Dropbox and HIPAA

[frederick]

I want the straight answer. Is it compliant or not? I've asked and all Dropbox has provided me with is the same BS on website. Now I know others like Box, Office 365, Sharepoint, etc., are compliant, but many of my clients are using Dropbox. On the client-side, things are locked down and compliant. But if Dropbox isn't, whats the point?

I've seen various other websites claiming that Dropbox is not compliant, but when all they show is the addressable stuff, that's not enough for me to go to my clients and say "you have to stop using it".

 

[FremontPC]

Last I heard, they weren't. Easiest for me was Google Apps, turn off everything but Google Drive and put a 256AES bitlockered VHD up there. No prob with the BAA, cheap. But that was for a one-man show.

http://telehealth.org/blog/which-cloud-storage-services-are-hipaa-compliant/

 

[frederick]

I appreciate the response. Needing something more concrete though.

 

[Ed_Zipper]

If they cannot give you a straight answer, then they are NOT.

 

[Markverhyden]

From what I remember one big reason is that there is no auditing with drop box. At least with the free stuff. Part of the HIPAA process is to be able to maintain an audit trail for everything that goes on. Of course, as mentioned, you need to have a BAA from all partners and if they cannot produce a BAA then it does not matter what they do or do not do.

 

[frederick]

if they cannot produce a BAA then it does not matter what they do or do not do.

I think I'm just gonna throw this part out at my clients.

 

[skdmaster]

One option that we did was setup a Synology unit and basically created a private cloud for file exchanges between 3 remote offices to the main office.

 

[callthatgirl]

File Locker is compliant, I tested it, worked pretty good. File shared nicely. Synched up ok

 

[FremontPC]

BAA
Safe Harbor

Don't leave home without it.

 

[Mainstay]

One option that we did was setup a Synology unit and basically created a private cloud for file exchanges between 3 remote offices to the main office.

Can you elaborate? (Not intended to hijack the thread... I can start another or you can pm me...)

 

[ArtemusComputerTechnology]

Hopefully the link below helps.

http://www.hipaasecurenow.com/index.php/dropbox-is-not-hipaa-compliant/

 

[mraikes]

Here's a service that claims to make Dropbox hipaa compliant (encryption, auditing, etc): http://www.sookasa.com/how-it-works/

Looks interesting and reasonably affordable for smaller operations.

 

[mjamike]

Just chiming in to +1 on the comments regarding BAA. If they don't sign a BAA then they aren't compliant.

 

[frederick]

From the Dropbox legal department, this is what the sent back to me:

Hello Frederick,

At this time Dropbox is not in a position to enter into HIPAA Business Associate Agreements with customers.

Dropbox complies with the most widely accepted standards and regulations like ISO 27001 and SOC 1, 2, and 3. You can view our ISO 27001 certificate and SOC 3 at these links:

https://www.dropbox.com/static/business/resources/dropbox-certificate-iso-27001.pdf
https://www.dropbox.com/static/business/resources/dropbox-soc-3.pdf

Our SOC 2 report is available by request under NDA, and covers the Security and Confidentiality trust service principles. Our CSA STAR Level 1 self-assessment, available on the Cloud Security Alliance’s web site, also maps many of our existing practices to several of HIPAA’s regulatory requirements:

https://cloudsecurityalliance.org/star-registrant/dropbox-inc/

For more information on security, compliance, and privacy, see our Dropbox for Business trust guide:

https://www.dropbox.com/business/trust

I hope this helps! Please let us know if you have any other questions.

Regards,
Sterling