Is Dropbox HIPAA Compliant? | Westfax (2024)

Dropbox is a popular service for storing and sharing files. Covered entities that are subject to HIPAA should approach Dropbox with caution, though, just as they would with any other technology platform.

Dropbox claims to be fully HIPAA compliant, but healthcare providers, insurance companies, HMOs, and other covered entities or business associates must understand the nuances of working with technologies that store and transmit protected health information (PHI).

How to Maintain HIPAA Compliance with Dropbox

The US Department of Health and Human Services (HHS) categorizes Dropbox as a “business associate.” Consequently, before you store any PHI using Dropbox, you need to have a signed Business Associate Agreement (BAA) in place with them. That will require a Dropbox Business account; the free version will not suffice.

Next, you’ll need to configure Dropbox to be HIPAA compliant, starting with setting permissions for file sharing. This is especially important because Dropbox makes it so easy to share information that is stored on the platform with external users. Configuration settings allow you to prohibit users from sharing files outside of your organization. To stay HIPAA compliant, it’s important to turn that feature on.

Even when employees share information internally, though, you will need to restrict access to certain information. When someone creates a shared folder, they can customize the folder's settings to set the appropriate level of access for various users in your organization.

You should also implement two-factor authentication (2FA), which is strongly recommended whenever working with software or online services that contain electronic PHI. This prevents access by an unauthorized party, even if they have obtained a valid username and password.

HIPAA requires that certain records be retained for up to six years, and various state laws mandate specific retention periods for medical records. It is important, therefore, to prevent users from permanently deleting files from Dropbox, which could inadvertently lead to a HIPAA violation or infraction of state laws.

By default, anyone who uploads a file or owns a shared folder within Dropbox can perform permanent deletions. To stay in the good graces of HIPAA regulators, you should disable the "Permanent Delete" feature within Dropbox’s Admin Console. With this feature turned off, the ability to permanently delete content is restricted to team admins only.

Monitoring for Potential Problems

As with many technology platforms used to send, receive, and transmit PHI, Dropbox requires ongoing monitoring to ensure that it is not being used improperly.

Whenever an employee leaves or a third-party contractor ceases to work for your organization, you should promptly remove their access to Dropbox content. It’s a good practice to review the list of Dropbox users on a routine basis to ensure that access using any unauthorized account has been disabled.

Because Dropbox stores copies of files on local devices, it’s critical that any unused or unauthorized devices be cleared of all sensitive data they might contain. Dropbox allows administrators to “unlink” a device. At that time, they should opt to remotely wipe all Dropbox content from it.

Dropbox team administrators can view and export reports that list all sharing, authentication, and administrative activities. It is strongly recommended that someone in your organization review those activity reports, watching for any unusual activity.

Third-party Apps in Dropbox

There are a number of third-party apps available for Dropbox Business that extend the platform to provide additional features. These generally offer added convenience, and in some cases even strengthen the overall security available to Dropbox users.

However, third-party apps are not covered by Dropbox’s terms of use, and they aren’t included in the BAA that Dropbox executes with covered entities. In other words, you need to evaluate these independently, configure them appropriately, and obtain a signed BAA from each of the software companies providing a third-party app.

Some of those apps are linked to Dropbox Business accounts as a whole. Others are connected to individual accounts, so controlling the use of these extensions can be tricky.

Dropbox provides a guide to Getting Started with HIPAA. It’s important, of course, to check with the company for updated information about the company’s conformance to HIPAA standards and recommended steps for remaining HIPAA compliant.

You Are Responsible for Staying HIPAA Compliant

Ultimately, you are responsible for ensuring that your handling of PHI is fully compliant with HIPAA’s Privacy Rule. Although Dropbox can be a very useful tool, it is your job to make sure that you are using it properly and have a BAA in effect with Dropbox.

If you prefer to transmit, receive, and store PHI securely, but without all the headaches, consider using the tried-and-true technology that so many healthcare providers, insurers, and others in the medical field have relied upon for years. Secure cloud fax is highly reliable and easy to use, with proven security.

With WestFax’s HIPAA-Compliant Healthcare Fax, users can send and receive faxes from their desktop computer, from a multifunction printer (MFP), or even from a mobile phone. WestFax offers a host of other features that make it easier to use and more efficient than traditional fax machines, such as automatically adding a cover page with a HIPAA disclaimer to every outgoing fax. WestFax also maintains a record of every document sent or received, providing a clear audit trail that is protected and safe from unauthorized access.

If you’re interested in learning more about what it takes to switch to HIPAA Compliant Secure Cloud Fax, call WestFax today at 800-473-6208, or contact us via our website.

Article information

Author: Rev. Leonie Wyman
