Dropbox E3 and E5 accounts meet a variety of certification and regulation criteria that enable them to be configured in a HIPAA compliant manner. These configurations are not a part of the default setup. Make sure everyone on your team knows how Dropbox fits into your procedures while conforming to HHS HIPAA security requirements.
Encrypt PHI Stored on Dropbox
In order to make sure the PHI you store on Dropbox is encrypted, you will have to decide on the answers to some questions. Dropbox will allow you to store files containing unencrypted PHI, so remember to encrypt your documents before uploading them to Dropbox storage. Here are some encryption decision questions to get you started.
- Have you decided how you will encrypt PHI stored at rest while it is on Dropbox’s servers?
- Is your team trained on how to use software that manually encrypts files containing PHI?
- Do you have the resources in-house to set up and administer an integrated encryption solution?
- Who will be responsible for managing encryption keys?
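Because Dropbox itself does not stop unencrypted PHI from being synced, a practical control is a periodic scan of the local Dropbox folder for files that do not look like ciphertext. The script below is an added example, not code from the article or from Dropbox; it uses a byte-entropy heuristic (encrypted containers and files score near 8 bits per byte, plain documents much lower) and assumes the sync folder is at ~/Dropbox and that the sample records are constructed stand-ins.

```python
import math
import os
import sys
from collections import Counter
from typing import List

# Constructed sample data (not from Dropbox or the article): a plaintext PHI
# record, and random bytes standing in for the same record after client-side
# encryption with a tool such as VeraCrypt or AxCrypt.
PLAINTEXT_RECORD = b"Patient: Jane Doe\nDOB: 1980-01-01\nDiagnosis: hypertension\n" * 8
ENCRYPTED_RECORD = os.urandom(65536)

ENTROPY_THRESHOLD = 7.5  # bits per byte; properly encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic screen: ciphertext is near-uniform, so its entropy approaches 8.
    Compressed archives and images also score high, so a pass is not proof of
    encryption; the low-entropy files are the ones that need a human look."""
    return shannon_entropy(data) >= threshold


def find_unencrypted(root: str, sample_bytes: int = 65536) -> List[str]:
    """Walk a local Dropbox sync folder and return files that do not look encrypted.
    Only the first sample_bytes of each file are read to keep the scan fast."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if not looks_encrypted(head):
                flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Dropbox")
    for path in find_unencrypted(folder):
        print("possible plaintext:", path)
```

Run it against the sync folder before PHI is placed there; every flagged path is either a file that still needs encrypting or a non-PHI file to add to an allowlist.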
Manual Encryption Options
Good no-cost software for manually encrypting your files includes VeraCrypt and DiskCryptor. Paid services like AxCrypt have even more features to help you manage encrypted file access, including robust key sharing features, password management, backup keys, mobile support, file wiping and more.
Built-in Encryption Options for Dropbox
Use a service like BoxCryptor to automatically encrypt all files before they are uploaded to your account. Dropbox has provided a Business and HIPAA/HITECH overview for customers looking to meet HIPAA requirements.
Will Dropbox Sign a Business Associate Agreement?
Yes, Dropbox will sign a Business Associate Agreement with E3 and E5 users. Dropbox recommends that prospective users contact their sales team to get their account and BAA set up right. For existing Dropbox Business E3 and E5 accounts, account administrators can sign a BAA electronically from the Account page in the Dropbox Admin Console.
Deciding if Dropbox is HIPAA Compliant for You
When evaluating Dropbox for HIPAA compliance, consider your existing security management process. Any software that stores or transmits PHI should be able to encrypt data, enforce role-based authorization, enable secure encryption key management, track user activity, and provide any other features that support your HIPAA compliance processes.