Dropbox E3 and E5 accounts meet a range of certification and regulatory criteria that allow them to be configured in a HIPAA-compliant manner. These configurations are not part of the default setup, so you will need to make sure everyone on your team knows how Dropbox fits into your procedures while conforming to HHS HIPAA security requirements.
Encrypt PHI Stored on Dropbox
Dropbox does not stop you from uploading files containing unencrypted PHI, and Dropbox's own at-rest encryption uses keys that Dropbox, not you, holds. Encrypt your documents on your own systems before uploading them, so that Dropbox only ever stores ciphertext. Here are some encryption decision questions to get you started.
- How will you encrypt PHI at rest while it sits on Dropbox's servers?
- Is your team trained to use the software that encrypts files containing PHI?
- Do you have the resources in-house to set up and administer your encryption solution?
- Who will be responsible for managing encryption keys, and where will those keys live so that they are never stored alongside the ciphertext in Dropbox?
Manual Encryption Options
VeraCrypt and DiskCryptor are two no-cost options: VeraCrypt creates encrypted containers that you can keep in your Dropbox folder, while DiskCryptor encrypts whole disks or partitions on Windows. Paid products like AxCrypt add features for managing access to encrypted files, including key sharing, password management, backup keys, mobile support, secure file wiping and more.
Automatic Encryption Options for Dropbox
Use a tool like BoxCryptor to encrypt every file on your device automatically before it is synced, so that only ciphertext ever reaches your Dropbox account. Dropbox has published a Business and HIPAA/HITECH overview for customers looking to meet HIPAA requirements.
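The tools above all do some form of the following: the file is encrypted on your machine under a key you control, and Dropbox only ever sees the result. As an added illustration (not code from Dropbox, Boxcryptor or this page), the Go program below encrypts a file with AES-256-GCM under a fresh per-file data key, wraps that data key under a master key that stays outside Dropbox, and binds the storage file name into the authentication tag. The blob format, the function names and the idea of holding the master key in a KMS or HSM are assumptions made for the example; the sample PHI is constructed, not real.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	formatVersion = 0x01 // first byte of every blob, so the format can evolve
	keyLen        = 32   // AES-256 for both the master key and per-file data keys
)

// Blob layout (every field is fixed-length, so no untrusted length is parsed):
//   version(1) | wrapNonce(12) | wrappedDataKey(32+16) | dataNonce(12) | ciphertext(n+16)

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile encrypts plaintext under a fresh data key, then wraps that data key
// under masterKey (which hypothetically lives in your KMS/HSM, never in Dropbox).
// The storage name is bound as associated data, so a ciphertext copied to another
// patient's file name will refuse to decrypt.
func EncryptFile(masterKey []byte, name string, plaintext []byte) ([]byte, error) {
	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	dataKey, err := randomBytes(keyLen)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(masterAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	dataNonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	out := []byte{formatVersion}
	out = append(out, wrapNonce...)
	out = masterAEAD.Seal(out, wrapNonce, dataKey, []byte(name)) // wrapped data key
	out = append(out, dataNonce...)
	return dataAEAD.Seal(out, dataNonce, plaintext, []byte(name)), nil
}

// DecryptFile reverses EncryptFile. A blob altered in storage, a wrong master key
// or a mismatched file name yields an error rather than silent garbage.
func DecryptFile(masterKey []byte, name string, blob []byte) ([]byte, error) {
	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	ns, wrappedLen := masterAEAD.NonceSize(), keyLen+masterAEAD.Overhead()
	if len(blob) < 1+ns+wrappedLen+ns+masterAEAD.Overhead() || blob[0] != formatVersion {
		return nil, errors.New("malformed or unsupported blob")
	}
	p := 1
	wrapNonce := blob[p : p+ns]
	p += ns
	wrapped := blob[p : p+wrappedLen]
	p += wrappedLen
	dataKey, err := masterAEAD.Open(nil, wrapNonce, wrapped, []byte(name))
	if err != nil {
		return nil, errors.New("data key unwrap failed: wrong master key or file name")
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	dataNonce := blob[p : p+ns]
	p += ns
	plaintext, err := dataAEAD.Open(nil, dataNonce, blob[p:], []byte(name))
	if err != nil {
		return nil, errors.New("ciphertext authentication failed: file altered in storage")
	}
	return plaintext, nil
}

func main() {
	master, _ := randomBytes(keyLen) // in practice: fetched from your KMS/HSM
	phi := []byte("constructed sample PHI: patient 0001, visit 2023-01-01")
	blob, err := EncryptFile(master, "patient-0001.txt", phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob to upload: %d bytes; plaintext never left this host\n", len(blob))
	blob[len(blob)-1] ^= 1 // simulate a byte changed while in storage
	_, err = DecryptFile(master, "patient-0001.txt", blob)
	fmt.Println("decrypt after tamper:", err)
}
```

Per-file data keys mean that rotating or revoking the master key only requires re-wrapping 48 bytes per file, not re-encrypting every document; that is the practical answer to the "who manages keys" question above. The file name is the only associated data here; a production tool would also bind a version counter to stop an attacker from rolling a file back to an older ciphertext.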
Will Dropbox Sign a Business Associate Agreement?
Yes. Dropbox will sign a Business Associate Agreement (BAA) with E3 and E5 customers. Dropbox recommends that prospective customers contact its sales team to get the BAA set up correctly. Existing Dropbox Business E3 and E5 administrators can sign a BAA electronically from the Account page in the Dropbox Admin Console. Have the BAA in place before any PHI is uploaded; HIPAA requires the agreement to exist before a covered entity shares PHI with a business associate.
Deciding if Dropbox is HIPAA Compliant for You
When evaluating Dropbox for HIPAA compliance, start from your existing security management process. Any software that stores or transmits PHI should be able to encrypt data, enforce role-based authorization, support secure encryption key management, log user activity, and provide whatever other features your HIPAA compliance processes require.