Is Dropbox HIPAA Compliant?

Many small businesses appreciate the ease and reliability of cloud storage. With cloud storage, you can share files with other parties and collaborate, all while making backup copies that you’ll store offsite, which protects you in case of a natural disaster that destroys your onsite storage.

However, if your business must follow HIPAA guidelines with the files you have in your possession, you need to be careful with how you handle this data, whether it’s onsite or in cloud storage. Maintaining compliance with HIPAA not only means guarding the way you handle your data, but it also requires using software and apps that follow HIPAA guidelines, which includes your cloud storage provider’s app and software.

If you use Dropbox for your cloud storage, you may be wondering, is Dropbox HIPAA compliant? When using Dropbox, following through on HIPAA compliance is possible, but you need to set up the Dropbox app properly to ensure compatibility. We’ll help you figure out how to make Dropbox HIPAA compliant.

Maintaining HIPAA Compliance With Dropbox

HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. This is a federal law that sets up standards for protecting health information of patients. Those who collect and store this type of patient health data cannot disclose it to others without the knowledge or consent of the patient.

Those who must follow HIPAA guidelines include:

• Healthcare providers (such as doctors and hospitals)
• Health, dental, vision, or Medicare supplement insurance providers
• Businesses that process health insurance claims or other medical billing information

Businesses must safeguard electronic protected health information, also called e-PHI or PHI. This encompasses any digital files or other data, which is where companies that are using a cloud service provider like Dropbox need to be able to ensure HIPAA compliance.

Do You Need HIPAA Compliance With Your Version of Dropbox?

If you are a business that handles patient data, or if you are a business associate of an entity that handles this type of sensitive information, you will need to ensure your Dropbox account has HIPAA compliance.

According to HIPAA guidelines, a business associate is any entity that has access to PHI or that handles that information on behalf of a business that must maintain HIPAA compliance. Oftentimes, a business associate dealing with HIPAA guidelines will be a subcontractor to a company that handles PHI directly.

If you are a business associate or a business that handles PHI, and if you use Dropbox for cloud storage or for document collaboration, Dropbox will be your business associate for HIPAA purposes.

If you fail to follow HIPAA guidelines, you could be subject to significant fines, so it is extremely important to make sure all of the software and apps you are using will follow HIPAA.

Can Dropbox Be Made HIPAA Compliant?

Dropbox does offer the capability to maintain compliance with the HIPAA regulations, but you do need to set up your account properly. Here are a series of steps you can follow to ensure that Dropbox is HIPAA compliant.

• Set up a BAA. If you are a HIPAA covered entity, you and Dropbox will need to complete a BAA (business associate agreement) to ensure compliance. Once you have your account set up, you can open the Admin page in your Dropbox account to access the BAA forms.
• Set up the security features. You may want to set up Dropbox so that anyone who accesses it must use a two-step sign-in verification. This ensures that if one of the employees loses a password, whomever gains access to the password cannot access the account.
• Protect the files. Determine who should be able to access the PHI files in Dropbox and then only give those employees access through your Dropbox administrator settings.
• Use third-party apps carefully. There are a number of third-party apps that are available for Dropbox. However, if you choose to use them, you need to ensure that they are also HIPAA compatible.

Maintaining HIPAA compliance through Dropbox is not a difficult process, but you do have to take a bit of time to ensure that you have everything set up properly.

What’s Required to Be HIPAA Compliant When Using Dropbox?

For starters, it is important to use the proper version of Dropbox to ensure that your organization will be HIPAA compliant.

HIPAA Compliant Dropbox Account Levels

Here are the account levels you can use with Dropbox that maintain compatibility with HIPAA guidelines.

• Standard: The Standard level in Dropbox is made for businesses or other organizations, and it costs $15 per month per user. It has encryption protection, two-factor authentication, and 5 TB of storage space per user.
• Advanced: The Advanced level in Dropbox is made for businesses and other organizations, providing data encryption and two-factor authentication with an unlimited amount of storage available for each user. The cost in the Advanced level is $25 per user per month.
• Enterprise: The Enterprise level is made for businesses and organizations. It provides data encryption and two-factor authentication. In addition to the HIPAA compliance this level provides, it also has 24/7 customer support, as well as extensive administrative control, which can be helpful for larger organizations. You’ll have to call Dropbox for a price quote for this level.
• Education: There is an Education level in Dropbox, but users will need to call Dropbox for pricing quotes. Higher education institutions will be the primary users for the Education level. Depending on the number of users you will have with Dropbox Education, you may be eligible to have 15 GB of storage per user. At this level, Dropbox provides HIPAA guidelines compliance.

Non-HIPAA Compliant Dropbox Account Levels

Here are the Dropbox account levels that are not able to follow compliance with HIPAA guidelines.

• Basic: The Basic account level is Dropbox’s free account. Users have access to up to 2 GB of storage with Basic. Basic has plenty of security features, so your data will be well protected with this level, but it will not meet HIPAA compliance.
• Professional: The Professional account level costs $19.99 per month, and it is made for individuals to use with 3 TB of storage space. You can use the Professional level with multiple security levels, including two-factor authentication and data encryption. However, the Professional level does not have HIPAA compliance capability.
• Plus: The Plus level in Dropbox is made for individuals, offering 2 TB of storage for $9.99 per month. However, this level does not have HIPAA compliance.

How to Make Your Dropbox Plan HIPAA Compliant

Here are the steps you should follow to ensure that your Dropbox account is compliant with HIPAA regulations.

Sign Up for the Right Plan

As we discussed earlier, you need to sign up for a plan level in Dropbox that allows for HIPAA compliance. The plans aimed at individual users will not have HIPAA compliance, but those aimed at businesses and organizations will offer HIPAA compliance.

Sign a BAA

It is important to complete the BAA in Dropbox as early as possible. Without having a signed BAA in place, you cannot begin using Dropbox for HIPAA compliance, and you should not begin sending HIPAA related files and data to Dropbox for cloud storage.

From the Administration page in Dropbox, you can start the process of signing the BAA.

Set Up the Proper Permissions

Dropbox recommends that any clients using the app for PHI data that requires HIPAA compliance enable two-factor authentication.

This means that clients will need to enter their username and password to gain access to the account, followed by entering a six-digit authentication code that arrives on a mobile device. This ensures that no one can access the account with only the user name/password combination or with the mobile device alone.

Maintain HIPAA Compliance

After you have signed up for the right Dropbox level, it is important to ensure that you maintain your security levels for HIPAA. This requires regular monitoring of your Dropbox account, as well as a few other items.

• Staying up to date: You should keep up to date on the HIPAA regulations, ensuring that you make changes to how you handle patient data and files to match changes in the regulations.
• Monitor account activity: Keep an eye on your account and the way the members of your organization are using it for HIPAA related data and files. If any of them are not using it properly or should not have access, you will catch this problem quickly through regular account monitoring.
• Update permissions regularly: Because employees and organization members often have their job responsibilities and descriptions change on a regular basis, you may find that some employee’s requirements for HIPAA permissions may also change. Through regular monitoring of your Dropbox accounts, you hopefully can catch when someone in your organization no longer requires access to HIPAA files, allowing you to change the permissions as needed.
• Don’t allow deletions: Set up your Dropbox account so no one can delete the HIPAA related medical files, either inadvertently or on purpose. You have to give patients copies of their medical files if they request them, so you do not want to have a file deleted, and then have the patient request the file.

What About Dropbox Paper and HIPAA?

Dropbox added compatibility with HIPAA in 2015, and the following year it added the ability to sign a BAA electronically between itself and its customers who need the BAA.

In 2017, Dropbox added Dropbox Paper to its offerings, but it was not usable for those who required HIPAA compliance. The company updated how Paper works in 2019, this time adding HIPAA compliance to the app. (Dropbox Paper is a digital workspace that allows people in the organization to collaborate on projects, accessing files and brainstorming ideas.)

You will have to update the settings on the administration page of Dropbox Paper to be able to use this app in a manner that is compliant with HIPAA.