Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Dropbox is a hugely popular file sharing and storage company located about a mile from us here in San Francisco.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
The purpose of this post is to determine if Dropbox offers HIPAA compliance or not.
About Dropbox
Dropbox is a cloud-based file hosting and sharing service that has its headquarters in San Francisco, California.
The company was founded in 2007 by MIT students Drew Houston and Arash Ferdowsi.
Dropbox and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
We checked Dropbox’s site and found a section titled “The standards and regulations that Dropbox Business and Education comply with” on their Help Center under Security and Privacy.
Under the HIPAA / HITECH sub-section, Dropbox writes:
“Dropbox will sign business associate agreements (BAAs) with Dropbox Business, Enterprise, and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).”
When did Dropbox first announce HIPAA Compliance?
Now that we know certain versions of Dropbox support HIPAA compliance, we thought it would be useful to find out when they first offered HIPAA compliant services.
The answer turns out to be late 2015.
We found a blog post from 6 November 2015 titled, “Dropbox now supports HIPAA and HITECH Act compliance.”
How to Sign a Business Associate Agreement with Dropbox
Only certain versions of Dropbox are supported for HIPAA compliance.
They are:
- Dropbox Business
- Dropbox Enterprise
- Dropbox Education
If you are a Dropbox Business, Enterprise or Education customer, here’s how to sign a Business Associate Agreement with Dropbox:
- Sign in to Dropbox with your admin account.
- Open the Admin Console.
- Click Settings.
- Click Team profile.
- Under Advanced, click Set up BAA.
- Review and complete the agreement.
Getting Started with Dropbox and HIPAA
We also found a helpful Getting Started with HIPAA guide on Dropbox’s site.
The guide provides a variety of suggestions on topics like:
- Configuring sharing permissions on Dropbox.
- Disabling permanent deletions.
- Monitoring account access and activity.
- Understanding the role of third-party apps.
Dropbox Paper and HIPAA
Dropbox Paper is a collaborative document-editing service that originated from the company’s acquisition of document collaboration company Hackpad in 2014.
Take note: Dropbox Paper is not supported for HIPAA Compliance.
In their Help Center, we found an article called “Using Dropbox Paper with Dropbox Business.”
In it, the article mentions:
“Paper is not HIPAA-compliant, and Dropbox Business customers who have signed a BAA can’t use Paper.”
Does Dropbox Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.
Information on Dropbox’s website states that certain versions of their product offer HIPAA Compliance:
- Dropbox Business
- Dropbox Enterprise
- Dropbox Education
We also discovered Dropbox Paper is not HIPAA compliant, regardless of which product plan you sign up for.
Conclusion:
Certain versions of Dropbox can be configured to be HIPAA compliant.
Make sure you sign a Business Associate Agreement with them.