Organizations in the healthcare industry can benefit from using Dropbox to store and share information. But is Dropbox HIPAA compliant? A recent article from Inspired e-Learning walks us through how to use Dropbox and stay within HIPAA Compliance. While Dropbox’s features and functions do support HIPAA/HITECH compliance -- it’s up to your organization to properly configure the platform and adjust its settings to remain within the bounds of the law. To do so, follow these steps:
1. Execute a BAA: Before anything is transmitted, the first step is to sign a business associate agreement (BAA) with Dropbox. HIPAA defines a business associate as any entity which receives or manages PHI. A BAA requires both the sending and receiving party to adhere to HIPPA/HITECH regulations, thereby protecting sensitive medical information on both ends. Users who have a paid account can sign a BAA with Dropbox from within their admin console. However, those with a free Dropbox plan do not have access to the BAA feature, and will not be able to achieve compliance using Dropbox.
2. Authentication & Sharing Permissions: To best secure PHI stored on Dropbox, two-step verification is highly recommended. Under this process, authenticated users are required to enter a six-digit security code sent to their mobile device, in addition to their username and password. Organizations handling PHI should also tighten account permissions to protect against unauthorized sharing. Account administrators can configure the settings so that files and links can only be shared among the team’s authorized members. Administrators can also assign “editing” or “view-only” privileges to each team member as appropriate.
3. Disable Permanent Deletion: In order to meet HIPAA data retention requirements and ensure medical files remain on-hand should a patient request them, the “permanent delete” function should be disabled through the admin console.
4. Monitor Account Access & Activity: Dropbox user activity reports show who has accessed or obtained information and should be frequently monitored for unusual activity. Reviewing these reports will also help administrators ensure that permissions are up-to-date. If a team member leaves, you can remotely unlink their account and wipe Dropbox content from their mobile device.
5. Evaluate Third-Party Apps: There are a number of third-party apps that can be added to a Dropbox account to increase functionality. However, these services are separate from Dropbox and are not covered under your BAA. It is up to the user to evaluate the privacy practices of third-party apps to see if they meet compliance needs.
For more information on HIPAA compliance, visit HIPAAcraticRx.