Dropbox and HIPAA/HITECH
The information in this article applies to certain teams on Dropbox Standard, Dropbox Advanced, Dropbox Enterprise, Dropbox Education, Dropbox Business, Dropbox Business Plus, and Dropbox Sign.
What is HIPAA/HITECH?
HIPAA/HITECH refers to two laws:
- The Health Insurance Portability and Accountability Act (1996)
- The Health Information Technology for Economic and Clinical Health Act (2009)
These laws aim to encourage the adoption of technology in the healthcare industry, while building protections for the security and privacy of health information. Organizations like hospitals, doctors' offices, and dental practices, as well as individuals who interact with protected health information (PHI), may be subject to HIPAA/HITECH. This may also extend to companies that work with these businesses and come into contact with PHI on their behalf.
HIPAA/HITECH key terms
Protected Health Information (PHI)
Individually identifiable information that relates to someone's past, present, or future:
- Medical or psychological condition
- Provision of medical service
- Payments for medical service
Covered entity
A covered entity is a health plan, health care clearinghouse, or health care provider. These categories include hospitals, clinics, doctors, and others who create, receive, or transmit PHI. Because of their contact with PHI, covered entities are responsible for the privacy and security of that information under HIPAA/HITECH.
Business associate
A business associate is an entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity and is therefore also subject to HIPAA/HITECH rules.
Business associate agreement (BAA)
A BAA is a contractual assurance from the business associate to the covered entity that they follow HIPAA's requirements. This agreement must be in place before the transfer of PHI from the covered entity to the business associate.
Is Dropbox HIPAA/HITECH Certified?
There is no official HIPAA/HITECH certification. To help you understand how we're meeting our responsibilities and requirements under HIPAA/HITECH, you can go to our Dropbox Trust Center. This provides prospective and existing customers with self-serve access to essential security, reliability, privacy, and compliance documentation. You can find everything you need to know in a convenient, centralized location.
How to access the Dropbox Trust Center
Note: You can’t use your Dropbox login to access the Dropbox Trust Center.
You’ll need to log in to access all the reports and documentation. To request access:
- Go to trust.dropbox.com.
- Click Get Access in the top right.
- Enter your work email, then click Continue.
- Enter your details and click Submit Request.
Once registered, you can access private and public reports and documents.
Note: You may need to sign a non-disclosure agreement to access certain private documents, but this can be easily done within the Trust Center.
How can I use Dropbox Business in a way that's compliant with my obligations under HIPAA/HITECH?
We want to make it as easy as possible for you to learn how to keep your account secure and meet your legal requirements. While ultimately it's up to you to make sure that you're complying with your regulatory obligations, we've put together some recommendations to help you keep your data safe and your accounts secure.
Find out more about our internal practices and recommendations for customers who want to meet the requirements of the HIPAA/HITECH Security and Privacy Rules in the Dropbox Trust Center.
You can get tips on how to set up your account to keep data like PHI secure. The framework provides suggestions covering a range of topics, including:
- Configuring sharing permissions
- Disabling permanent deletions
- Monitoring account access and activity
- Understanding the role of third-party apps
For customers subject to HIPAA/HITECH, remember that a BAA must be in place before you transfer PHI into your Dropbox account. To learn more about purchasing a Dropbox team plan, contact our sales team.
If you're currently an admin of a Dropbox team account, you can sign a BAA electronically from the Account page in the admin console.
Notes:
- The ability to sign an electronic BAA via the Admin Console is available only to US-based customers.
- If your team signs a Business Associate Agreement (BAA), you can't enable reseller support.
- Learn more about enabling reseller support and the partner reseller program.
How do I set up a business associate agreement with Dropbox?
To learn more about purchasing a Dropbox team plan, contact our sales team. If you're currently an admin of a Dropbox team account, you can sign a BAA electronically from the Account page in the admin console.
Are third-party apps and integrations covered under my BAA with Dropbox team plans?
There is a robust ecosystem of third-party apps that you can link to your Dropbox team account to gain added functionality. Integrations that provide services such as SIEM, DLP, and identity management can be powerful tools in strengthening your existing security practices.
While these third-party apps and integrations can be great complements to your account, it's important to remember that they're not part of our included services. Therefore, they're not covered by your Dropbox terms of use, including a BAA that you might sign with Dropbox. You're responsible for evaluating these apps to determine if using them is consistent with your legal and regulatory requirements. Keep in mind that some apps link to individual accounts, while others can be linked by an admin to your entire team.