Next named exclusive Trail Blazer in NEW 2024 Radicati DLP Market Quadrant Report Read the Report
Updated: May 24, 2024   |   Fergal Glynn

Is Dropbox HIPAA compliant?

Go back

Companies operating in the U.S. healthcare system have to ensure the privacy and security of all data they collect and process that contains protected health information (PHI). Specific guidelines are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect sensitive patient information from being disclosed without an individual’s consent. Failure to comply with HIPAA regulations can result in serious financial penalties and negative publicity.

The need to comply with HIPAA extends to all IT services and software solutions an organization uses to store and process PHI. Dropbox is a popular software platform that addresses some of the needs of healthcare companies. 

But is Dropbox HIPAA compliant? The short answer is no, Dropbox is not fully HIPAA compliant out of the box, but with proper configuration and oversight, it is possible to use Dropbox in a HIPAA-compliant manner. 

Keep reading to learn how to use Dropbox in a way that complies with HIPAA standards.

In this article:

Wh‎at is Dropbox?

Accessing a cloud storage and file sharing service like Dropbox

‎Dropbox is a cloud-based storage and file-sharing platform that facilitates collaboration and distributing information throughout an organization. Healthcare organizations typically have many types of documents and files that contain PHI. The features available in Dropbox address their needs in multiple ways.

  • The tool offers a simple and efficient method of sharing data and collaborating with remotely located colleagues by making information available to anyone with an internet connection.
  • Dropbox provides flexible storage plans that leverage the cloud to save local hard drive space.
  • The platform’s admin console enables an organization to monitor team activity, view connected devices, and audit external sharing activity.
  • Dropbox integrates with over 300,000 third-party apps to extend its functionality.
  • File and version recovery protects a company from deleted or damaged files.
  • The remote wipe capability enables sensitive data to be cleared from lost or stolen devices.
  • Comprehensive control over file permissions allows companies to limit access to sensitive data to specific groups or individuals.

Is‎ Dropbox HIPAA compliant out of the box?

Screenshot of Dropbox HIPAA and HITECH compliance

‎The software tools used by healthcare companies to process PHI need to comply with two main HIPAA rules:

  • The HIPAA Privacy Rule defines the conditions under which any PHI can be shared and how its privacy should be protected.
  • The HIPAA Security Rule establishes administrative, technical, and physical safeguards designed to ensure the security of electronic protected health information (ePHI).

Some of these safeguards are met by Dropbox without any modifications. For example, Dropbox automatically encrypts data at rest in its cloud storage, addressing a critical aspect of HIPAA compliance. The tool also offers monitoring capability to track user activity and identify who accessed sensitive data.

However, it's important to note that Dropbox alone cannot be considered HIPAA compliant, as compliance depends on how the software or platform is used. Healthcare organizations must configure their Dropbox accounts correctly to avoid HIPAA violations, such as setting sharing permissions to ensure files containing PHI can only be accessed by authorized individuals and using two-step verification for additional security.

Users have control over the type of authorization and authentication policies that govern access to their data. The default sharing permissions and other configuration parameters are not rigorous enough to meet HIPAA standards.

Dr‎opbox compliance guidelines, tools, and user responsibilities

Healthcare professional using a tablet to access Dropbox and other services

‎Dropbox is considered a data processor under HIPAA and requires signed Business Associate Agreements (BAAs). However, free users of Dropbox cannot be HIPAA compliant as they are unable to sign BAAs.

Dropbox acts as a data processor and provides an online storage service, but it cannot access the stored data unless directed by its users. This feature makes it easier for covered entities, such as healthcare professionals, to be HIPAA compliant when using Dropbox.

A BAA with Dropbox outlines the limitations on how Dropbox can use or disclose PHI and requires prompt notification of any breaches. Dropbox includes HIPAA-compliant features in several of its plans, and administrators can limit the sharing of PHI data and disable permanent data deletions.

Dropbox also offers guidance and tools for HIPAA compliance, including recommendations, a Getting Started guide, and key steps like monitoring usage and limiting sharing. Dropbox provides a mapping of their internal practices and recommendations for customers who are looking to meet the requirements of the HIPAA Security and Privacy Rules with Dropbox.

Dropbox's framework includes various protections such as permissioning, two-factor authentication (2FA), single sign-on (SSO), and the option to sign BAAs. Additionally, third-party reports assess Dropbox's HIPAA and HITECH controls, further ensuring compliance.

It's important to restrict access to certain information and prevent permanent deletion of files. Ongoing monitoring and regular audits are necessary to ensure proper usage, and access should be promptly removed for employees or contractors who are no longer associated with the organization.

Third-party apps connected to Dropbox Business accounts need to be evaluated independently and have a signed BAA. Ultimately, it's the user's responsibility to ensure compliance.

Ho‎w to make Dropbox HIPAA compliant

Healthcare provider using a laptop and accessing files from the cloud

‎Dropbox users in the healthcare sector can use Dropbox and maintain HIPAA compliance by taking the following measures.

Set up a business associate agreement (BAA) with Dropbox. The prerequisites for signing a BAA include a paid subscription and at least three team members. A BAA with its IT providers, such as Dropbox, is a requirement for covered entities seeking HIPAA compliance.

Implement the following best practices to enable a company to use Dropbox in a HIPAA-regulated environment.

  • Configure sharing permissions so that only team members can share sensitive documents.
  • Strengthen authentication by implementing two-step verification that requires a dynamically generated security code in addition to a password. Companies may also integrate Dropbox with their existing single sign-on (SSO) provider.
  • Disable the permanent deletion function to help address retention requirements.
  • Conduct regular access reviews that incorporate the team members who can access PHI as well as the devices linked to the account. Obsolete team members or devices should be deleted from the account for additional protection.
  • Monitor Dropbox usage for unusual activity that may indicate attempts by unauthorized users to access PHI.

Pr‎otecting your Dropbox data with DLP software

‎Implementing a data loss prevention (DLP) software solution can help you maintain HIPAA compliance when using Dropbox. A DLP platform relies on a company developing an effective data handling policy to control how information is used throughout the IT environment

The software automatically enforces the data handling policy to ensure that no information is deliberately or accidentally misused.

The Reveal Platform by Next is an advanced DLP platform that protects PHI and an organization’s other sensitive data resources. The tool employs next-gen endpoint agents powered by machine learning to identify and categorize data at the point of risk. 

When users violate the data handling policy, the activity is prohibited and an informative message is generated that defines the violation and promotes enhanced security-consciousness.

Schedule a demo to see Reveal in action and talk to our DLP experts to learn how Reveal supports HIPAA compliance.

Fr‎equently asked questions 

How does a DLP tool protect an organization when transmitting PHI?

A DLP tool protects an organization when transmitting PHI by ensuring that the data adheres to the data handling policy which should call for the information to be encrypted before transmission.

Users will be prohibited from sending unencrypted PHI via email and will be informed of their violation. They can then take the necessary steps and encrypt the data before transmitting it securely.

What are some of the safeguards of the HIPAA Security Rule that are addressed by Dropbox features?

The safeguards of the HIPAA Security Rule which are addressed by Dropbox features include:

  • Encryption - Dropbox data is encrypted by default using the 256-bit AES protocol
  • Access controls - Access to sensitive data is restricted to authorized individuals or teams
  • Workstation security - workstation data is protected by the ability to remotely wipe information from a lost or stolen device

Why should obsolete users or devices be deleted from a Dropbox account to protect PHI?

All unused IDs and devices should be removed from the Dropbox account as soon as possible. Obsolete users or devices present a serious security vulnerability that should be addressed during the periodic risk assessments required for HIPAA compliance.

Threat actors can leverage these accounts or devices to obtain unauthorized access to PHI which can result in expensive HIPAA violations.


See how Next protects your employees and prevents data loss