularly monitor user access and activity, all of which of course present time-consuming administrative burdens.

Fortunately, there are alternative file storage and sharing solutions that are HIPAA-compliant by design.

Central Data Storage is one such solution.

All our products have been purposefully built to keep your PHI safe and secure in full compliance with HIPAA.

We have BAAs in place and are approved by third-party auditors as 100% compliant with HIPAA and HITECH, as well as the EU’s General Data Protection Regulation (GDPR) and State Laws.

What’s more, our 448-bit end-to-end encryption exceeds military-grade standards to ensure your data remains protected from cyberattacks and other outside threats, both in transit and at rest in our highly secure private cloud.

With Central Data Storage, you also enjoy unlimited storage capacity, dual authentication, encrypted sharing, and ransomware recovery.

Our sole purpose is to ensure that your data is always safe, fully protected, and recoverable and that you remain in full compliance with HIPAA and other regulatory requirements.

Want to learn more about the benefits of our comprehensive data solutions, WisperMSG and UnisonBDR? Just call 1-888-907-1227 or email info@centraldatastorage.com

Scroll to Top