Lately we've been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Dropbox is a hugely popular file sharing and storage company located about a mile from us here in San Francisco. We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
The purpose of this post is to determine if Dropbox offers HIPAA compliance or not.
Dropbox is a cloud-based file hosting and sharing service that has its headquarters in San Francisco, California. The company was founded in 2007 by MIT students Drew Houston and Arash Ferdowsi.
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We checked Dropbox's site and found a section titled "The standards and regulations that Dropbox Business and Education comply with" on their Help Center under Security and Privacy. Under the HIPAA / HITECH sub-section, Dropbox writes: "Dropbox will sign business associate agreements (BAAs) with Dropbox Business, Enterprise, and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)."
Now that we know certain versions of Dropbox support HIPAA compliance, we thought it would be useful to find out when they first offered HIPAA compliant services. The answer turns out to be late 2015. We found a blog post from 6 November 2015 titled, "Dropbox now supports HIPAA and HITECH Act compliance."
We also found a helpful Getting Started with HIPAA guide on Dropbox's site. The guide provides a variety of suggestions on topics like:
Dropbox Paper is a collaborative document-editing service that originated from the company's acquisition of document collaboration company Hackpad in 2014.
Take note: Dropbox Paper is not supported for HIPAA compliance. In their Help Center, we found an article called "Using Dropbox Paper with Dropbox Business," which states: "Paper is not HIPAA-compliant, and Dropbox Business customers who have signed a BAA can’t use Paper."
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate. Information on Dropbox's website states that certain versions of their product offer HIPAA compliance:
We also discovered Dropbox Paper is not HIPAA compliant, regardless of which product plan you sign up for.
Conclusion: Certain versions of Dropbox can be configured to be HIPAA compliant. Make sure you sign a Business Associate Agreement with them.