How to Make a Dropbox Business Account HIPAA/HITECH Compliant

HIPAA/HITECH compliance has been a major concern for healthcare professionals when it comes to embracing the public cloud. Many healthcare and associated businesses find it difficult to have control of their data and stay compliant with HIPAA/HITECH. It is one of the major reasons why most healthcare professionals are either using traditional file systems or expensive cloud services.

In this article, we outline how a healthcare practice, or any other business, can stay HIPAA/HITECH compliant while using Dropbox.

Disclaimer: The primary motive of this article is to educate readers. By no means can it be considered professional advice.

HIPAA/HITECH Background

HIPAA: Health Insurance Portability and Accountability Act (1996)

HITECH: Health Information Technology for Economic and Clinical Health Act (2009)

Failing to comply with these laws could result in huge penalties. Healthcare practices or companies that violate HIPAA/HITECH laws could end up paying thousands of dollars in penalties.

Which Businesses Need HIPAA/HITECH Compliance?

From healthcare practices and insurance companies to any business that directly deals with protected health information (PHI), HIPAA/HITECH compliance is mandatory.

Protected health information (PHI) refers to information about the past, present, and future medical condition, treatment, and payment of a patient.

The following are the broad categories of businesses that require HIPAA/HITECH compliance.

  • Healthcare providers
  • Insurance companies
  • Healthcare clearinghouses
  • Any vendor who has direct access to PHI

Making a Dropbox Business Account HIPAA/HITECH Compliant

First, there is no official HIPAA/HITECH certification, which means there is no such thing as a HIPAA/HITECH-certified cloud service. Most cloud storage services, including Dropbox, provide data controls and features that can be leveraged to achieve compliance. It’s the job of an IT admin/manager or an MSP to use those controls to ensure maximum data security and compliance.

Here are some basic steps to follow.

Note that one must be a Dropbox admin with the admin login credentials to access the settings or controls mentioned below.

1. Tighten Up File and Folder Sharing Permissions

Keeping patients’ information private and safe is the core of HIPAA/HITECH compliance. Therefore, the current file and folder sharing settings of a Dropbox account must be reviewed. By default, the system allows files and folders to be shared with people outside of the organization. This setting needs to be disabled to ensure data security.

Quick Steps:

  • Step 1: Log In to the Dropbox Account and Access the Admin Console

Click on the Sharing tab in the list of settings available in the Admin console.

  • Step 2: Configure External Sharing Options

As shown in the figure, disable the external sharing options to prevent employees or contractors from sharing PHI with unauthorized people.

2. Beef Up Sign-in Security

Strengthening sign-in security reduces the risk of hacking, data breach, or data loss. Dropbox provides several settings to achieve that, such as two-step verification and single sign-on (SSO).

Quick Steps:

  • Step 1: Enable Two-Step Verification

Two-step verification remains optional unless enabled by an IT admin. As seen in the picture, the option can be accessed from the Dropbox admin settings. When enabled, Dropbox forces employees (users) to set up two-step verification. Employees can choose the type of verification they are comfortable with.

  • Step 2: Enable Single Sign-On

The single sign-on option allows Dropbox users to log in to their accounts using the identity information provided by their company. This feature helps prevent access to Dropbox from unauthorized devices.

Go to Settings, enable the Single sign-on option, and provide the needed identity information.

3. Disable Permanent Deletion of Files

Dropbox considers the creator or uploader of a file to be the owner of that content and gives them full control over it. By default, a user can permanently delete their own data. Since HIPAA/HITECH compliance requires much more control over data, a Dropbox admin can disable permanent data deletion.

Quick Steps:

  • Step 1: Disable Permanent Deletion

Go to the Dropbox admin settings, click on the Deletion tab, and turn off the Permanent Delete option.

Dropbox HIPAA Best Practices

In addition to securing the Dropbox account, a Dropbox Business account admin must follow the best practices mentioned below for greater control over the organization’s data.

  • Conduct frequent user and data audits.
  • Review the devices linked to admin accounts as well as user accounts (users can do this for their own accounts) to detect unauthorized access.
  • Track Dropbox activity and keep an eye out for unusual or suspicious behaviour.
  • Review the third-party apps linked to Dropbox accounts.
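
The audit items above, together with the three settings from the previous sections, can be checked mechanically once the admin exports are in hand. The following script is an added example, not Dropbox's own code or API: it runs offline over constructed sample data (a team roster, linked devices, linked apps, and activity events) whose field names and event-type names are assumptions loosely modelled on Dropbox's admin exports, not the real schema. It flags members without two-step verification (section 2), shares that leave the organization (section 1), permanent deletions that should no longer be possible (section 3), stale linked devices, and third-party apps for review.

```python
"""Offline compliance-posture audit over constructed Dropbox Business exports.

Added example, not Dropbox's code. All records below are constructed sample
data; their field and event_type names are assumptions, not the real API schema.
Replace the constants with real exports to use it.
"""
from datetime import datetime, timedelta, timezone

TEAM_DOMAIN = "example-clinic.test"                 # constructed team domain
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)     # fixed "now" so results are reproducible
MAX_DEVICE_IDLE_DAYS = 90                           # policy threshold (assumed)

MEMBERS = [  # constructed roster; two_step_enabled mirrors the section 2 setting
    {"email": "dr.patel@example-clinic.test", "role": "admin", "two_step_enabled": True},
    {"email": "nurse.lee@example-clinic.test", "role": "member", "two_step_enabled": False},
    {"email": "billing@example-clinic.test", "role": "member", "two_step_enabled": True},
]

DEVICES = [  # constructed linked-device list with last-activity timestamps
    {"email": "dr.patel@example-clinic.test", "device": "Clinic-Laptop", "last_activity": "2024-02-27T09:12:00Z"},
    {"email": "nurse.lee@example-clinic.test", "device": "Old-iPad", "last_activity": "2023-10-01T17:40:00Z"},
    {"email": "billing@example-clinic.test", "device": "Front-Desk-PC", "last_activity": "2024-02-29T16:00:00Z"},
]

LINKED_APPS = [  # constructed third-party app links
    {"email": "billing@example-clinic.test", "app": "PDF Sign Tool", "linked_on": "2024-01-15T10:00:00Z"},
]

EVENTS = [  # constructed activity-log events; event_type values are assumed names
    {"time": "2024-02-28T10:05:00Z", "actor": "nurse.lee@example-clinic.test",
     "event_type": "shared_content_add_member", "path": "/Patients/intake.pdf",
     "target": "someone@gmail.test"},
    {"time": "2024-02-28T10:06:00Z", "actor": "billing@example-clinic.test",
     "event_type": "shared_content_add_member", "path": "/Billing/Q1.xlsx",
     "target": "dr.patel@example-clinic.test"},
    {"time": "2024-02-28T22:31:00Z", "actor": "nurse.lee@example-clinic.test",
     "event_type": "shared_link_create", "path": "/Patients/labs.pdf",
     "visibility": "public"},
    {"time": "2024-02-29T01:15:00Z", "actor": "billing@example-clinic.test",
     "event_type": "file_permanently_delete", "path": "/Billing/old-claims.csv"},
]


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def members_without_two_step(members):
    """Users who never enrolled in two-step verification (section 2, step 1)."""
    return sorted(m["email"] for m in members if not m["two_step_enabled"])


def stale_devices(devices, now=NOW, max_idle_days=MAX_DEVICE_IDLE_DAYS):
    """Linked devices idle longer than the threshold; candidates for unlinking."""
    cutoff = now - timedelta(days=max_idle_days)
    return [(d["email"], d["device"]) for d in devices if _parse(d["last_activity"]) < cutoff]


def external_shares(events, team_domain=TEAM_DOMAIN):
    """Shares that leave the organization: invites to outside addresses or public links."""
    hits = []
    for e in events:
        if e["event_type"] == "shared_content_add_member":
            if not e["target"].lower().endswith("@" + team_domain):
                hits.append((e["time"], e["actor"], e["path"], e["target"]))
        elif e["event_type"] == "shared_link_create" and e.get("visibility") == "public":
            hits.append((e["time"], e["actor"], e["path"], "public link"))
    return hits


def permanent_deletions(events):
    """Permanent deletes, which should not occur once the section 3 setting is off."""
    return [(e["time"], e["actor"], e["path"])
            for e in events if e["event_type"] == "file_permanently_delete"]


def apps_for_review(apps):
    """Third-party apps with access to team content, grouped by member."""
    out = {}
    for a in apps:
        out.setdefault(a["email"], []).append(a["app"])
    return out


def run_audit(members=MEMBERS, devices=DEVICES, apps=LINKED_APPS, events=EVENTS):
    """Collect every finding into one report; an empty list means the control held."""
    return {
        "no_two_step": members_without_two_step(members),
        "stale_devices": stale_devices(devices),
        "external_shares": external_shares(events),
        "permanent_deletions": permanent_deletions(events),
        "linked_apps": apps_for_review(apps),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings if findings else 'no findings'}")
```

Any non-empty list in the report is a finding to act on in the Admin console: enrol the user, unlink the device, revoke the share or app, or check why a permanent delete was still possible. Swapping the constructed constants for real exports is the only change needed to run it against a live team.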

Staying compliant with HIPAA/HITECH while using Dropbox for storage and collaboration is very easy when the above-mentioned steps and best practices are followed.