Dropbox and HIPAA Compliance – How to Protect Your Organization from Liability

Image via Shutterstock.com

Implementing security standards for electronic systems has never been more important for companies working with medical data. From insurance providers to hospital systems, protecting patient information in an increasingly complex environment is an uphill battle.

The rising popularity among individual users of simple, cloud-based file collaboration and backup platforms like Dropbox poses a serious threat to compliance.

Dropbox notes on its official website that it maintains a healthy list of standards and certifications for security and privacy. While it may be true that many of these standards are satisfactory (if not particularly secure) for most casual users, we know from our previous security analysis of cloud-based collaboration solutions that they are far from ideal for corporations, particularly those in compliance-based industries.

Thanks to the magic of website caching, we can see that the same official Dropbox paragraph used to include a specific callout for major industry privacy standards, including HIPAA:

Dropbox complies with the U.S. – E.U. Safe Harbor Framework and the U.S. – Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. Dropbox’s storage is SSAE16/SOC1, SOC2, ISAE 3402, and ISO 27001 certified on Amazon S3 and may provide data mirroring across other secure data centers. Dropbox does not currently have HIPAA, FERPA, ISO 9001, or PCI certifications.

Removing the non-compliance statement has not improved the situation for Dropbox. Other cloud-based collaboration suites omit compliance information altogether, making it easy for employees to gloss over in their rush to communicate and work together on sensitive files.

While Dropbox and similar cloud-based collaboration solutions maintain basic compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS), these same services are a far cry from meeting the regulatory and risk needs of businesses that regularly exchange sensitive employee, customer, and patient data.

Despite the hype built up by the well-oiled marketing machine for cloud-based solutions, maintaining a controlled collaboration environment with industry-specific security and privacy standards remains the best solution for document collaboration.

Sound exciting? Try Arc for free now! Get Started