in HIPAA Headlines by John Brewer

There seems to be a flurry of activity about whether a cloud storage service called Dropbox is HIPAA compliant or not.

On the surface it appears that Dropbox would be HIPAA compliant.

As their site states:

  • “All transmission of file data occurs over an encrypted channel (SSL).”
  • “All files stored on Dropbox are encrypted (AES-256)”

In general this should be sufficient.

Now, Dropbox is clear in stating they are not HIPAA compliant, which I’m sure is an attorney-driven statement…but…you are going to have a difficult time justifying using a service that says it is not HIPAA compliant while claiming you are HIPAA compliant.

The kerfuffle has come about because, no matter how much encryption one uses, the privacy of a patient can still be screwed up…very easily.

Let’s say you have a wonderfully encrypted file, yet you save the file name as the patient’s name. The contents are protected, but the name of the file, which is visible to anyone who can list the folder, still discloses who the patient is.

Yet, using this argument, a fully encrypted CD with PHI stored on it is also not HIPAA compliant IF the patient’s name is written on the CD with a marker.

So the issue here isn’t really that Dropbox is not HIPAA compliant; the issue is that, no matter how compliant the storage system you use is, HIPAA compliance can still be defeated quite easily and innocently.

The real answer here is to ensure your office has the proper HIPAA policies and procedures in place to prevent using any Patient Identifiable Information as a “public” name.
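One way to turn that policy into a check an office can actually run, added here as an illustration and not code from the original post: the first function flags file names that carry patient information (a known patient’s first and last name, or an SSN-like, date-like or MRN-like token), and the second derives an opaque storage name with a keyed hash so the name in the synced folder reveals nothing without a key that stays on office systems. The patient list, the identifier patterns and the office key are all constructed for the example; a real office would maintain its own.

```python
import hashlib
import hmac
import re

# Constructed sample data: the patients this hypothetical office holds records for.
KNOWN_PATIENTS = ["Jane Doe", "John Q Public"]

# Constructed, deliberately narrow patterns for identifiers that tend to end up
# in file names. A real office policy would maintain its own list.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN-like
    re.compile(r"\b(19|20)\d{2}[-_]?\d{2}[-_]?\d{2}\b"),  # date of birth-like
    re.compile(r"\bMRN[-_ ]?\d+\b", re.IGNORECASE),       # medical record number
]


def _name_tokens(filename: str) -> list[str]:
    """Split a file name into lowercase alphanumeric tokens."""
    return [t for t in re.split(r"[^a-z0-9]+", filename.lower()) if t]


def filename_leaks_phi(filename: str, patients=KNOWN_PATIENTS) -> bool:
    """True if the file NAME alone would disclose patient information,
    regardless of how well the file body is encrypted."""
    tokens = _name_tokens(filename)
    for patient in patients:
        parts = patient.lower().split()
        # first and last name together in the name is treated as a disclosure;
        # a surname on its own is not flagged by this (constructed) policy
        if parts[0] in tokens and parts[-1] in tokens:
            return True
    # underscores count as word characters to the regex engine, so swap them
    # for spaces before applying the boundary-anchored patterns
    spaced = filename.replace("_", " ")
    return any(p.search(spaced) for p in PHI_PATTERNS)


def opaque_name(record_id: str, office_key: bytes, extension: str) -> str:
    """Derive a storage name from an HMAC-SHA256 of the record id.
    The name is stable for the same record (so re-uploads overwrite rather
    than duplicate) but reveals nothing without the office-held key."""
    digest = hmac.new(office_key, record_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32] + extension


def stage_for_cloud(local_name: str, record_id: str,
                    office_key: bytes, manifest: dict) -> str:
    """Choose the name a file will carry in cloud storage and record the
    mapping in a manifest that stays on office systems, never in the synced
    folder. Returns the cloud-side name."""
    extension = "." + local_name.rsplit(".", 1)[1] if "." in local_name else ""
    cloud_name = opaque_name(record_id, office_key, extension)
    manifest[cloud_name] = {"record_id": record_id, "local_name": local_name}
    return cloud_name


def audit_cloud_folder(names: list[str]) -> list[str]:
    """Detection side of the same policy: given the names present in a synced
    folder, return those that violate it so they can be renamed."""
    return [n for n in names if filename_leaks_phi(n)]


if __name__ == "__main__":
    office_key = b"constructed-office-secret"  # constructed; keep a real key out of source
    manifest = {}
    cloud = stage_for_cloud("Jane_Doe_labs.pdf", "MRN-00451", office_key, manifest)
    print("cloud name:", cloud)
    print("manifest entry:", manifest[cloud])
    print("violations:", audit_cloud_folder(["Jane_Doe_labs.pdf", cloud, "quarterly_summary.pdf"]))
```

The manifest is the part that must not be synced: it is exactly the marker-on-the-CD label, kept in the office rather than on the disc. The audit function is what an office would run periodically over the folder listing, since the point of the post is that a well-meaning user defeats the policy by renaming, not by breaking the encryption.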

To be clear, I’m not a fan of storing PHI on the “cloud”.

But, if a client insists on using the cloud, I will ensure they use procedures that ensure HIPAA compliance.

5 thoughts on “Dropbox HIPAA Compliance”
  1. Jack Mogren says:

    I’m not a fan of cloud storage of patient information either. But one wonders that if a physician chooses to go this direction, do they need to pursue a business associate agreement with the storage service? If they tried to do so with Dropbox, I wonder what their response would be. I’d be willing to bet Dropbox, or most any service like it, would balk at establishing a BAA.

  2. HIPAA Admin says:

    I completely agree that an Associate’s Agreement would make sense in this situation.

    I also would not be surprised if DP didn’t want to sign one.

    I find many vendors balk at signing one, even those that work in the medical industry and should be fully aware of the requirement.

  3. Allan Kap says:

    I create a medical report in my computer and use Dropbox to transfer the file to another authorized computer (treating physician requesting the information), after which I delete the file from the cloud. Is this procedure HIPAA compliant?

  4. John Brewer says:

    No. Until Dropbox states in writing that they are HIPAA compliant, you shouldn’t use them. Here is what they say, “Dropbox does not currently have HIPAA…certifications.”

  5. Kerry says:

    Dropbox is convenient for personal use, but it is clearly not an enterprise service. For HIPAA compliance, you should look for a more business-oriented service such as DriveHQ or Carbonite.