Gazelle Consulting

Is Dropbox HIPAA Compliant?

Dropbox E3 and E5 accounts hold a number of certifications and meet regulatory criteria that allow them to be configured in a HIPAA-compliant manner. No product is HIPAA compliant on its own; compliance is a property of how a covered entity configures and uses it. Those configurations are not part of the default setup, so you will need to enable them and make sure everyone on your team knows how Dropbox fits into your procedures while conforming to the HIPAA Security Rule requirements set by HHS.

Encrypt PHI Stored on Dropbox

Dropbox encrypts data in transit and at rest on its servers, but Dropbox holds those keys, and it will accept files containing PHI that you have not encrypted yourself. Encrypt documents containing PHI before they reach the Dropbox folder, so that a compromised account, an over-shared link, or anyone with access to the stored copy cannot read them in the clear. Here are some encryption decision questions to get you started.

  • How will you encrypt PHI at rest while it is stored on Dropbox’s servers, and who besides you could decrypt it?
  • Is your team trained on how to use software that manually encrypts files containing PHI?
  • Do you have the resources in-house to set up and administer your encryption solution?
  • Who will be responsible for managing encryption keys?

Manual Encryption Options

VeraCrypt and DiskCryptor are two no-cost options. VeraCrypt can create an encrypted container file that you place in the Dropbox folder, so only ciphertext ever leaves your machine. DiskCryptor encrypts whole disks or partitions on Windows; that protects the local copy if a laptop is stolen, but it does nothing for the copy on Dropbox’s servers, because the Dropbox client reads files after the operating system has already decrypted them. Paid tools like AxCrypt add features to help you manage encrypted file access, including key sharing, password management, backup keys, mobile support, file wiping and more.
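The manual approach above comes down to two rules: encrypt with an authenticated cipher before the file enters the sync folder, and keep the key somewhere Dropbox never syncs. The following is an added example (not code from Gazelle Consulting, Dropbox, or any of the tools named on this page) that shows both rules in Go using only the standard library: AES-256-GCM with a random nonce, the output file name bound in as associated data so a renamed or swapped envelope fails to decrypt, and a check that the key path lies outside the sync directory. The folder names, the sample patient record and the `.enc` suffix are constructed for illustration; a real deployment would load the key from a password manager, OS keychain or HSM rather than generating it in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// NewKey returns a fresh 256-bit AES key. This is the one secret Dropbox must
// never see: store it outside the synced folder (see KeyIsOutside).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (here the destination file name) is authenticated but not encrypted, so an
// envelope that is renamed or swapped for another one fails to open.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce is prepended to the output
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad returns an
// error rather than silently corrupted plaintext.
func Open(key, envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short to contain nonce and tag")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// KeyIsOutside reports whether keyPath (absolute) lies outside syncDir (absolute),
// i.e. whether the key would stay off Dropbox's servers.
func KeyIsOutside(keyPath, syncDir string) (bool, error) {
	rel, err := filepath.Rel(syncDir, keyPath)
	if err != nil {
		return false, err
	}
	sep := string(filepath.Separator)
	return rel == ".." || strings.HasPrefix(rel, ".."+sep), nil
}

// EncryptToSyncFolder encrypts src and writes <basename>.enc into syncDir.
// Only the envelope touches the synced folder; plaintext and key never do.
func EncryptToSyncFolder(key []byte, src, syncDir string) (string, error) {
	pt, err := os.ReadFile(src)
	if err != nil {
		return "", err
	}
	name := filepath.Base(src) + ".enc"
	env, err := Seal(key, pt, []byte(name))
	if err != nil {
		return "", err
	}
	dst := filepath.Join(syncDir, name)
	return dst, os.WriteFile(dst, env, 0o600)
}

func main() {
	// Constructed sample: a throwaway "sync folder" and one fake PHI record.
	syncDir, _ := os.MkdirTemp("", "dropbox-sync")
	defer os.RemoveAll(syncDir)
	src := filepath.Join(os.TempDir(), "visit-note.txt")
	_ = os.WriteFile(src, []byte("Patient: Jane Doe (constructed), MRN 0042"), 0o600)
	defer os.Remove(src)

	key, _ := NewKey()
	dst, err := EncryptToSyncFolder(key, src, syncDir)
	if err != nil {
		fmt.Println("encrypt failed:", err)
		return
	}
	env, _ := os.ReadFile(dst)
	pt, err := Open(key, env, []byte(filepath.Base(dst)))
	fmt.Printf("wrote %d bytes to %s; decrypts to %q (err=%v)\n", len(env), dst, pt, err)
}
```

Binding the file name as associated data is what distinguishes this from plain "encrypt the bytes": an attacker who can write to the shared folder cannot substitute one patient's encrypted note for another's without the decryption failing. Rotating the key means re-encrypting every envelope, so decide who owns that process before the first file is uploaded.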

Automatic Encryption Options for Dropbox

Use a tool like Boxcryptor to encrypt files automatically before they are uploaded to your account. It sits between your file system and the Dropbox folder, so every file is encrypted on your machine before the Dropbox client ever sees it, and the keys remain with you rather than with Dropbox. Dropbox has also published a Business and HIPAA/HITECH overview for customers looking to meet HIPAA requirements.

Will Dropbox Sign a Business Associate Agreement?

Yes, Dropbox will sign a Business Associate Agreement with E3 and E5 users. Dropbox recommends that prospective users contact its sales team to get the BAA set up correctly. Existing Dropbox Business E3 and E5 administrators can sign a BAA electronically from the Account page in the Dropbox Admin Console. Keep in mind that a signed BAA is necessary but not sufficient: it covers Dropbox’s obligations as a business associate, not how your staff configure and use the account.

Deciding if Dropbox is HIPAA Compliant for You

When evaluating Dropbox for HIPAA compliance, consider your existing security management process. Any software that stores or transmits PHI should be able to encrypt data, enforce role-based access controls, support secure encryption key management, log user activity so that access can be audited, and provide any other features that support your HIPAA compliance processes.

If you have any questions about whether Dropbox is the right file hosting service to support your healthcare services, send Gazelle Consulting a message today or call 503-389-5666.
