On the surface it appears that DropBox would be HIPAA compliant.
As their site states:
- “All transmission of file data occurs over an encrypted channel (SSL).”
- “All files stored on Dropbox are encrypted (AES-256).”
In general this should be sufficient.
Now, Dropbox is clear in stating that it is not HIPAA compliant, which I’m sure is an attorney-driven statement. But you are going to have a difficult time justifying the use of a service that says it is not HIPAA compliant while claiming that you are HIPAA compliant.
The kerfuffle has come about because, no matter how much encryption one uses, a patient’s privacy can still be compromised very easily.
Let’s say you have a wonderfully encrypted file, yet you save it under the patient’s name: the contents are protected, but the file name itself is now visible PHI.
By the same argument, a fully encrypted CD with PHI stored on it is also not HIPAA compliant if the patient’s name is written on the CD with a marker.
So the issue here isn’t really that Dropbox is not HIPAA compliant. The issue is that no matter how compliant the storage system you use is, HIPAA compliance can still be defeated quite easily and innocently.
The real answer here is to ensure your office has the proper HIPAA policies and procedures in place to prevent using any Patient Identifiable Information as a “public” name.
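One way to put such a procedure into practice is a pre-sync check that refuses to hand a PHI-bearing file name to the cloud service and substitutes an opaque token, keeping the token-to-name mapping in a registry that stays inside the office. This is an added example, not code from the original post or from Dropbox; the patient roster and identifier patterns are constructed assumptions for illustration.

```python
import re
import secrets
from pathlib import Path

# Constructed sample roster of patient names the office treats as identifiers (assumption).
PATIENT_NAMES = ["Jane Doe", "John Q Public"]

# Identifier shapes that commonly leak into file names (assumption: SSN-shaped and MRN-shaped).
IDENTIFIER_PATTERNS = [
    re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),   # SSN-shaped digits
    re.compile(r"MRN\s*[-_]?\s*\d{4,}", re.I),        # medical record number
]


def _normalize(text):
    """Lower-case and collapse punctuation so 'jane_doe' and 'Jane Doe' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def phi_in_filename(filename, patient_names=PATIENT_NAMES):
    """Return the reasons a file name appears to expose PHI; an empty list means it looks clean."""
    stem = Path(filename).stem
    reasons = []
    normalized = _normalize(stem)
    for name in patient_names:
        if _normalize(name) in normalized:
            reasons.append(f"contains patient name '{name}'")
    for pattern in IDENTIFIER_PATTERNS:
        if pattern.search(stem):
            reasons.append(f"matches identifier pattern /{pattern.pattern}/")
    return reasons


def opaque_name(filename, registry):
    """Replace the file name with a random token and record the mapping in the local registry.
    The registry is the only place the real name lives; it must never be synced."""
    token = secrets.token_hex(8)
    registry[token] = filename
    return token + Path(filename).suffix


def prepare_for_sync(filenames, registry, patient_names=PATIENT_NAMES):
    """Map each original name to the public name the cloud service is allowed to see."""
    public = {}
    for name in filenames:
        if phi_in_filename(name, patient_names):
            public[name] = opaque_name(name, registry)
        else:
            public[name] = name
    return public
```

The check is a guard against innocent mistakes, not proof of compliance: it only catches the identifiers and roster entries it was given.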
To be clear, I’m not a fan of storing PHI on the “cloud”.
But, if a client insists on using the cloud, I will ensure they use procedures that ensure HIPAA compliance.