Login | October 23, 2020

Making Dropbox HIPAA compliant

RICHARD WEINER
Technology for Lawyers

Published: October 2, 2020

Many attorneys move large files through cloud services like Dropbox. But those services can’t really, in and of themselves, be HIPAA compliant. There is no official HIPAA compliant certification for any cloud service. That responsibility still rests on the shoulders of the documents’ creators and recipients.
So it has to be good practice to make sure that all cloud-transmitted documents comply with HIPAA. While this column will specifically cover Dropbox, the basic principles would apply to any cloud provider.
Thanks to Law Technology Today for the following tips:
“Complying with HIPAA is a shared responsibility between the covered entity and the cloud storage service provider.
Covered entities must use comprehensive risk assessment tools to ensure vendor compliance with the HIPAA privacy rule, security rule, and the breach notification rule. Therefore, when choosing a cloud storageprovider, ask for third-party assurance reports evaluating vendors’ controls for HIPAA rules.”
First, sign up for the pay Dropbox or any cloud service. Business Dropbox includes nifty functions like change tracking, unlimited storage, backup and unlimited file versions. Dropbox Business also has enterprise-grade security protection which has gone through numerous audits and certifications and features a remote wipe ability. HIPAA compliant security is not available with a free subscription.
Before you store any ePHI on the cloud, you must ask the cloud storage provider to sign a BAA to make sure they follow HIPAA requirements. This can be done electronically in the Dropbox admin page.
Set up the account security features. You must configure how documents are shared before storing any ePHI. Enable 2-step authorization and institute password protocols (like changing passwords every 30 to 60 days).
Comply with HIPAA data retention rules by disabling permanent deletion. Make sure only the admins can manually delete content.
Conduct risk assessment of third-party apps. Take the extra effort to make sure that any apps that have access to your Dropbox account are also HIPAA compliant.
Like with all firm security, conduct regular and thorough training and review of procedures for all staff who can access this account. Monitor the account for irregular activity.
And take your time to get this right. One slip-up and you can be facing major fines and/or privacy lawsuits.


[Back]