An article over at KevinMD.com on using Dropbox to store transcriptions has set off a lot of conversation on Twitter asking if Dropbox is HIPAA compliant. Let’s look at what the article references:
www.dropbox.com
Download the Dropbox software (free) and save files to your Dropbox in the cloud. Access Dropbox files from any computer with a web browser and on other devices (iPhone, iPad), too. It comes with 2GB of online storage for free, too, and you can buy more. Sync files of any size or type — Windows, Mac, or Linux — with military grade encryption to transfer and store files.
“Instead of putting documents in ‘My Documents’ on my hard drive, I put them in Dropbox,” one physician told me. “For example, I put all of my transcription into Dropbox and if I get a call after hours, I can pull up the last office note on my iPhone or iPad; you can access everything electronically.”
So the question that many are asking is: “Is Dropbox HIPAA compliant?” The short answer is “No.”
A post on the Dropbox support forums states:
It’s not an issue that this file could or does expose data because of its name. HIPAA only cares about the control measures (or lack of control) put in place to control possible exposure. Because we can see metadata like names, and because that is potentially an area for exposure of confidential info (names, etc.) we cannot claim to be HIPAA compliant.
So file names can be seen by Dropbox. If you name a file SallyJonesHIVResults.doc, Dropbox staff would be able to see that name. It does not appear that they can read the file contents, because the data is encrypted on their servers, but a patient's name is one of the pieces of Personally Identifiable Information (PII) that must be protected under HIPAA, and here it is exposed in the metadata alone.
Audit Controls
As part of the HIPAA security rule technical controls, the ability to audit who has accessed electronic protected health information (ePHI) is required. More specifically:
TYPE: Standard
REFERENCE: 45 CFR 164.312(b)
SECURITY REGULATION STANDARDS LANGUAGE:
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Dropbox does not have any audit controls in place that would allow a review of who accessed information stored on Dropbox. Without auditing, it is not possible to determine which individuals accessed ePHI. This, too, means Dropbox is not HIPAA compliant.
Dropbox is therefore NOT HIPAA compliant and should not be used to store medical records of any kind.
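To make the 164.312(b) requirement concrete, here is an added example (not Dropbox's code, and not any HIPAA product's) of the minimal kind of mechanism the standard describes: one that records who touched which ePHI object and lets you examine that history later. The user names, record identifiers, timestamps and in-memory storage are constructed assumptions; a real system would take the principal from its authentication layer and persist the entries somewhere the users being audited cannot modify.

```python
"""Minimal tamper-evident ePHI access audit log (illustrative, not a product).

Shows the "record and examine activity" mechanism 45 CFR 164.312(b) asks for.
Storage backend, identity source and the record identifiers are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # "previous hash" value used for the first entry


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str   # ISO-8601 UTC
    user: str        # authenticated principal who acted (assumed to come from the app's auth layer)
    record_id: str   # opaque identifier of the ePHI object; never the patient's name
    action: str      # e.g. "read", "update", "export"
    prev_hash: str   # hash of the preceding entry; links entries into a chain
    entry_hash: str  # hash over this entry's fields plus prev_hash


def _digest(timestamp: str, user: str, record_id: str, action: str, prev_hash: str) -> str:
    payload = json.dumps([timestamp, user, record_id, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, user: str, record_id: str, action: str,
               when: Optional[datetime] = None) -> AuditEntry:
        """Record: append one access event, chained to the previous one."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        entry = AuditEntry(ts, user, record_id, action, prev,
                           _digest(ts, user, record_id, action, prev))
        self._entries.append(entry)
        return entry

    def accessed_by(self, record_id: str) -> List[str]:
        """Examine: which principals touched a given ePHI object, in order."""
        return [e.user for e in self._entries if e.record_id == record_id]

    def actions_of(self, user: str) -> List[AuditEntry]:
        """Examine: everything one principal did."""
        return [e for e in self._entries if e.user == user]

    def verify(self) -> bool:
        """Recompute every hash; False if an entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self._entries:
            if e.prev_hash != prev or e.entry_hash != _digest(
                    e.timestamp, e.user, e.record_id, e.action, e.prev_hash):
                return False
            prev = e.entry_hash
        return True

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)


def build_sample_log() -> AuditLog:
    """Constructed sample activity: fictional users and record ids."""
    log = AuditLog()
    t0 = datetime(2011, 1, 10, 9, 0, tzinfo=timezone.utc)
    log.record("dr.alice", "rec-7f3a", "read", t0)
    log.record("dr.alice", "rec-7f3a", "update", t0)
    log.record("nurse.bob", "rec-91c2", "read", t0)
    log.record("billing.carol", "rec-7f3a", "export", t0)
    return log


def tampered_copy(log: AuditLog) -> AuditLog:
    """Simulate someone quietly deleting the 'update' event from the middle of the log."""
    copy = AuditLog()
    copy._entries = [e for e in log.entries() if e.action != "update"]
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("rec-7f3a accessed by:", log.accessed_by("rec-7f3a"))
    print("log intact:", log.verify())
    print("tampered copy intact:", tampered_copy(log).verify())
```

Two design points worth noting: the log stores an opaque record identifier rather than the patient's name, so the audit trail itself does not become another place where PII leaks (the same metadata problem the file-name discussion above describes), and the hash chain makes deletion or edits in the middle of the log detectable. Chaining alone does not detect truncation of the newest entries; for that, the latest entry hash has to be copied periodically to a store the audited users cannot write to.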
There are other alternatives to using Dropbox to store electronic protected health information (ePHI). Check out our HIPAA Technology Suite of products that includes HIPAA compliant data backup.